Every company today is a software company. Every company today is a data generating company. That’s because your customers gain access to your company through APIs.
And if your customers have access to you through APIs, so do threat actors, which could compromise your software supply chain security, according to a session at (ISC)2 Security Congress.
API in the Software Supply Chain
APIs act as the digital intermediary between the supply chain environment and applications. Or you can look at it as the digital intermediary between the supply chain and the customer, making sure the entire process runs smoothly, from a correct order to efficient delivery. This reliance is only expected to grow, as Gartner predicts that by 2025, 80% of B2B sales interactions will occur in digital channels.
But Gartner also adds this prediction: “By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.”
A Changing Infrastructure
The software supply chain security risk comes because of the changes in how users get to the data source or the application they need, according to Andrew Whelchel, Senior Solutions Engineer with Saviynt, who presented the Security Congress talk.
In the past, this was a complex process, going through multiple layers of servers just to get to the data, and then it was an equally complex trip back to the user. Risk was present because of the transmission process through so many different layers and the solid boundary edge around the process, indicating that the end-user is the one responsible for the security of the data, even if it isn’t part of their core business operation.
Cloud computing has changed the infrastructure. The organization is no longer the sole custodian of the data; cloud providers also share custodianship, even if it is temporary. This creates a shared management.
Amid this system sprawl, every one of these systems is moving to the cloud and every forward-thinking company in the supply chain is trying to integrate them.
A more subtle shift is the role of inner-cloud services and how data is now delivered. Less data is siloed. APIs have matured from the original SDK to a series of APIs connected to each other. And this has facilitated a number of changes in the software supply chain. APIs offer communication with data and processes in a more uniformed manner, replacing the custom data calls. Cloud-based APIs also eliminated the space between the data and the user. In the old way, the data had to move through multiple entities to reach the end user, slowing transmission. No distance speeds up processes, impacting the end user experience.
The No Distance Impact on Software Supply Chain Security
The server clouds and no distance from the data also bring more documentation transparency than traditional servers, and that improves overall security risk assessment. This has offered new levels of agility to those organizations that must follow strict governmental compliances, Whelchel pointed out. The agility establishes resiliency against cyberattacks, which continue relentlessly no matter the infrastructure.
This new structure offers a solid basis for fans of a Zero Trust architecture. There is less focus on risk to the network interface settings and more focus on the risks of the assets, in this case the data.
Threat Context and APIs
In APIs’ prior role, there were a lot of connections and a lot of nods to get to the data itself. In the past, the data model was more focused, often with lateral movement. But this also gave threat actors a lot of cover. When they gained access into this space, they could lay low until the opportune time approached to make their move undetected. There were too many access points and too many opportunities for credential compromise. This approach also made networks and VPNs more vulnerable.
With serverless APIs, credential compromise can be addressed with least privilege. It’s important to look at identity principles to combine with access and look at it in real-time threat information.
In the next post, we’ll look at how to best defend software supply chain attacks using secure APIs.