As more digital collaborations are set to rely on API plugins, one industry observer is calling for serious scrutiny of API security
Last week, Singapore telecoms firm SingTel’s Australian subsidiary, Optus, suffered a cyberattack that resulted in the leak of 11.2m customer records, including names, dates of birth, phone numbers, email addresses, home addresses, and passport and driving license details.
The firm’s Chief Executive Kelly Bayer Rosmarin said the company was “devastated” to discover it had been subject to “a cyberattack that has resulted in the disclosure of (its) customers’ personal information to someone who should not see it. As soon as we knew, we took action to block the attack and began an immediate investigation.”
Following this incident, it was recently reported that the data had been exfiltrated through an unauthenticated application programming interface (API), that is, an endpoint that could be queried without presenting any credentials. APIs, a recent method of facilitating fast digital collaborations between organizations and businesses, have become another massive attack surface for cybercriminals to exploit.
Going forward, API exploitation will become more commonplace, and one cyber expert even noted that API security in traditional edge-based infrastructures needs to be revisited.
According to Curtis Simpson, CISO, Armis: “In modern online platforms API transactions are already outpacing the number of user transactions. Exposures associated with APIs range from configuration-based to logic-based vulnerabilities that can be exploited to compromise platforms, networks, users, and data. Traditional edge security and application security testing capabilities are not identifying nor facilitating the remediation or protection against the exploitation of such exposures at scale across our cloud environments that continue to transform alongside our business operations.”
Simpson suggested the following examples of steps to increase API security:
- Real-time logic-based API protection
- API exposure analysis, prioritization, and remediation through development stacks
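To make the two exposure classes concrete, here is an added example (not code from the article or from Armis) contrasting an unauthenticated record-lookup handler of the kind described above with a hardened one that enforces both authentication and per-object authorization, the "logic-based" check the second bullet refers to. The customer records, the signing key and the token format are all constructed for the illustration.

```python
import hmac
import hashlib
import logging
from typing import Optional, Tuple

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("api-guard")

# Constructed sample data standing in for a customer-record store.
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1990-01-01", "email": "a@example.invalid"},
    "1002": {"name": "B. Example", "dob": "1985-05-05", "email": "b@example.invalid"},
}
# Constructed signing key; a real deployment would load this from a secrets store.
SIGNING_KEY = b"demo-only-key"


def issue_token(customer_id: str) -> str:
    """Mint a minimal HMAC-signed bearer token that binds the caller to one customer id."""
    mac = hmac.new(SIGNING_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{mac}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the authenticated customer id, or None if the token is absent or forged."""
    if not token or "." not in token:
        return None
    customer_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return customer_id if hmac.compare_digest(mac, expected) else None


def get_customer_unauthenticated(customer_id: str) -> Tuple[int, dict]:
    """Exposure pattern: no identity check at all, so any client can pull any record."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, {"error": "not found"})


def get_customer_protected(customer_id: str, auth_header: Optional[str]) -> Tuple[int, dict]:
    """Hardened handler: authenticate the caller, then authorize the specific object requested."""
    bearer = auth_header[7:] if auth_header and auth_header.startswith("Bearer ") else None
    caller = verify_token(bearer)
    if caller is None:
        log.warning("unauthenticated request for customer %s", customer_id)
        return 401, {"error": "authentication required"}
    if caller != customer_id:
        # Object-level check: a valid identity may still only read its own record.
        log.warning("caller %s attempted to read customer %s", caller, customer_id)
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, {"error": "not found"})
```

The warning lines emitted on the two rejection paths are the signal a real-time protection layer would feed into alerting; a burst of 401s or 403s across many different customer ids on this endpoint is the pattern to watch for.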
“In the increasingly digital global economy, as more business activities and collaborations are done over APIs, security programs and technologies must continue to evolve in order to safeguard modern web services,” Simpson said.