
By Chris Heggem
Ethical hacker Alissa Knight opened the eyes of the banking industry yesterday in her Money 20/20 keynote presentation, titled “Scorched Earth: Hacking Bank APIs”.
In her presentation, Alissa revealed that she was able to gain access to 55 different banks and change PIN codes and move money in and out of accounts.
Below are the key findings from the press release.
The full report is now available here.
Enterprises across all verticals can learn from Alissa Knight’s research. Here are the top 3 lessons learned:
API usage has surged into a sprawl for businesses of all shapes and sizes. Words and phrases like “digital transformation”, “cloud migration”, “apps”, and “microservices” all mean the same thing — lots and lots of APIs.
In Alissa Knight’s research, she found the same API security vulnerabilities in banks that had 25,000 customers and a few million in managed assets as she did in banks that had 68 million customers and $7.7 trillion in assets under management. Large, mature, and well-funded security teams are not able to keep pace with API security challenges with traditional tools and processes.
Many teams play critical roles in securing APIs. Developers need to write code with security in mind; cloud and platform teams need to ensure APIs are configured properly; and security teams need to detect, investigate, and respond to incidents. Often, especially in larger organizations, APIs are deployed to production faster than they can be secured, and there often isn’t a clear line of communication across enterprise teams.
Specific to Knight’s research, the APIs she exploited were developed by a third party, introducing yet another variable. What’s more, the hack wasn’t detected at any of the banks. This highlights the fact that API security needs to be operationalized across more enterprises to ensure that vulnerabilities are detected and remediated before an attack. And it’s not the responsibility of a single team: developer, DevOps, DevSecOps, and security teams need to standardize, collaborate, and communicate how they build, deploy, and secure APIs.
It’s very easy to jump to conclusions when exploits or attacks make headlines. But detecting and blocking behavior like Alissa Knight’s is only a piece of the API security puzzle. Enterprises need to think about API security across 3 core areas:
Our goal at Noname Security is to help enterprises have trust and peace of mind with their APIs. And we chose to work with Knight because there is still so much education that needs to happen.
Together, we look forward to pioneering and shaping API security maturation across all industries.
Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.