Growing digital ecosystems, increasing cybersecurity risk, fragmented regulations and economic challenges emphasize the need for holistic API security
The challenges that the global business community has faced in the last few years have been unprecedented. A pandemic, inflation, an energy crisis, war, an economic downturn, and fragmented and delayed supply chains have all created issues for organizations and have left no industry, market, or region untouched.
Yet, despite these issues, our digital ecosystems and footprint grow ever bigger and increasingly complex. The global digital transformation market was worth $731.13 billion in 2022, and it is now expected to grow at a CAGR of 26.7 percent by 2030, driven in the main by businesses trying to gain competitive advantage. However, it is the size and intricacy of our digital world that makes cyber risks and threats both more present and more potent.
With more digital transformation initiatives and more third-party providers involved in the supply and distribution of digital goods and services, there are more opportunities for cybercriminals to target our infrastructure. That's because these initiatives increase complexity, with more connection points, more third parties, and lengthier digital supply chains.
This, in turn, increases the need for more APIs and API integration, creating additional risks and attack vectors. The reality is that APIs are the connective tissue of the digital world, but the explosion in API use has created new and rapidly growing threats to organizations across the globe.
Less tech talent, more AI and automated code generation
Furthermore, there is a growing shortage of talent with sufficient know-how to properly build and manage infrastructure. 71 percent of CEOs anticipated that the skills and labor shortage would be 2022's biggest disruption, and this skills gap is expected to cost businesses trillions of dollars by the end of the decade. This is prompting organizations to look at how, and what, they can automate to fill that gap.
Automation, fueled by AI and spearheaded by digital giants and their text generation software such as ChatGPT and Google Bard, is very much in vogue as a result. The ability of these tools to generate working code will increasingly become the backbone of many digital services and products, especially with fewer tech experts and ever more lines of ever more complex code to write.
Such tools are easily accessible, and the potential productivity boost is enormous, but the benefits come with some major drawbacks. It is undeniable that these tools can make development easier and faster. However, when it comes to generating secure code, the jury is still out. AI tools draw on the breadth of existing knowledge, but they lack human creativity and initiative, which means vulnerabilities can creep into code. And it only takes one vulnerability for an attacker to gain access to critical information via an API.
Additionally, this also increases the potential for, and likelihood of, the use of automated code generation tools such as GitHub. Certainly, these tools have the potential to make life easier for a stressed and in-demand developer, but a team of researchers associated with Stanford University also found that using them makes security vulnerabilities and flaws in the apps developers build much more likely.
Shifting global regulations are increasing complexity
To make matters more difficult, the laws of various lands are changing rapidly, and not in any synchronized manner. This means that any international company and its lengthy supply chain must abide by new, changing, and disjointed rules.
The US National Cyber Strategy, the EU Cyber Defence policy and Cyber Resilience Act, the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the PSD3 Consultations on Open Banking begin to show the volume of legislation on these wide-reaching topics, and there is plenty more in the works. Some of these are guidelines, some are law; some are comprehensive, some less so. This makes it even harder to stay ahead.
All of the issues outlined above are creating a perfect storm. Doing business across such a complex matrix of policy, regulation, and security is not only creating huge inefficiencies but also attack vectors and vulnerabilities, at a time when organizations are ever-watchful over risks and costs owing to the economic climate.
How comprehensive API security fills the gaps
In such a vulnerable, uncertain, and heavily regulated environment, there is now a critical requirement for proper API security that can discover, monitor, and predict vulnerabilities while fixing them before they spread through a network. This comprehensive and dedicated API security needs to "shift left" and start life at the beginning of the software development lifecycle, but also "lean right", emphasizing active and real-time protection.
Ultimately, the goal should be to establish comprehensive and efficient API security policies that are proactively managed over time. The use of advanced AI and ML processes to uncover new threats before they impact the network is also essential, as is continuous and active testing to ensure that the business has the real-time capabilities in place to identify new attack vectors and remediate vulnerabilities as they unfold.
As with all new platforms and tools, an API security provider must be more than simply a vendor. They need to be viewed as a trusted partner who helps ensure that API security policies and tools stay ahead of the ever-shifting landscape while also improving the speed at which customers can expand their businesses in this highly competitive environment.
As we look to a future of increasingly rapid software development incorporating automated code generation, now more than ever companies will need comprehensive, flexible API security tools covering discovery, posture management, runtime protection, and pre-production and deployment. This will enable them to actively test, predict, and defend against vulnerabilities and meet the demands of an increasingly unpredictable world.
Filip Verloy is Field CTO at Noname Security.