API Security Weekly: Issue #68
This week, take a look at where API security is at on Gartner Hype Cycle, what the threatscape for 2020 looks like, and more.
This week, we take a look at where API security is at on Gartner Hype Cycle, what the threatscape for 2020 looks like according to McAfee, and a SANS Institute whitepaper on DevSecOps.
Analysts: API Security in Gartner Hype Cycle
Gartner published its Hype Cycle for Application Security, 2019 a few months ago. The Hype Cycle is a graph that places application security technologies by maturity and adoption: which ones are up and coming and which are already established.
The graphic shows that API security is very much a hot topic of the moment:
- API Security Testing and Discovery is just starting to rise along the hype cycle. Companies are starting to use these tools to discover the APIs their development teams produce and to test the security of those APIs during API design, implementation, and testing, eliminating risks before they ever reach production.
- API Threat Protection is approaching the peak of expectations. These are tools with firewall capabilities for live API traffic. Unlike the generic web application firewall (WAF) category, these products are designed specifically for API traffic and protect your systems at runtime from API-specific attacks.
For the definitions, position, adoption speed justification, user advice, business impact, vendor lists, and so forth, check out the full Gartner report.
Opinions: Threat Predictions for 2020
January is the time of predictions for the year ahead. CISOMAG has published “5 Threat Predictions for 2020” by Raj Samani, Chief Scientist and McAfee Fellow at McAfee. He predicts the following trends in cyber security:
- Broader deepfake capabilities will become available even to less-skilled attackers.
- Attackers will start generating deepfakes to bypass facial recognition.
- Ransomware attacks will be executed as two-stage extortion campaigns.
- DevSecOps will become more prominent as increased containerized workloads cause security controls to shift left.
- APIs will be the weakest link in application security, bringing about cloud-native threats.
From the API security perspective, the last prediction is the most relevant one. DevSecOps is closely related, however: a containerized cloud architecture inevitably means even more APIs and more frequent API changes, which can easily slip through controls and indeed become the weakest link in the chain.
API Security: OWASP API Security Top 10 Explained
Over at DevOps.com, Erez Yalon from the OWASP API Security Top 10 project provides the details and sample exploit scenarios for each of the OWASP API Security Top 10 vulnerabilities.
Check out the two-part blog post:
Whitepapers: Adapting AppSec to a DevOps World
Rebecca Deck from the SANS Institute has published a whitepaper titled “Adapting AppSec to a DevOps World.”
The whitepaper focuses on DevSecOps, the abuse cases and threat models affecting DevOps, and the challenges of trying to fit legacy tools into a CI/CD pipeline.
You can subscribe to this newsletter at APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.