Transition to API-based app development raises security concerns
The proliferation of API-centric applications and mission-critical cloud services is causing many organisations to underestimate the tools and technologies required to secure them, new research from edge cloud platform provider Fastly suggests.
Fastly conducted a survey of IT and security professionals in Asia Pacific (Australia, New Zealand and Japan), Europe, and North America over two weeks in March 2021.
According to the research, organisations are turning their application development focus inward, with almost half (47%) of Australian organisations expecting to support more than 200 internally developed applications in the next two years. These internal applications may rely on APIs for data sharing, application interconnection, or microservices.
However, APIs are also being used by attackers to gain entry into organisations for the purposes of stealing data.
In Australia, 90% of organisations reported at least 10 attacks on their web applications and APIs that were not detected by security tools until they snowballed into something that had a negative impact on their business, such as a breach.
Attack types include exploitation of OWASP Top 10 (31%), zero-days (29%), malware infections (33%), account take-over (24%) and cloud service misconfiguration (21%).
“One of the biggest security challenges we are seeing today is that technologies are rapidly evolving to better serve the growing demand for digital experiences, but the security offerings that protect those technologies are not experiencing that same level of transformation -- and often erode the benefits of modern technology stacks,” comments Fastly senior principal technologist, Kelly Shortridge.
“Security tools should fuel innovation, actively support service resilience, and minimise disruption to software delivery workflows, rather than slowing build cycles and producing disjointed, unactionable, or irrelevant data.”
Surveyed respondents also state that some security tools can have a negative impact on businesses because they block too much legitimate business traffic. This issue, called ‘overblocking’, can have consequences such as wasted time, degraded customer experience, system downtime, undetected attacks, loss of revenue, and service level agreement failure. Further, some organisations choose to disable blocking altogether to avoid these consequences.
Fastly APAC sales engineering manager Stephen Gillies points to the DevOps movement, which showed that rapid testing and automation led to more innovation, but there was a catch.
“Innovation filled with risk is not really the end game. The next crucial step is to implement security directly into the internal app and API workflow process so it is not a hurdle to work around, but a part of the process that can move as quickly as the rest if done right. Otherwise, it’s just more of the same, and security will remain elusive.”
These statistics are taken from Fastly’s Reaching the Tipping Point of Web Application and API Security report.