Tuesday, October 3, 2023

APIs new porous points for entry of scammers, says security exec

While APIs (application programming interfaces) have become the lifeblood of the modern computing industry by allowing disparate computer programs to communicate with each other, hackers and scammers have also exploited the weaknesses of the technology and have made it into a lucrative trade.

Noname Security vice president for sales in Asia Pacific PK Lim

This is according to PK Lim, vice president for sales in Asia Pacific at Noname Security, who cited a report by research firm Gartner that APIs have become the top attack vector for Web applications as traditional controls have left APIs vulnerable to attack.

Lim said legacy systems are still very much in use across multiple industries, leaving API security exposed to vulnerabilities, misconfigurations, and design flaws.

The official stressed that while APIs are not the lone entry point for attacks, a significant portion of cloud breaches can be traced to misconfigured APIs.

“It is essential for a company to be proactive when it comes to securing their API platform. Otherwise, it could be damaging for them if it is too late,” said Lim, a veteran security professional who had stints with top security firms RSA, Fortinet, and Blue Coat.

Lim said API security risks and issues are highly technical and require thorough study and monitoring. Noname Security’s solutions, he said, are specifically built to uncover data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks.

It must have been for this reason that Tonik, which is said to be the first “neobank” in the Philippines, has tapped the security firm to help secure a critical component of its digital platform as it seeks to address new retail lending opportunities in Southeast Asia.

Noname said its API Security Platform will provide Tonik with the means to validate the health of the APIs it uses. The digital bank, it said, can now have a real-time inventory and monitor active APIs efficiently as well as discover and analyze legacy and dormant APIs.

The security company also said the platform enables the bank to actively test APIs before production so that it can identify potential flaws in its software development lifecycle.

Noname Security was also chosen for its ease-of-use, Software-as-a-Service (SaaS) licensing model, non-intrusiveness, and the ability to integrate with the bank’s back-end workflow solution.

“We chose the Noname API Security Platform after a proof-of-value test and we are happy that it meets our expectations of a top-notch API security solution,” said Arivuvel Ramu, group chief technology officer of Tonik.

“It is a priority for us to ensure that APIs deliver the performance and security required for compliance as well as a great digital experience for consumers,” he added.

Lim, for his part, said the platform’s automated and dynamic tests built into API development allow enterprises like Tonik to effectively resolve any security issues before they take root.

Noname is confident of its engagement with Tonik as it is coming off a successful deployment of its API Security Platform with payments firm Rapyd, which operates a payments network that allows local and cross-border transactions.

Noname’s security solution is ideal for Rapyd as its platform unifies fragmented payment systems worldwide by bringing together 900-plus payment methods in over 100 countries.

As such, its public payments API handles billions of dollars of transactions 24/7. Even minor instances of disruptions, fraud, or abuse could mean millions of dollars in lost revenue, significant remediation costs, and a loss of customer trust for both Rapyd and its customers, according to Noname Security.

“After evaluating each vendor’s holistic combination of product and team capabilities, Noname Security emerged as the clear leader. The CISO’s team quickly deployed the Noname API Security Platform – with posture management, runtime protection, and active testing in one unified solution – across all of their AWS regions globally,” Noname Security said in a customer brief.

“Rapyd can now confidently grow its global business both quickly and securely, as real data from blocked attacks and production vulnerabilities inform their development efforts and new code can be easily tested before going live. Rapyd will also have full architectural freedom to deploy Noname as fully cloud-based, fully on-premises, or any hybrid combination as needed as they continue to expand into new markets and regulatory environments,” it added.

