As more businesses move their operations online, they expose not only themselves but also their customers to additional threats. For customers, this is especially true when submitting credit card details to complete online transactions. One of the most common attacks in this space is carding. Carding occurs when an attacker takes illegally obtained credit card information (often in bulk), attempts to validate the stolen card numbers, and then sells or uses the cards that prove valid. In 2018, credit card fraud was expected to exceed $6 billion*. This number is only expected to grow as online shopping becomes more widespread and accepted.
Topics: Threat Intelligence
*We are thrilled to introduce and feature David Geer on the ThreatX Blog. David is a content marketing writer and market influencer specializing in cybersecurity.*
You’ve heard that nation-state hackers stole 145 million consumer records in the 2017 Equifax breach. Did you know that this attack and breaches at Amazon, Facebook, T-Mobile, and the Black Hat security conference all targeted vulnerable APIs?
Thanks to APIs, your consumers, employees, and partners benefit from robust applications with rich features. But cyberthugs profit too, because they can leverage APIs and their flaws to get to your data.
Thousands of new APIs become available each year on ProgrammableWeb.com alone. The global cloud API market will generate more than $1.7 billion in revenues by 2026, according to Persistence Market Research. With organizations like yours creating and using more APIs each year, the attack surface grows ever broader. Any solution must surround and secure your APIs, apps, and data despite the burgeoning landscape.
Application security is undergoing a broad transformation - from the way applications are architected, developed, and deployed to the ever-evolving diversity and scale of the threats they face. Driving this transformation is the growing complexity of application portfolios, which provide more engaging experiences for customers but also hold ever more data. Often, this is accomplished through Application Programming Interfaces (APIs), which can be external-facing as well as connected to back-end systems. In addition, applications are becoming more modular or are being broken into microservices.
As a result, legacy, rules-based web application firewalls (WAFs) like F5 and Imperva Incapsula are not equipped to keep pace with today's dynamic application and threat environments. These tools are increasingly unable to keep up with sophisticated, high-impact threats. Security teams need the right tools and strategies built for these new realities. Enter the next-gen WAF.
Application Programming Interfaces (APIs) are growing at an unprecedented rate. According to ProgrammableWeb, there were more than 20,600 APIs as of January 2019. That's nearly a 230% increase in the last decade. And while APIs are better suited for today's high-powered business model, they present a myriad of security challenges that must be addressed.
Last week we had a great webcast and discussion on the topic of securing APIs and microservice architectures. Based on the feedback during the webcast and the many conversations we have with prospects, this is becoming a very hot topic (and source of frustration) for many of you in application security.
This shouldn’t come as a surprise given that these two topics are shifting some of the fundamental assumptions that old-school WAFs have relied on for years. Instead of everything coming in through the front door, applications are increasingly accessed via APIs that can be Internet-facing as well as connected on the back end. Likewise, as applications become more modular and are broken into microservices, the old appliance-based model of WAFs is increasingly unable to see application traffic, let alone enforce policy on it.
Many of the questions we received in the webinar mirrored questions and challenges we regularly hear in the field when engaging with AppSec teams. So with that in mind, I wanted to quickly run through, and provide answers to, some of those questions.
APIs have become a strategic necessity for conducting business due to the agility, innovation, and automation they enable. While 90% of the business reaps the benefits of this technology, security teams are often exposed to a slew of new challenges that can’t be solved by long-standing security tools and strategies. In fact, according to Gartner [1], by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications. We are partnering with the team at SC Magazine to address this phenomenon in an upcoming webinar.
Before joining ThreatX, Jeremiah Cruit was no stranger to Web Application Firewalls. As a seasoned CISO with 20+ years in the industry, he tried dozens of WAF solutions along the way. And with each solution, his faith in the effectiveness and usability of WAFs dwindled. So how did he end up at a WAF company? IDG Connect explored this and more about his past in the following interview.
Topics: Company | News
Earlier this month, I had the opportunity to discuss the role of machine learning in security with Dave Shackleford from SANS. It was a fun discussion, and if you have the time, I encourage you to check it out here.