In a previous post, we discussed the rapidly changing landscape of software supply chains. Now, we turn from containers in Kubernetes to containers on cargo ships, from digital supply chains to physical supply chains: the people and organizations managing the ships, trains, trucks, warehouses, and other physical critical infrastructure on which we all rely for our daily food and other goods.
With supply chains in the news every day as disruptions from border closures to changing consumer behavior ripple through the global economy, logistics organizations have had to take a new look at their operational capabilities.
This means the same “digital transformation” that has completely changed other industries: digitizing existing processes, connecting with customers and partners, and refining processes through automation and analytics.
In practical terms, this means integrating mission-critical information systems to eliminate silos and allow supply chain partners to work together. In technical terms, this means using application programming interfaces (APIs) to connect systems, data, and businesses, which in turn makes API security central to managing supply chain cyber security threats.
But with digitization and new ways of working come new challenges, particularly regarding cybersecurity in the supply chain and, ultimately, a logistics organization’s ability to execute.
In this article, we’ll cover:
The disruptions to supply chains from COVID-19 highlighted how complex and, at times, fragile global supply chains have become, as just-in-time manufacturing met the hard reality of unavailable parts and materials.
As supply chains became more efficient, they also became more complex, because the number of things that had to go right increased: sufficient raw materials being mined or manufactured, parts being loaded onto containers in time, enough ships and trucks being available, and so on.
Furthermore, the number of information systems – software, internet-connected devices, and networks – that supply chain participants rely on has continued to grow. Supply chains are fundamentally collaborative enterprises, and as systems of record have transformed from physical folders and notebooks to digital systems, the amount of data and traffic has grown exponentially. The system sprawl is hard to overstate:
All of these supply chain participants strive to stand out from the competition, driving further adoption of collaborative logistics solutions to provide superior customer experiences, business intelligence systems or “control towers” to uncover insights in data, and various other tracking apps and systems to reduce annoying check-calls.
As freight brokers and 3PLs know well, the stakes rise as competition rises. That means the potential cost of a failure in information systems security is rising too. If systems go down or are compromised – whether through cyber attacks or simple mistakes – the consequences for customers and partners can be considerable. Some examples include:
If all of that is at stake, what role do supply chain APIs play? APIs in logistics connect all of those mission-critical systems and enable them to work together. It’s much like how freight brokers need phone and internet connections to communicate with drivers: systems become more useful and valuable when they can talk to each other. But that also creates a dependency that can become a vulnerability in supply chain cybersecurity.
These potential vulnerabilities could be exploited by various actors for various reasons:
Then there are the problems that arise out of simple mistakes or misconfigurations that might accidentally leak data, send too much data and slow systems down, or cause errors that humans have to spend valuable time trying to fix.
What should supply chain and logistics leaders know about protecting the APIs behind their mission-critical information systems and data?
Without getting too technical, there are a few things worth being aware of to understand the challenges your security team faces or, if you don’t have one yet, to ask about as you build that important function.
First, understand that APIs are ubiquitous. Although “API security” is a relatively new field, APIs are everywhere, so, unfortunately, there’s no avoiding the issue. You’ve probably experienced APIs first-hand whenever you’ve signed in to an app on your phone with your Google, Microsoft, Apple, or Facebook account. When you take photos, and they’re available in multiple apps or backed up to the cloud, that’s all made possible by APIs. For a more detailed overview of API security, check out “API Security 101 – 6 Things You Need to Know.”
Second, there are great organizations of cybersecurity professionals setting standards and educating the market. The Open Web Application Security Project® (OWASP), for example, is “a nonprofit foundation that works to improve the security of software.” They do excellent research and maintain lists of top threats that leaders need to know about, such as the OWASP Top 10 and the OWASP API Security Top 10. These are good for executives to know about, whether to ask about when interviewing potential security hires or to understand what security leaders (such as CISOs) are concerned about when advocating for resources, process changes, and so on.
Third, understand that the “top ten” lists are just that: the top challenges but not the only challenges. There’s a lot more that security professionals have to protect against, as Noname Security’s Matt Tesauro described in a recent webinar, “Are you Safe from OWASP #11?”
Fourth, understand that companies of all sizes are potential targets for hackers and attackers. While it’s easy to think that hackers only want to target the “big fish” in an industry, such as major carriers or 3PLs, the reality is that smaller companies, with less sophisticated security organizations, are often the easier targets. Therefore, every organization should be investing in supply chain cybersecurity, and especially in securing the APIs that logistics depends on, given how interconnected supply chains are.
Fifth and finally, know that cybersecurity is not just about preventing attacks from malicious actors like hackers. Many cyber security risks in the supply chain that jeopardize performance, efficiency, and customer relationships come from simple mistakes or misconfigurations that send the wrong data to the wrong people or expose internal, confidential, or personal data to the internet by mistake. This is another reason why even companies that don’t think they’d be a target need to invest in cyber security for logistics.
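The “simple mistake” described here and in the earlier note about misconfigurations that leak data or send too much of it is easy to make concrete. The following is an added example, not code from the original post or from Noname Security: a shipment-lookup handler for a hypothetical freight-tracking API, shown first as it is often written and then hardened. The shipment records, account names, field names and the `SHIPMENTS` store are all constructed for illustration. The leaky version has no ownership check (what the OWASP API Security Top 10 calls Broken Object Level Authorization) and serializes the raw stored row (Excessive Data Exposure in the 2019 list, folded into Broken Object Property Level Authorization in 2023); the hardened version fixes both.

```python
# Added example (not from the original post or Noname Security): a shipment-lookup
# handler for a hypothetical freight-tracking API, leaky version beside hardened
# version. All data, names and identifiers below are constructed.

# Constructed sample data: what a tracking service might store per shipment.
SHIPMENTS = {
    "SHP-1001": {
        "id": "SHP-1001",
        "owner_account": "acct-broker-7",
        "status": "IN_TRANSIT",
        "eta": "2023-06-14",
        "last_scan_location": "Rotterdam",
        # Internal, confidential or personal fields that must never reach a partner:
        "consignee_phone": "+31 6 1234 5678",
        "negotiated_rate_usd": 2450.00,
        "internal_notes": "Customer disputes demurrage charge",
        "carrier_api_key": "constructed-secret-not-real",
    },
    "SHP-1002": {
        "id": "SHP-1002",
        "owner_account": "acct-shipper-2",
        "status": "DELIVERED",
        "eta": "2023-06-02",
        "last_scan_location": "Hamburg",
        "consignee_phone": "+49 40 000000",
        "negotiated_rate_usd": 1800.00,
        "internal_notes": "",
        "carrier_api_key": "constructed-secret-not-real-2",
    },
}

# Fields a partner is allowed to see. Anything not listed is withheld by default.
PUBLIC_FIELDS = ("id", "status", "eta", "last_scan_location")


class ShipmentNotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so callers cannot probe IDs."""


def get_shipment_leaky(shipment_id: str, caller_account: str) -> dict:
    """The 'mistake' version: returns the whole stored record to anyone who
    supplies a valid ID. caller_account is ignored, so any partner can read any
    shipment (broken object level authorization), and the raw row is returned,
    so rates, phone numbers and a credential leak with it (excessive data exposure)."""
    return dict(SHIPMENTS[shipment_id])


def get_shipment_hardened(shipment_id: str, caller_account: str) -> dict:
    """Authorize the object, then project it onto an explicit allow-list."""
    record = SHIPMENTS.get(shipment_id)
    # Object-level check: the caller must own the shipment. A missing record and
    # a foreign record get the same error so shipment IDs cannot be enumerated.
    if record is None or record["owner_account"] != caller_account:
        raise ShipmentNotFound(shipment_id)
    # Property-level check: serialize only the allow-listed fields rather than
    # the stored row, so a column added later stays private until someone
    # deliberately exposes it.
    return {field: record[field] for field in PUBLIC_FIELDS}


def leaked_fields(response: dict) -> list:
    """Diff a response against the allow-list: a quick over-exposure test."""
    return sorted(set(response) - set(PUBLIC_FIELDS))


if __name__ == "__main__":
    # A partner from a different account asks for SHP-1001.
    print("leaky leaks   :", leaked_fields(get_shipment_leaky("SHP-1001", "acct-shipper-2")))
    print("hardened, owner:", get_shipment_hardened("SHP-1001", "acct-broker-7"))
    try:
        get_shipment_hardened("SHP-1001", "acct-shipper-2")
    except ShipmentNotFound as exc:
        print("hardened refuses foreign account:", exc)
```

The allow-list projection is the part that turns a one-off fix into a lasting control: the next engineer who adds a column to the shipment table does not also have to remember to hide it, and `leaked_fields` gives a one-line check to run against any response in a test suite.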
In the past couple of years, demand for logistics companies’ goods and services has skyrocketed as supply chains have been disrupted. To capitalize on today’s high demand and build a strong foundation for future growth, high-performing organizations should focus on three fundamental elements in establishing formidable supply chain cybersecurity:
Any successful initiative requires alignment of these three factors, and supply chain cybersecurity initiatives are no different. Let’s look at each in turn.
Just as supply chains and logistics organizations connect the physical world, APIs connect the digital world. They make all of the digital experiences we enjoy possible, and, importantly, they enable the next generation of leading logistics firms to operate more effectively and better serve their customers.
To realize that potential, companies must not only adopt the best information systems and accompanying processes, but also secure them. Their data is as important as the ships, trains, and trucks that move goods, the warehouses that store them, and the customer relationships that make it all possible. Specifically, logistics organizations should invest in supply chain API security as part of their broader application security and supply chain cybersecurity initiatives.
Ready to take the next step and see how your company can secure your APIs? Schedule a free consultation today.