Yisrael Gross is the Co-founder and Director of Business Development of Israel-based L7 Defense, a cybersecurity firm that specializes in API security. An entrepreneur and business development mentor, Gross is the producer of a popular tech show in Israel, “Kikar HiTech.” He is also a founding member of the Israel Cyber Group.
API security is touted as the new frontier in cybercrime. In fact, by 2022, API abuses will be the most-frequent attack vector resulting in data breaches of enterprise web applications. Is the cybersecurity industry taking necessary precautions to safeguard enterprises from this imminent threat landscape?
According to Gartner, “With few exceptions, WAF technology has failed to deliver on the promise to automatically enforce a positive security model. Shorter application project cycles further impede the ability of security teams to implement and fine-tune WAF appliances.”
That is the main reason for the recent rise of a new cybersecurity vertical, named “API Security.” API Security solutions aim to protect against the same “classical” types of threats that used to be handled by WAFs, plus new types of emerging threats, such as BL attacks, which are specific to APIs. This should be done in a much more dynamic, automated, and precise manner than it used to be done by application security solutions.
It is said that current API solutions like content delivery networks and application delivery controllers, web application firewalls, identity and access management, and API gateways provide basic protections for API infrastructure against volumetric DDoS attacks, OWASP top ten vulnerabilities, session hijacking, and invalid input attacks, to name a few. But are they enough to stop threat actors determined to exploit vulnerabilities unique to each API? How can companies be a step ahead of hackers on this front?
This API “customized policy” referred to here is a major point in protecting APIs. The ability to set an automated, fully adapted policy for an API is the heart of any API protection layer, as otherwise a major fraction of the requests might be mistakenly considered hostile or friendly based on their generic structure or content, while only the specific API policy can judge them correctly. For example, let us assume a policy for a search API, which might receive a broad content landscape including even operator types such as OR and AND. Using a general policy will falsely flag such requests, while a specific API policy should know how to differentiate these.
In reality, as “open banking” was initially regarded by many as a typical exercise in compliance following the implementation of the Second Payments Services Directive (PSD2), banks are now shifting gears and going beyond the regulatory requirements by leveraging the benefits of “open APIs” to cater to customer needs and innovate open banking business models, and they demand more of these types of solutions.
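To make the search-API point concrete, here is an added example (not code from the interview or from L7 Defense) contrasting a generic negative rule with a per-endpoint positive policy; the endpoints, parameter names and sample requests are constructed for illustration.

```python
import re

# Constructed sample requests (not from the interview): (endpoint, params)
REQUESTS = [
    ("/search",   {"q": "cats OR dogs AND NOT birds"}),  # legitimate search syntax
    ("/accounts", {"id": "42 OR 43"}),                   # operators where an integer belongs
    ("/search",   {"q": "x" * 600}),                     # oversized query, no operators
]

# Generic negative rule a one-size-fits-all filter might apply: any parameter
# containing a boolean operator keyword is treated as hostile, whatever the API.
OPERATOR_RE = re.compile(r"\b(OR|AND|NOT)\b")

def generic_policy(endpoint, params):
    """True = allow. Ignores the endpoint entirely, so search syntax is a false positive."""
    return all(OPERATOR_RE.search(v) is None for v in params.values())

# Per-API positive policy: each endpoint declares exactly which parameters it
# accepts and how each must look; anything undeclared or malformed is rejected.
SEARCH_TOKEN_RE = re.compile(r"^[\w\s]+$")  # words and spaces only, operators included

def search_query_ok(value):
    # Operators are legitimate here, but the query is still bounded and shape-checked.
    return len(value) <= 256 and SEARCH_TOKEN_RE.match(value) is not None

def account_id_ok(value):
    # An account id is a bounded positive integer; "42 OR 43" can never satisfy this.
    return value.isdigit() and 1 <= int(value) <= 10**9

API_POLICY = {
    "/search":   {"q": search_query_ok},
    "/accounts": {"id": account_id_ok},
}

def specific_policy(endpoint, params):
    """True = allow. Unknown endpoints and unexpected/missing parameters are denied."""
    schema = API_POLICY.get(endpoint)
    if schema is None or set(params) != set(schema):
        return False
    return all(schema[name](value) for name, value in params.items())

def evaluate(requests=REQUESTS):
    """Return (endpoint, generic_verdict, specific_verdict) per request."""
    return [(ep, generic_policy(ep, p), specific_policy(ep, p)) for ep, p in requests]

if __name__ == "__main__":
    for endpoint, generic_ok, specific_ok in evaluate():
        print(f"{endpoint:10} generic={'allow' if generic_ok else 'block'} "
              f"specific={'allow' if specific_ok else 'block'}")
```

The first request shows the generic rule's false positive, the second shows both agreeing, and the third shows a request the generic rule lets through only because it contains no operator keyword.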
How has the API security threat landscape changed since the onset of COVID-19?
The threat landscape hasn’t changed much. However, the attack scale has grown dramatically for two main reasons. The number of API targets is growing fast now, developed and deployed with less order, and therefore they are more vulnerable. On the other side, criminal motivations are skyrocketing, as expected at such a time. So, these two are facing each other with growing frequency, as expected, since the beginning of this global situation.
As attacks become AI-based, there are higher chances that the Next-gen “Zero-day Payload” attacks can bypass even the most advanced solutions. What are the best practices that need to be adopted to avert this crisis?
The answer is, of course, contained in the question. There is a major need to adapt the AI protection shield in all aspects of cybersecurity. It should be adaptive to the ever dynamically changing inside structure and outside threat nature. It should also be automated and precise, given the growing gap in professional resource availability and the growing sophistication of AI-governed attack tactics.
Poor cloud security hygiene has been plaguing several organizations globally. Nearly half of the global organizations on AWS workloads don’t have MFA enabled for users. It is an example of potential avenues for attackers to infiltrate an organization. What is your take on that?
Definitely! It really presents the way of doing the job these days, cross-industry. Business usually comes before cybersecurity, which leaves a wide-open window to attacks. And when you call them, they come, sometimes in seconds, as everyone who opens a new server on AWS may know.
We believe that there is no point in fighting this lost battle, as this is the way of life. Instead, we present a different approach that is adapted to this trend. We offer enterprises the option to deploy our API security solution in front of their APIs and applications, thereby giving them the best-of-breed protection that may be found in the market.
About the Author
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.