by Colin Ife – Security Researcher

Getting your first car is one of the great joys of freedom. No longer bound by the laws of public transport, you now have absolute control of where, when, and by which way you want to go. Of course, this is until you hear about car insurance and the legal requirement to have it! More often than not, these insurance policies – most especially the fully comprehensive ones – come at great expense, and can seem like money wasted.

However, as owners of any valuable car will know, this is not the case. The unpredictability of any road journey, and the ever-present potential for an accident, make car insurance – especially the fully comprehensive policies – a smart choice rather than an unnecessary cost. In short, car insurance helps drivers manage their risks, protecting their valuable assets and themselves against the varied costs that may arise from unforeseen harms. What’s more, the more valuable the car – an Audi R8 or an Aston Martin DB9 rather than, say, a ‘95 Cavalier – the more sense that cover makes.

Clearly, owning a vehicle gives you flexibility and freedom that no other mode of transport can offer, but also requires the protective cover that car insurance provides. In fact, almost every physical valuable asset can be insured against unforeseen damage, whether criminal or not.

APIs are no different: they offer the same kind of freedom, and the organizations that use them need comprehensive protection too.

In the software landscape, APIs give businesses and developers the added capabilities of automation, flexibility, reusability, seamless integration, efficiency, and the personalization of their web applications and services. APIs “take the shackles off” of the traditional software paradigms of siloed services and built-from-scratch software to allow for seamless and straightforward integration between different web services.

The downside to this – as there always is – is that API security has yet to catch up with the explosion of vulnerabilities that accompanies this growth, despite great investment in the field. Recent security reports provide damning assessments of the state of API security. One in particular [1] points out that:

  1. The number of serious vulnerabilities continues to increase at a rate that makes remediation nearly impossible if teams continue to rely on traditional bug remediation methods.
  2. Microservices are riddled with vulnerabilities. This is because microservice-based approaches typically involve exposing more of the system’s functionality directly to the network, and, in turn, to would-be attackers. Also, dealing with multiple small and replicable containers that function as one means the potential landscape is significantly expanded with an increased likelihood of one vulnerability in a microservice being replicated again and again. In fact, they average more vulnerabilities per line of code than traditional services do.
  3. Nearly 70% of every application is comprised of reusable software components, thereby allowing for vulnerabilities to be “inherited.”
  4. 85% of mobile apps violated one or more of the OWASP Mobile Top 10. This list details the top 10 most common threats to mobile application security. An astonishing number of mobile apps returned risk findings for insecure data storage and/or insecure communication, client code quality issues and vulnerabilities, risk exposure to reverse engineering, and/or extraneous functionality that could potentially be exploited.

Figure: OWASP Mobile Top 10 Violation Rates by NowSecure – https://www.nowsecure.com/blog/2018/07/11/a-decade-in-how-safe-are-your-ios-and-android-apps/

More generally, this report talks about the Window of Exposure (the period of exposure of applications to security risks) and the Time to Fix window (how long it takes to fix a vulnerability), and highlights the importance of organizations understanding and managing these critical metrics in order to protect their applications, services, and clients.

Whether you look at past breaches or the everyday threats that typical users face, it is clear that the constant threat from malicious users and cybercriminals means that these unremediated vulnerabilities will inevitably translate into exploitation, then misuse, then more data breaches, and, ultimately, serious losses for both businesses and users.

Here at Spherical Defense, we’ve spent years investigating and developing the adaptive comprehensive cover, powered by unsupervised deep learning techniques, that services, developers, and security specialists have been needing for years! 

In a series of articles, we’ll break down what this “comprehensive cover” entails and explain how AI-powered security technologies can (1) automatically detect new vulnerabilities, (2) provide cover for an application’s Window of Exposure, and (3) shift the Time to Fix window so that software developers can remediate bugs sooner rather than later.

By the end, you should understand the need to rethink the management of APIs in the organization and to mount a comprehensive and adaptive security policy.

[1] NowSecure WhiteHat Report 2018: https://www.nowsecure.com/resource/2018-application-security-statistics-report/nowsecure-whitehat-2018-application-security-report-cover/