Security Boulevard: The Five-Step Journey to Complete Cloud Security (April 5th)
IT - Security

Attackers Exploit APIs Faster Than Ever Before
HelpNet Security, March 8th, 2023
After combing through 350,000 reports to find 650 API-specific vulnerabilities from 337 different vendors and tracking 115 published exploits impacting these vulnerabilities, the results clearly illustrate that the API threat landscape is becoming more dangerous, according to Wallarm.

Researchers came to this conclusion based on the 2022 data, specifically these three trends:

Attack growth

In 2022 there was a huge increase in attacks against Wallarm's customers' APIs, which ballooned over 197% from H1 to H2. As API-related breaches influence today's headlines, it's clear that this trend is extrapolating beyond Wallarm customers and will continue to grow in 2023.

One of the mysteries of detection and response (D&R) is about how companies really approach D&R in the public cloud. So we did a survey focused on this, and we actually polled both leaders and technologists.

'Our State of Cloud Threat Detection and Response report summarizes the survey responses of 400 security leaders and SecOps practitioners in North America regarding the capabilities, practices, and behaviors of protecting against, identifying, and remediating cloud-based threats.'

Now, you have three options:

  • Just read the survey results document 'PDF, 24 pages, with pictures!'
  • Read the official blog, it is serious.
  • Or, read this one, where I try to be a bit funnier. Then read the survey results anyway.

Before we go further, a quick reminder: this is a survey, thus it analyzes what people say they do, rather than what they actually do (so YMMV).

We saw numerous cybersecurity breaches in 2022. The attacks became more sophisticated, the bots got sneakier, and the cost of breaches multiplied.

Yet, enterprises were underprepared to deal with the well-known threats. With the rise of new technologies and the increased adoption of remote work, cybercriminals have quickly adapted their tactics. They are now targeting businesses in ways never seen before.

As a result, every organization needs to realign its cybersecurity goals and processes to meet the changing needs of the threat landscape. CISOs must stay ahead of the curve and be prepared for the cybersecurity trends defining 2023.

These agile controls and processes can help critical infrastructure organizations build an ICS security program tailored to their own risk profile.

It's no secret that the industrial control system (ICS) attack surface is rapidly expanding (PDF). From advancements in business digitalization, IT-OT convergence, and Internet of Things (IoT) adoption to the ripple effects of escalating geopolitical tensions, organizations in critical infrastructure sectors must be positioned to combat accelerating ICS attacks that, in addition to forcing prolonged operational downtime, can potentially put people and communities at severe risk.

The typical cloud is likely less secure than an organization believes it is, and that is because most security professionals do not have a clear picture of their entire cloud. How did they get here?

Well, enterprise digital transformation has historically placed so much value on speed in development, that cloud security has fallen by the wayside. Many organizations find themselves moving to the cloud once the business discovers it can offer them major cost savings and increased efficiency, but their procedures, tools, dashboards and security strategies are consistent with on-prem days.

Standardized SD-WAN and SASE have emerged as crucial use cases for edge computing as they allow the provisioning of computing resources and connectivity needed to improve application performance, minimize latency, and enhance the user experience.

The adoption of a hybrid work environment has reverberated across the technology ecosystem. Employees expect fast, secure, and reliable access to corporate resources from any location, and the traditional walls of centralized security and applications have been dismantled as organizations look to support a geographically distributed workforce.

The continuing epidemic has shifted the way we work and engage with technology, making the last year a rollercoaster ride for many enterprises. Among all the changes, one constant has been the significance of security. As we look back on 2022, it's worth pausing to consider the year's important security victories.

In this blog post, we'll look at some of the most important accomplishments in development, engineering, and executive leadership, as well as how they're working to design a more secure future.

Security Wins for Development Teams

2022 has been a year of advancement in the field of secure code development for development leaders. Application Security testing is becoming increasingly common, with a growing number of enterprises understanding the value of discovering and addressing vulnerabilities early in the development process.

Remote working is here to stay, but the risks remain

Businesses and employees have benefitted greatly from the introduction of remote and hybrid working, but have also faced major challenges, new research has found.

A report from Fortinet found almost two-thirds of firms (62%) suffered a data breach during the last two to three years, which could be, at least in part, attributed to the remote working environment.

The idea of remote working introducing new risks into the workplace is thus no longer merely theoretical, but also proven in practice. Fortinet says there are vulnerabilities in the way work is being organized that threat actors actively exploit to steal sensitive data. Usually, that data is either sold on the black market, used to mount additional attacks, or used as a bargaining chip in a ransom negotiation.

As the security model becomes the preferred security strategy, it's worth looking at what it is and what it takes to achieve.

Security leaders are embracing zero trust, with the vast majority of organizations either implementing or planning to adopt the strategy. The 2022 State of Zero-Trust Security report found that 97% of those surveyed either have or plan to have a zero-trust initiative in place within 18 months.

In fact, the percentage of organizations with zero trust already in place more than doubled in just one year, jumping from 24% in 2021 to 55% in the 2022 survey issued by identity and access management technology provider Okta.

Want To Stretch Your Security Budget? Read Our Guide
Security Boulevard, March 7th, 2023
In an uncertain economy, getting sufficient funding for security budget projects can be hard to come by. Organizations are being more cautious about spending, which means security leaders must adapt accordingly.

They need to be more discerning in how they plan their budgets.

Fortunately, there are ways CISOs and other cybersecurity leaders can gain efficiencies and be smarter about how they conduct operations. Here are four tactics they can employ to maximize their cybersecurity investments:...

The Open Web Application Security Project (OWASP) is a global non-profit organization dedicated to improving the security of software. The OWASP foundation first released a list of the top 10 security risks faced by APIs in 2019.

This year, we'll see the updated list for 2023 being published, which is currently in Release Candidate status soliciting contributions...

Although 4 years is an extremely long time when it comes to computing, the fact remains that most organizations are still in the process of putting better API security controls in place to protect against the 2019 Top 10. Additionally, remember that the list contains ten categories of vulnerabilities, each category housing multiple vulnerabilities.

See all Archived IT - Security articles See all articles from this issue