The growing demand for automation in Application Security
By 2022, 10% of coding vulnerabilities identified by static application security testing (SAST) will be remediated automatically with code suggestions applied from automated solutions, up from less than 1% today — Gartner
If data is the new oil, Application Programming Interfaces (APIs) are the connecting pipes that make the data flow. And hackers are increasingly tapping into these pipes, freeloading on all kinds of data. Secure Octane portfolio company NeuraLegion announced its $4.7 million round today, led by DNX, to build an AI-powered Application Security testing platform that integrates seamlessly into the DevOps process. The investment hypothesis is built upon two major trends: (1) over 50% of enterprise development processes will be driven by CI/CD, and (2) legacy application security systems are unable to deliver outcomes with the required speed and quality.
According to the Akamai 2020 State of the Internet / Security report, as much as 75% of attacks in the financial services industry were targeted directly at APIs. The API as a way of exchanging data has been around for almost two decades but has now become an essential fabric of the app-based economy. Salesforce was one of the first companies to open up its web APIs. Soon, other companies discovered the value of exchanging data and followed suit. A large portion of mobile traffic, our integrated experience and, most importantly, revenues can be tied together thanks to the intermeshed API economy. We buy and sell a ton of data, be it product information, geo-location coordinates or stock market trends, thanks to the APIs that hum silently behind the scenes.
Plumbers versus hackers
Just as a plumber makes our life easy, so do the developers. They install the pipes and make sure that ice-cold water does not flow when we expect a warm shower, and that the pipes do not burst under pressure or freeze when the temperature drops to -20 degrees Fahrenheit. A good plumber makes your life easy: the kitchen, bathroom and garden pipes keep humming and we are happy. But a plumber does not think like a hacker. And a hacker can outsmart a plumber any day. Therein lies our problem.
If 75% of attacks in the financial industry are targeted at APIs, the hackers are hitting us where it hurts most, the money pipes, all the while licking their chops and vacuuming up the flow of data from these pipes.

Malicious login attempts average over 100 million each day, with 20% targeting obvious API endpoints (Source: Akamai)
APIs are implemented by the plumbers of our data economy, the web and application developers, who will often pick a way of connecting APIs (jargon alert: REST or SOAP protocols) that determines the technical debt and complexity of data exchange. As APIs are publicly available, just as websites were when they started twenty years ago, their usage expands well beyond humans into the machine world. Smartphones, wearables, Internet of Things (IoT) devices and 5G will all drive the API wave.
API hacks — If you did not see it, it never happened
In its report APIs and the New-Old Problem of Visibility, F5 Labs points out that we do not have situational awareness of APIs. “They run behind the scenes; this is great until they are compromised behind the scenes, and all of our valuables get stolen behind the scenes.” In short, we do not know when our jewels are being pilfered and we live in sheer ignorance. Also, this is 2020 and not the dark ages. F5's 2020 API Security Report shows that 30% of API incidents were due to a lack of authentication. These were open APIs; the plumbers had left the doors open. If you look at the two other major root causes, they relate to authentication and authorization as well: some APIs were misconfigured or had no authorization at all.

Root Cause of API Incidents (2018–2020) (Source: F5 Labs)
Can Pen Testing save the day? — Yes, No…Maybe
I recently scanned through a pentest report for a financial services company which moves several hundred million dollars each day. The $15,000 report was delivered by a no-name service provider and had the words ‘non-exhaustive’ sprinkled generously all over the 11-page report. It listed some of the common application pentesting criteria such as (jargon alert) cross-site scripting, code injection flaws, malicious remote file execution and so on. While this was a well-intentioned effort, the path to hell is often paved with good intentions. I am reminded of a Mad magazine Spy versus Spy comic strip. The good and the bad battle fiercely, all day, every day, and there is no winner. Which is kinda like the cybersecurity world: can we think like hackers and stay one step ahead? Maybe. Can we win every time? Certainly not. But the only way you would find out is when the data gets infiltrated and the regulators slap a fine.
In an M2M world, we need machine-driven security
While API management platforms can offer baseline access control (i.e. who can do what), they were not designed by security experts. It is a bigger challenge to track message structure, data throttles and payload. DDoS and API flooding are not much different from a hacker's perspective: both cause havoc at your business's expense. Some applications are developed for internal use but are nonetheless reachable from the front end. And with the speed of application feature development and release, it is becoming a tough, almost impossible task to keep track of the attack surface.
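As an added illustration (not NeuraLegion's code, nor anything from the F5 or Akamai reports cited above) of the control points this paragraph and the F5 root-cause list name, the hypothetical Python gateway check below authenticates an API key, enforces per-route authorization, throttles per key and validates the payload, returning the first reason a request is refused. The keys, routes and limits are constructed sample values.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data: API keys mapped to roles (would come from an identity store).
API_KEYS = {"key-ops-1": "admin", "key-app-7": "reader"}
# Per-route policy: allowed roles, required JSON fields and maximum payload size.
ROUTES = {
    ("GET", "/v1/accounts"): {"roles": {"reader", "admin"}, "fields": set(), "max_bytes": 0},
    ("POST", "/v1/transfers"): {"roles": {"admin"}, "fields": {"from", "to", "amount"}, "max_bytes": 512},
}
RATE_LIMIT = 3   # requests per window per key (constructed value)
WINDOW = 60.0    # seconds


@dataclass
class Gate:
    """Front-door checks in the order an API gateway would apply them."""
    counts: Dict[str, List[float]] = field(default_factory=dict)

    def check(self, method: str, path: str, headers: dict, body: bytes, now: Optional[float] = None) -> Optional[str]:
        """Return None when the request may pass, otherwise the denial reason."""
        now = time.time() if now is None else now
        key = headers.get("X-API-Key")
        role = API_KEYS.get(key)
        if role is None:
            return "unauthenticated"          # F5's top root cause: no or failed authentication
        policy = ROUTES.get((method, path))
        if policy is None:
            return "unknown_route"            # undocumented endpoints are not reachable at all
        if role not in policy["roles"]:
            return "unauthorized"             # authenticated, but this role may not call the route
        hits = [t for t in self.counts.get(key, []) if now - t < WINDOW]
        if len(hits) >= RATE_LIMIT:
            return "throttled"                # per-key data throttle against flooding
        self.counts[key] = hits + [now]
        if policy["max_bytes"]:               # payload checks only for routes that carry a body
            if len(body) > policy["max_bytes"]:
                return "payload_too_large"
            try:
                data = json.loads(body)
            except ValueError:
                return "malformed_payload"
            if not isinstance(data, dict):
                return "malformed_payload"
            missing = policy["fields"] - set(data)
            if missing:
                return "missing_fields:" + ",".join(sorted(missing))
        return None
```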
Traditional application security tools often rely on crawlers, which are riddled with false positives. Asking a developer to engage with and eliminate these alerts is a frustration and a headache. The need for security at machine speed has become even more pressing. In its Magic Quadrant for Application Security Testing, Gartner reports that the application security testing market needs to support the enterprise shift to DevOps. Analyzing vendors such as Synopsys, Veracode, Qualys, IBM, Rapid7 and Contrast Security, the report states that the security of APIs is currently a challenge for organizations, which need better capabilities to automatically discover APIs and conduct testing than current DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) technologies offer. In many cases, clients rely on manual mechanisms to provide API specifications and inputs for testing, even as development efforts become increasingly automated.
As the battle between the hackers and the security teams rages on, the developers are caught up and squished in the middle. To save them, the next-gen startups, the innovators and the nimble, the ones who can build automated security solutions, will certainly have an edge over the legacy vendors. Which is why NeuraLegion has a shot at improving security, empowering developers and making our applications robust.