Tag Archives: Good Read

Good Read: API First Security Strategy

Nearly every piece of software in the world either is an API or uses one. APIs (application programming interfaces) have enabled the world to connect digitally and have driven the broader use of IoT devices.

As APIs’ popularity rises, so does their prevalence as an attack vector, because attackers have always gravitated toward the most target-rich technologies. Gartner forecasts that APIs will become the most common attack vector by next year. Yet despite greater awareness of the need for API security, breaches continue to happen.

Abstract

What does an API-first security strategy look like? Here are five observations:

1. High visibility is crucial. An API-first approach acknowledges the API as a first-class citizen in an application’s design. Given how much vital work APIs now do in communicating between applications, their access controls deserve the same scrutiny that a superuser (e.g., an IT administrator with unlimited privileges) receives: every endpoint should be inventoried, and every call authenticated and authorized explicitly rather than by default.

2. REST APIs are a growing target. REST (REpresentational State Transfer) is the duct tape of technology: it defines how systems connect to and interact with each other by using HTTP requests to access and manipulate data. REST API usage has become so widespread in enterprise application development that many companies struggle to form a clear picture of all their deployments. These visibility gaps (undocumented, forgotten, or shadow endpoints) make APIs harder to protect.

3. Encryption of all data is key. This is true not just for data at rest but also for data in transit. In practice the API serves traffic only over TLS and authenticates callers with authorization tokens sent inside that TLS session (the token itself encrypts nothing, so it must never travel over plaintext HTTP), and the data the API reads and writes should be encrypted at rest as well.

4. Credential stuffing is still a huge problem and an evolving threat. Credential stuffing is the automated injection of stolen username/password pairs, typically harvested from other breaches, to gain unauthorized access. Companies have gotten better at defending their front-end applications and web pages against it. Still, attackers increasingly target back-end APIs, which historically have had fewer security controls (a login page often gets CAPTCHAs, rate limits, and monitoring that the API endpoint behind it does not).

5. Automated checks should be standard practice. I keep noticing how rarely automated security checks are part of a CI/CD pipeline, if they are implemented at all. A mature application security team should work with the engineering squads to design security into the pipelines, which lets an organization scale security with its product offerings.
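Observation 1 (explicit access control on every endpoint) and observation 3 (authorization tokens carried over TLS) are easier to reason about with a concrete gate in front of the routes. The following is an added example written for this post, not code from the Dark Reading article or from any product it mentions. It assumes an HMAC-SHA256 signed bearer token of the form base64url(payload).base64url(mac), a hypothetical SECRET_KEY, and a hypothetical ROUTE_SCOPES table; any route not listed is denied, and any token that fails the constant-time MAC check or has expired is rejected before scopes are even consulted.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed signing key for the example only; a real service loads it from a secret store.
SECRET_KEY = b"example-signing-key-do-not-use-in-production"

# Hypothetical route table: every (method, path) lists the scopes a caller must hold.
# Anything not in this table is denied (deny by default).
ROUTE_SCOPES = {
    ("GET", "/v1/orders"): {"orders:read"},
    ("POST", "/v1/orders"): {"orders:write"},
    ("DELETE", "/v1/users"): {"users:admin"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def issue_token(subject: str, scopes, ttl_seconds: int = 900, now=None) -> str:
    """Mint a token: base64url(JSON payload).base64url(HMAC-SHA256 over the payload)."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"sub": subject, "scopes": sorted(scopes), "exp": int(now + ttl_seconds)},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(mac)}"


def verify_token(token: str, now=None):
    """Return the claims dict if the MAC and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64url(payload_b64)
        mac = _unb64url(mac_b64)
    except ValueError:            # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so response timing does not reveal how many MAC bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(method: str, path: str, authorization_header, now=None):
    """Gate one request: (404) unknown route, (401) no/invalid token, (403) missing scope, (200) ok."""
    required = ROUTE_SCOPES.get((method.upper(), path))
    if required is None:
        return 404, "unknown route (denied by default)"
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(authorization_header[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired token"
    if not required.issubset(set(claims.get("scopes", []))):
        return 403, f"{claims['sub']} lacks {sorted(required)}"
    return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    token = issue_token("svc-orders", {"orders:read"})
    for method, path in [("GET", "/v1/orders"), ("POST", "/v1/orders"), ("GET", "/v1/unknown")]:
        print(method, path, authorize(method, path, "Bearer " + token))
```

The gate returns 401 and 403 as distinct outcomes on purpose: a burst of 401s from one source is the signal the credential-stuffing observation below cares about, while 403s point at a valid but over-reaching caller. Because the token only authenticates, the transport (TLS) still has to protect it; this code deliberately does not try to substitute for that.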
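Observation 4 says back-end APIs see credential stuffing that the front end has learned to block; the detection is cheap if the API's authentication log is actually watched. The following is an added example, not from the article or from any vendor it cites. The log lines are constructed for the example in an assumed "timestamp ip username outcome" format; the thresholds are assumptions to tune per service. The logic separates credential stuffing (many failures spread across many accounts, one password each) from plain brute force (many failures against one account), and it records any successful login from an already-flagged source, since that success is the account takeover that matters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from a real system): one login attempt per line.
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01Z 203.0.113.10 alice FAIL
2024-03-01T10:00:02Z 203.0.113.10 bob FAIL
2024-03-01T10:00:02Z 203.0.113.10 carol FAIL
2024-03-01T10:00:03Z 203.0.113.10 dave FAIL
2024-03-01T10:00:03Z 203.0.113.10 erin FAIL
2024-03-01T10:00:04Z 203.0.113.10 frank OK
2024-03-01T10:00:05Z 198.51.100.7 alice FAIL
2024-03-01T10:00:06Z 198.51.100.7 alice FAIL
2024-03-01T10:00:07Z 198.51.100.7 alice FAIL
2024-03-01T10:00:08Z 198.51.100.7 alice FAIL
2024-03-01T10:00:09Z 198.51.100.7 alice FAIL
2024-03-01T10:00:09Z 198.51.100.7 alice FAIL
2024-03-01T10:01:00Z 192.0.2.44 grace OK
2024-03-01T10:05:00Z 192.0.2.44 grace FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_line(line):
    """Parse one assumed-format line into (timestamp, ip, user, outcome); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, outcome = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect(log_text, window=timedelta(seconds=60), min_failures=5, min_distinct_users=4):
    """
    Return {ip: {"verdict": ..., "successes_after_flag": [...]}} for sources whose
    failed logins within a sliding window reach min_failures. The verdict is
    'credential_stuffing' when those failures span at least min_distinct_users
    accounts, otherwise 'brute_force'. Thresholds are example assumptions.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) for failures in window
    verdicts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, outcome = parsed
        if outcome == "OK":
            # A success from a source already flagged is the actual account takeover.
            if ip in verdicts:
                verdicts[ip]["successes_after_flag"].append(user)
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:     # expire failures older than the window
            q.popleft()
        if len(q) >= min_failures:
            distinct = len({u for _, u in q})
            kind = "credential_stuffing" if distinct >= min_distinct_users else "brute_force"
            verdicts.setdefault(ip, {"successes_after_flag": []})["verdict"] = kind
    return verdicts


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_AUTH_LOG).items():
        print(ip, info["verdict"], "took over:", info["successes_after_flag"])
```

Two practical caveats when running this against real API traffic: stuffing campaigns spread requests across many source addresses, so the same windowing is usually repeated with the grouping key set to the client's User-Agent, ASN, or a device fingerprint instead of the IP; and the 401-per-source rate is the number to alert on first, because it can be computed at the edge before the back end sees the load.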
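Observation 2 (companies cannot see all their REST deployments) and observation 5 (security checks belong in the CI/CD pipeline) meet in one cheap control: every API ships with a machine-readable description, so the pipeline can refuse to build one that exposes an unauthenticated operation or a non-TLS server. The following is an added example, not from the article, that audits an OpenAPI 3 document. The sample document, the UNAUTH_ALLOWLIST, and the severity labels are assumptions; a real pipeline would load the team's spec file from the repository and fail the job on any high finding.

```python
import json
import sys

# Constructed OpenAPI 3 document for the example (not a real API).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API", "version": "1.0"},
  "servers": [
    {"url": "https://api.example.com/v1"},
    {"url": "http://staging.example.com/v1"}
  ],
  "components": {
    "securitySchemes": {
      "bearerAuth": {"type": "http", "scheme": "bearer"}
    }
  },
  "security": [{"bearerAuth": []}],
  "paths": {
    "/orders": {
      "get": {"summary": "List orders"},
      "post": {"summary": "Create order", "security": [{"bearerAuth": []}]}
    },
    "/health": {
      "get": {"summary": "Liveness probe", "security": []}
    },
    "/admin/users": {
      "delete": {"summary": "Delete user", "security": []}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Assumed allow-list of paths that may legitimately be unauthenticated.
UNAUTH_ALLOWLIST = {"/health"}


def audit_spec(spec, allowlist=UNAUTH_ALLOWLIST):
    """Return a list of (severity, message) findings; an empty list means the spec passes."""
    findings = []
    for server in spec.get("servers", []):
        url = server.get("url", "")
        if url.lower().startswith("http://"):
            findings.append(("high", f"server {url} is not TLS"))

    schemes = spec.get("components", {}).get("securitySchemes", {})
    if not schemes:
        findings.append(("high", "no securitySchemes defined"))

    global_security = spec.get("security")   # None: nothing declared at document level
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            # OpenAPI semantics: a per-operation 'security' overrides the document
            # default, and an explicit empty list turns authentication off.
            effective = op.get("security", global_security)
            if not effective:
                if path in allowlist:
                    continue
                findings.append(("high", f"{method.upper()} {path} has no security requirement"))
                continue
            for requirement in effective:
                for scheme_name in requirement:
                    if scheme_name not in schemes:
                        findings.append(("medium",
                                         f"{method.upper()} {path} references undefined scheme {scheme_name}"))
    return findings


def main(argv):
    """CI entry point: exit 1 on any high finding so the pipeline stops."""
    spec = SAMPLE_SPEC if len(argv) < 2 else json.load(open(argv[1]))
    findings = audit_spec(spec)
    for severity, message in findings:
        print(f"[{severity}] {message}")
    return 1 if any(severity == "high" for severity, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python audit_spec.py openapi.json` in the build step (the file name is assumed). The same pass also produces the endpoint inventory observation 2 asks for: the set of (method, path) pairs it walks is exactly the surface the security team needs to see, and an endpoint that exists in production but not in the spec is itself the finding.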

Reference

https://www.darkreading.com/application-security/5-objectives-for-establishing-an-api-first-security-strategy/a/d-id/1340622?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Very Good Read: The Future of Sensors, Algorithms, and Recommendations

Abstract

One of the easiest technological trends to predict for the coming decades is the improvement and spread of sensors and algorithms. In short—more sensors, in more places, gathering more data, all fed to better and better algorithms.

Those algorithms will work together and feed a universal interface in both consumer and business environments, and that interface will arrive at conclusions and then make recommendations. This trend is universal because it aligns with a human universal: the desire to improve our lot.

When we’re at home, the sensors throughout the house will include microphones, cameras, radio signals, air-quality monitors, chemical detection in the sinks and toilets, and so on.

These will obviously start basic and get more advanced. Combined, they will be able to tell us whether we’re hungry, tired, happy, sick, angry, depressed, and a thousand other emotions and moods, all in real time.

Read more at https://danielmiessler.com/blog/the-future-of-sensors-algorithms-and-recommendations/?mc_cid=3512bae25b&mc_eid=35079f6e24