As we move into a new decade IT professionals will be scratching their heads wondering “what new threat is going to cause me to have to rethink my security architecture or user policy?”. As a solutions architect working with a wide range of customers, here’s my take on what’s coming.
API security to take centre stage
Up until now very little has been done around API security once you get past basic authentication. What do I mean by this? Well, to make an API ‘get’ some data, you feed it a command; let’s say in our case it’s a mobile banking app that shows your name and address as well as your account number. To get information from the API, the mobile banking app has to be authenticated with the API, usually over some currently unbreakable encryption method. Great, the connection is trusted and secure. But hackers have shown time and again that once you have access to an API you can usually force it to give you data that wasn’t intended for you.
In my example, imagine if swapping out the account number in my API call gave me the addresses and account numbers of other bank customers. Sound far-fetched? Not really: the vast majority of hacks in the news are done via the API, and even Facebook and Google have been victims. You have to ask yourself ‘if Google and Facebook have problems, what are the odds that I do not?’.
And so we’ll see the adoption of machine learning tools for APIs which, rather than relying on authentication for security, rely on behaviour algorithms instead. Practically everything has an API these days, and they were built with ease and portability in mind; security was something of an afterthought, an attitude which will dramatically change in the coming year.
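The mobile banking example above, written out as an added illustration that is not part of the original article: an authenticated handler that never checks who owns the requested account (the flaw described), the same handler with an object-level ownership check, and a simple behavioural counter of the kind the text anticipates. The account table, user names and the EnumerationMonitor class are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample data: a tiny "core banking" table keyed by account number.
ACCOUNTS = {
    "10000001": {"owner": "alice", "name": "Alice Smith", "address": "1 High St"},
    "10000002": {"owner": "bob",   "name": "Bob Jones",   "address": "2 Low Rd"},
    "10000003": {"owner": "alice", "name": "Alice Smith", "address": "1 High St"},
}

class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised for the object."""

def get_account_vulnerable(session_user: str, account_number: str) -> dict:
    """The flaw from the text: the session is authenticated, but the handler
    never checks that the account belongs to the caller, so swapping the
    account number in the request returns another customer's record."""
    return ACCOUNTS[account_number]

def get_account_hardened(session_user: str, account_number: str) -> dict:
    """Object-level authorisation: look the record up, then verify ownership
    before returning anything. A missing account and a foreign account both
    raise Forbidden, so the response does not reveal which accounts exist."""
    record = ACCOUNTS.get(account_number)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read account {account_number}")
    return record

def can_read(session_user: str, account_number: str) -> bool:
    """Convenience wrapper so callers can test authorisation without catching."""
    try:
        get_account_hardened(session_user, account_number)
        return True
    except Forbidden:
        return False

class EnumerationMonitor:
    """Behavioural check (hypothetical, not a product API): count how many
    distinct account numbers each caller asks for and flag callers that exceed
    a threshold, which is what account-number swapping looks like in traffic."""
    def __init__(self, threshold: int):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def observe(self, session_user: str, account_number: str) -> bool:
        """Record one request; return True once the caller looks like an enumerator."""
        self.seen[session_user].add(account_number)
        return len(self.seen[session_user]) > self.threshold
```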
Zero Trust and Identity and Access Management (IAM)
Zero trust is the latest buzzword to have hit nearly every meeting I sit in. Unfortunately for IT managers and sysadmins it isn’t just a buzzword; it’s a new paradigm in managing access to resources, which means you’ll have to rethink your approach to remote access and logins. There are different approaches to Zero Trust, but for the uninitiated it means the death of old VPN remote access systems and a move to highly secure portals that can only be accessed via a web browser.
Tightly coupled with Zero Trust is IAM, which pushes organisations to have ‘one source of truth’ for what access a user should have. IAM is necessary as we’ve shifted almost entirely to SaaS platforms, most of which are accessed with an email address and password.
How many people reading this article access Salesforce with username/password authentication? And how many people have left a company only to find out their old username and password still work? The problem is widespread, and companies are way behind on their uptake of Zero Trust and IAM. Rest assured you’ll see more stories of VPN connections being hacked, and businesses will be forced to move to new technologies.
Software hygiene and third party scripts
So we’ve all heard the scenario: you need to write a program for something-or-other. After a quick search around, it turns out there are three pieces of open source software available which, when used together, will perform the function you require. Great, so you’ve just saved tonnes of development effort and your time to market is greatly reduced.
The only problem with this is that now you’ve got three pieces of open source code running, each of which can punch a hole in your security posture. Let’s say for example you used an open source SSL library as part of this program, and later a vulnerability is found in that SSL library. Well, how would you know you were affected if the library was just compiled into your program? How clean is your program and its composite parts?
This software hygiene problem is now becoming a major headache for companies, especially when you’re looking at hundreds of libraries with possibly thousands of known vulnerabilities. Help is at hand, and some tech startups are already offering automated tools to alert you to any CVEs your software might contain.
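The core of the automated check the text refers to, as an added example that is not the article's or any vendor's code: a component inventory (including a library compiled straight into the program) matched against advisories with affected version ranges. The component names, versions, advisory ids and the version parser are all constructed for this example; the ids are placeholders, not real CVE numbers.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def parse_version(v: str) -> tuple:
    """Turn '1.0.2g'- or '2.14.1'-style versions into a comparable tuple.
    Each dotted piece becomes (number, letter-suffix), so 1.2.11 > 1.2.9 and
    1.0.2g < 1.0.2h. Assumption for this example: a single trailing suffix."""
    parts = []
    for piece in v.split("."):
        num = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(num) if num else 0, piece[len(num):]))
    return tuple(parts)

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    origin: str  # "package" (tracked by a package manager) or "vendored" (compiled in)

@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # placeholder ids, not real CVE numbers
    name: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None if no fix yet

def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component's version falls inside the advisory's range."""
    if component.name != adv.name:
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def match_advisories(sbom: List[Component],
                     advisories: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Return every (component, advisory) pair needing attention. Vendored
    components are the ones the text worries about: no package manager will
    flag them, so they only surface if they are in the inventory at all."""
    return [(c, a) for c in sbom for a in advisories if is_affected(c, a)]

# Constructed inventory and advisories.
SBOM = [Component("libssl", "1.0.2g", "vendored"),
        Component("json-parse", "2.3.0", "package"),
        Component("zlib", "1.2.11", "package")]
ADVISORIES = [Advisory("CVE-EXAMPLE-0001", "libssl", "1.0.1", "1.0.2h"),
              Advisory("CVE-EXAMPLE-0002", "json-parse", "2.0.0", None),
              Advisory("CVE-EXAMPLE-0003", "zlib", "1.2.0", "1.2.9")]
```

Running `match_advisories(SBOM, ADVISORIES)` flags the vendored libssl and the unfixed json-parse advisory, and correctly leaves zlib 1.2.11 alone because the fix landed in 1.2.9.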
On the other side of your application you’ve got third party plugins, things which you intentionally allow to access certain parts of your app to provide a feature on your website. This is currently the wild west of the IT world, with companies allowing third party JavaScript on their sites with a very laissez-faire attitude as to what it’s really doing. Attacks leveraging this part of the attack surface roughly come under the name ‘Magecart’, the highest profile incident last year being the credit card data theft from British Airways. It’s been coming for a while, but expect to see a big lock down on allowing random open source code and third party add-ons on sites.
Again, there are certain startups that are addressing the issue but I’m fairly sure we’ll see some high profile ‘Magecart’ attacks in 2020 before everyone really takes note. These types of attacks became newsworthy in the last few years and we can be sure that moving forward, they will get much worse – perhaps even bigger attacks and huge fines levied. These weaknesses in the software deployment lifecycle will need careful attention.
*This post originally appeared in SC Magazine UK on February 6, 2020