The accelerated pace of digitalisation in recent years, with the help of interconnected software systems, has exposed businesses to cyber threats that are harder to trace and track, says cybersecurity firm Imperva.
In particular, the move towards microservices and application programming interfaces (APIs), which allow developers to quickly create new features for digital services and improve customer experiences, needs to be better managed, said the company’s chief executive officer, Pam Murphy.
With the pandemic forcing many businesses to rush out digital services, many now have to deal with hundreds, if not thousands, of APIs that may become huge loopholes for hackers to exploit, she pointed out. “Now, API insecurity is a big thing.”
In a nutshell, APIs connect up different software applications, for example, an e-commerce website with a credit card payment gateway, to enable users to transact online.
However, these new pieces of software, like any other, often come with vulnerabilities that cyber criminals can exploit. For example, they can connect to an API that is not properly secured and steal data by pretending to be a friendly application seeking that information.
They can also set up bots that mimic human users to interact with APIs that are none the wiser, so they can, say, jump the queue online to buy exclusive tickets, limited-edition sneakers or other rare items that are worth a lot in the resale market.
In 2022, such bad bots took up more than 30 per cent of all website traffic, with “good bots” set up by businesses accounting for about 17 per cent and humans about 53 per cent, according to Imperva.
Such a huge volume of bad bots exploiting a large number of APIs that businesses have been relying on means many potential cybersecurity breaches. Worse, businesses often do not know how exposed they are.
“When prospects come to us, the number one issue is ‘I don’t know how big of a problem I have’,” said Murphy, who spoke to Techgoondu during a recent visit to Singapore.
“They would say the biggest issue is they don’t know how many APIs they have,” she added. “These could connect to a data store or to business logic.”
Like many other security solutions, Imperva’s API security tools start with discovery. After all, you cannot protect what you don’t know.
“The reality is that the typical customer (we see) today has structured data, semi-structured data, unstructured data… and all that data is in AWS (Amazon Web Services), GCP (Google Cloud Platform), and (Microsoft) Azure and others are on-prem,” said Murphy.
“We help customers analyse their entire spectrum and perimeter, where APIs are and from there, you can move to identify which are sensitive (such as data) and which are risky and then move to protect them,” she added.
“We always identify 10x more (APIs) in reality from what people first tell us,” she noted. “It’s the way DevOps and engineering teams work now… they are under pressure to develop digital capabilities quickly.”
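As an added illustration of the discovery step Murphy describes, and of the risks raised earlier in the article (undocumented APIs, APIs that are not properly secured, and bots hammering endpoints), the following Python script builds an API inventory from web server access logs. It is not code from the article, from Imperva, or from Techgoondu. Everything in it is assumed: the log lines are constructed, the `DOCUMENTED` set stands in for whatever an OpenAPI spec or service catalogue lists, the `SENSITIVE_KEYWORDS` heuristic is a placeholder for real data classification, and "no authenticated user in the log" is used as a crude proxy for an unauthenticated call.

```python
"""Discover API endpoints from access logs and flag the ones a defender should
look at first: undocumented, called without authentication, touching sensitive
data, or hammered by bot-like clients.  Hypothetical helper code; the log lines
below are constructed, not real traffic."""
import re
from collections import Counter, defaultdict

# Combined Log Format with an authenticated-user field (Nginx/Apache style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
UUID_RE = re.compile(
    r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I
)

# Assumed: endpoints the team has documented (e.g. taken from an OpenAPI spec).
DOCUMENTED = {"GET /api/v1/orders/{id}", "POST /api/v1/checkout"}
# Assumed: path keywords that hint the endpoint fronts a sensitive data store.
SENSITIVE_KEYWORDS = ("payment", "card", "users", "ssn")


def _line(ip, user, method, path, status="200", size="512"):
    """Build one constructed access-log line."""
    return (f'{ip} - {user} [12/Mar/2024:10:00:01 +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')


def sample_log():
    """Constructed sample traffic: normal users, a forgotten internal endpoint,
    an unauthenticated payments call, one unparseable line, and one client
    repeatedly hitting checkout in the way the article's bad bots would."""
    lines = [
        _line("10.0.0.5", "alice", "GET", "/api/v1/orders/123"),
        _line("10.0.0.5", "alice", "GET", "/api/v1/orders/124"),
        _line("10.0.0.9", "-", "GET", "/api/v1/payments/cards/77"),
        _line("10.0.0.7", "bob", "GET", "/internal/debug/users?limit=100", size="9000"),
        "garbage line that does not parse",
    ]
    lines += [_line("203.0.113.4", "-", "POST", "/api/v1/checkout", size="88")] * 40
    return "\n".join(lines)


def parse_log(text):
    """Return a dict per parseable line; lines in other formats are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def normalize_path(path):
    """Drop the query string and collapse numeric/UUID segments to {id} so that
    /orders/123 and /orders/124 count as one endpoint, not two."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
                    for seg in path.split("/"))


def discover_endpoints(records):
    """Inventory of 'METHOD /normalized/path' -> call counts and clients."""
    inv = defaultdict(lambda: {"calls": 0, "unauth_calls": 0, "clients": set()})
    for r in records:
        entry = inv[f"{r['method']} {normalize_path(r['path'])}"]
        entry["calls"] += 1
        if r["user"] == "-":          # crude proxy: no authenticated user logged
            entry["unauth_calls"] += 1
        entry["clients"].add(r["ip"])
    return dict(inv)


def classify(inventory, documented=DOCUMENTED, keywords=SENSITIVE_KEYWORDS):
    """Attach risk flags to each discovered endpoint."""
    findings = {}
    for key, entry in inventory.items():
        flags = set()
        if key not in documented:
            flags.add("undocumented")
        if entry["unauth_calls"] > 0:
            flags.add("unauthenticated")
        if any(k in key.lower() for k in keywords):
            flags.add("sensitive")
        findings[key] = flags
    return findings


def bot_like_clients(records, threshold=20):
    """Clients whose request count exceeds the threshold for this log window."""
    per_ip = Counter(r["ip"] for r in records)
    return {ip: n for ip, n in per_ip.items() if n > threshold}


if __name__ == "__main__":
    recs = parse_log(sample_log())
    for endpoint, flags in classify(discover_endpoints(recs)).items():
        print(f"{endpoint:40} {sorted(flags) or 'ok'}")
    print("bot-like clients:", bot_like_clients(recs))
```

Run against real logs, the interesting output is the gap between `DOCUMENTED` and what `discover_endpoints` returns, which is the "10x more APIs than people first tell us" effect Murphy describes. The flags only prioritise review; whether an unauthenticated or sensitive-looking endpoint is actually a problem still needs a human to check what it fronts.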
Indeed, one dirty secret of today’s digital services development is that the “dev” part of DevOps often takes on more importance for many businesses than the “ops” part, since maintenance is not seen as a breakthrough.
Unfortunately, this means teams could end up not documenting issues or being diligent in resolving software bugs, which later often result in vulnerabilities. Speed to get a digital service out the door has often come at the cost of security issues later.
To be sure, the rush to connect up via APIs offers a valuable lesson to businesses that are now rushing to adopt the next big thing – AI – in their operations as well.
Generative AI is useful to help businesses take on more technical tasks by using natural language instead of typing in a command but it can also be used by the bad guys, said Murphy.
Generative AI can be used to mimic human behaviour and trick cyber defences into thinking they are human, she noted.
“The AI models will get smarter and we have to step up investments to make sure that generative AI will not threaten our defences in future,” she added.