2023 Cybersecurity Predictions: API Security Q&A w/ Richard Bird
2023 Cybersecurity Predictions: Insights on the Future of API Security from Traceable CSO, Richard Bird
It's that time again! It's time for experts around the globe to address the year we are leaving behind, assessing our successes and failures as an industry, and thinking deeply about what's coming and what we can do about it. In today's post, we are lucky to have insights from Traceable's own Chief Security Officer, Richard Bird.

One thing is for sure as we start our journey through 2023: the time to learn and move on API security is now, not two years from now when the seriousness of the risk is fully understood.

Let's get started.
1. Financial Services Will Need to Address API security More Seriously in 2023
The vertical that most needs to be addressed is banking, due to the emergence of the Federal Financial Institutions Examination Council's (FFIEC) requirements. In 2023, regulators in the financial services and banking sector are going to drive a heightened level of interest, focus and expectations around API security. This will definitely have a cascading effect on other less regulated or non-regulated businesses, since external audit houses will be conditioning their audit guidance to include API security. We know this pattern well: demands for higher performance in security almost always land on banks and financial services organizations first and then expand and extend into every other industrial vertical.
2. What API Security Will Look Like in 2023
In terms of trends we need to shine a light on, 2023 will be the year that the leaders in the majority of companies, organizations and agencies around the world wake up on any given morning and think, "Whoa, I have a security problem." As we close out 2022, most enterprises either don't realize the size of the risk they currently face with their unsecured and largely unmanaged API ecosystem, or they are willfully ignoring the risks by believing that API gateways and web application firewalls are protecting them.

We should be very happy that the current state and maturity of API security affords us the opportunity to get it right in 2023. API security is a greenfield within most companies and organizations today, which means we are in a moment where we can choose tools, processes and frameworks that will deliver huge improvements in security and risk mitigation. The alternative, if we don't capitalize on this moment, is that in 2024 and beyond API security tactics and performance will be dictated to us and demanded of us by regulators, and we will no longer have the flexibility and agility to meet these challenges without the overhead of compliance pressures.
3. There Will Be an Even Bigger Concentration on API Security in 2023. Here's Why:
2023 will be the break-out year for API security as a focus area for many of the Fortune 1000. The lack of control, security and governance around APIs isn't just exposing companies to serious risks, but also to massive amounts of operational inefficiency caused by APIs being developed and deployed independently across multiple DevOps teams. This means that there are huge numbers of "zombie" APIs, abandoned but never removed from a company's systems. And there are costly redundancies due to the inability of companies to enforce and inform DevSecOps on internal standards for API creation and deployment. Without visibility into the API ecosystem at a company, you can bet that money is being wasted nearly every day on the creation of redundant APIs. That redundancy comes at a cost; inefficiency isn't free.
4. Business Leaders Are Missing the Boat with Their Understanding of Unstructured Data. Here's Why that Matters for API Security:
Business leaders rarely understand the amount of unstructured data their companies actually have and the levels upon levels of redundancy they have with respect to that data. Companies over-collect and over-store data in quantities that would have been inconceivable just a decade ago, mainly because storage used to be expensive enough to warrant judiciousness in acquiring and retaining data. Now data storage is ridiculously cheap, and the unintended consequence of that reality is grabbing and hanging on to way more data than is functionally necessary. This leads to the biggest misunderstanding for business leaders. Holding on to massive amounts of data that you don't need isn't a benefit to your company; it is a liability, because the more you have, the harder it is to protect and contain it.
5. API Security Has a Unique Role in 2023
In 2023, API security will drive realizations and revelations by enterprises that go beyond the threat and risks of APIs. API security is dependent on the discovery and collection of the APIs that a company is exposed to. Once organizations take that step, they quickly realize that the entire operational framework of their API management is problematic. There is very little in the form of standardization and governance for APIs in most companies, which means that there are huge amounts of inefficiency and costly redundancy across those same APIs.
6. Organizations Need to Educate Themselves on the Best Solutions for API Security.
The pathway to self-awareness and self-learning about API security starts with taking a simple step: exercising intellectual honesty. API security and operations aren't something new. They are an extension of the best practices that have always been demanded in the digital world. If you believe you don't have an API security problem because you don't use a lot of APIs or because you leverage an API gateway or web application firewall, you're not being intellectually honest. Every day, in highly publicized events, the attack surface and vulnerabilities of APIs are being clearly communicated to the market. Believing that APIs won't be opportunistically exploited by bad actors just isn't supported by data, evidence and the history of technological evolution. The time to learn and move on API security is now, not two years from now when the seriousness of the risk is fully understood.

About Traceable

Traceable is the industry's leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle.