Holistic API security needed in face of increasing cybersecurity risk
The challenges that the global business community has faced in the last few years have been unprecedented. A pandemic, inflation, an energy crisis, war, an economic downturn, and fragmented and delayed supply chains have all created issues for organisations and have left no industry, market, or region untouched.
Yet, despite these issues, our digital ecosystems and footprint grow ever bigger and increasingly complex, says Filip Verloy, Field CTO at Noname Security.
The global digital transformation market was worth $731.13 billion in 2022 and is expected to grow at a CAGR of 26.7% through 2030, driven mainly by businesses trying to gain a competitive advantage.
"However, it is the size and intricacy of our digital world that makes cyber risks and threats both more present and more potent," says Verloy.
"With more digital transformation initiatives and more third-party providers involved in the supply and distribution of digital goods and services, there are more opportunities for cybercriminals to target our infrastructure," he says.
"That's because these initiatives increase complexity – with more connection points, more third parties, and lengthier digital supply chains."
According to Verloy, this in turn increases the number of APIs and API integrations an organisation depends on, and each of them is a potential attack vector.
"The reality is that APIs are the connective tissue for the digital world, but the explosion in API use has created new and rapidly growing threats to organisations across the globe," he says.
Less tech talent, more AI and automated code generation
Verloy says there is a growing shortage of talent with sufficient know-how to properly manage and build infrastructure. Some 71% of CEOs anticipated that the skills and labor shortage would be 2022's biggest disruption, and this skills gap, more specifically, is expected to cost businesses trillions of dollars by the end of the decade. This is prompting organisations to look at how or what they can automate to fill that gap.
"Automation, fuelled by AI and spearheaded by digital giants and their text generation software such as ChatGPT and Google Bard, is very much in vogue as a result," Verloy says.
"The ability of these tools to generate working code will increasingly become the backbone of many digital services and products, especially with fewer tech experts and ever more lines of code to program (of growing complexity)," he says.
"Such tools are easily accessible, and the potential productivity boost is enormous, but unfortunately, the benefits also come with some major drawbacks. It is undeniable that these tools have the ability to make development easier and faster.
"However, in terms of generating secure code, the jury is still out. AI tools use a breadth of existing knowledge, but they lack human creativity and initiative, and this means vulnerabilities can creep into code. And unfortunately, it only takes one vulnerability for an attacker to gain access to critical information via an API."
Verloy says the same talent shortage also makes the use of automated code generation tools such as GitHub Copilot and Copilot X more likely.
"Certainly, these tools have the potential to make life easier for a stressed and in-demand developer – but a team of researchers associated with Stanford University also found it makes security vulnerabilities and flaws in the apps they develop much more likely," he says.
Shifting global regulations are increasing complexity
"To make matters increasingly difficult, the laws of various lands are rapidly changing – and not in any synchronised manner," says Verloy.
"This means that any international company and its lengthy supply chain must abide by new, changing, and disjointed rules."
The US National Cyber Strategy, the EU Cyber Defence Policy and Cyber Resilience Act, the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the PSD3 consultations on open banking give some idea of the volume of legislation on these wide-reaching topics, and plenty more is in the works.
"Some of these are guidelines, some are laws, some are comprehensive, and some are less so. This makes it even harder to stay ahead," Verloy says.
"All of the issues outlined above are creating a perfect storm and doing business across such a complex matrix of policy, regulation, and security is not only creating huge inefficiencies but also attack vectors and vulnerabilities at a time when organisations are ever watchful over risks and costs, owing to the economic climate."
How comprehensive API security fills the gaps
In such a vulnerable, uncertain, and heavily regulated environment, Verloy says there is now a critical requirement for proper API security that can discover APIs, monitor them, predict where vulnerabilities will appear, and fix them before an attacker can exploit one to move through the network.
He says this comprehensive and dedicated API security needs to "shift left", covering APIs from the beginning of the software development lifecycle, but also "lean right", emphasising active, real-time protection of the APIs already running in production.
"Ultimately, the goal should be to establish comprehensive and efficient API security policies which are proactively managed over time," Verloy says.
"The use of advanced AI and ML processes to uncover new threats before they impact the network is also essential, as is continuous and active testing to ensure that the business has the real-time capabilities in place to identify new attack vectors and remediate vulnerabilities as they unfold."
As with all new platforms and tools, an API security provider must be more than simply a vendor, according to Verloy.
"They need to be viewed as a trusted partner to help ensure that API security policies and tools stay ahead of the ever-shifting landscape while also improving the speed at which customers can expand their businesses in this highly competitive environment," he says.
"As we look to a future of increasingly rapid software development incorporating automated code generation, now more than ever, companies will need comprehensive, flexible API security tools such as discovery, posture management, runtime protection, and pre-production and deployment.
"This will enable them to actively test, predict, and defend against vulnerabilities and meet the demands of an increasingly unpredictable world."