Follies

The Broadway Tower in Worcestershire, England is a famous structure. It’s inspiring and beautiful, and at 62 feet high it is, like other similar buildings, a folly. While it looks grand inside and out, it serves no purpose other than to be a decoration.

It’s all too easy to buy a set of policies and procedures, change the company name and some other details, then present it as an application development and security program. Regrettably, there are too many companies whose appsec program has quickly become a folly.

How can we avoid this trap?

Some Considerations

Akamai’s State of the Internet Report demonstrates that the growth of the gaming industry creates “an expanded attack surface for threat actors to exploit by using everything from DDoS to SQL Injection (SQLi) attacks.”

It’s not an exaggeration that APIs – whether monolith or microservices – account for 80+% of internet traffic, or that this increase has presented a treasure trove of targets for criminals.

As we learned from the MailChimp breach, API keys are a target. Criminals aren’t always simply after the money – they are looking for ways to achieve Account Takeover (ATO), and that includes initial entry, followed by accessing credentials or API keys.

According to the “Cloud and Web Security Challenges in 2022” report from the Cloud Security Alliance (CSA), 47% of businesses are concerned about sensitive data loss, and 43% of businesses have customer data protection as one of their 2022 primary cloud and web security objectives.

Businesses and customers have a vested interest in secure software.

Some Problems

According to the 2021 IBM Security X-Force Cloud Threat Landscape Report, “Public API policies represented a significant security gap. Two-thirds of the incidents analyzed involved improperly configured Application Programming Interfaces (APIs), based on analysis of X-Force