When you think about the Internet of Things, mobility, APIs and legacy applications, the possibilities for security lapses and exposure of sensitive data can cloud business innovations.
Many companies want to take advantage of APIs to unlock legacy data for employees or to engage in flexible and convenient ways with customers or supply chains. While your organization may not be exposing racy photos like Snapchat or redirecting users to a fake malicious site with your Bitly account, the risks are real for both private and public APIs.
The mobility piece is even scarier. In addition to poor API design and management, security professionals have legitimate concerns about a lack of mobile security measures. According to a Ponemon Institute study, published in February, 77% of security professionals stated they have serious difficulty securing mobile apps, while only 14% said their organizations were effective in securing them. Insecure mobile apps can have a ripple effect on the vulnerability of enterprise applications from open source and cloud to proprietary software.
All of these concerns are tied to an age-old security problem -- software vulnerabilities and a widespread lack of control over development practices, testing and adequate documentation. As developers rush to meet customers' demands or wrestle with Microsoft's aging Windows APIs, developing and enforcing procedures to secure programmatic interfaces has fallen by the wayside. Is it realistic to make CIOs and security managers responsible for API design and management processes?
Enterprises are making strides toward API management as a slew of technologies aimed at access, administration and ease of use try to help automate and bring visibility to the process. Information security is a key promise of these platforms, as Alan Earls reports in his article on the API economy and its security implications. "API management products not only often include a gateway function, they also serve up additional features such as authentication, analytics, hosting and billing options," he writes.
The mobility piece is not getting easier. But some companies are using unique strategies to control network access, as David Strom discovered in his story on securing the network perimeter in the age of mobile and cloud. "Today's data centers are no longer on-premises," says Strom. "New network security models are required to define what the network perimeter is and how it can be defended."
APIs can help systems and applications interact and bring new value to company data. Will working together help industries counter cyberthreats?
Adam Rice and James Ringold continue their APT series this month with a look at which artifacts should be shared and how companies can benefit by participating in collaboration and information sharing and analysis centers. Organizations that do not have mature security programs may have more to gain, but large enterprises serve as active leaders in these communities. Some groups partner with government agencies, but the FBI and NSA's definition of "sharing" may differ from that of the private sector. The same could be said for private industries that are highly competitive, like technology.