Chart caption: The chart is based on a complete analysis of the CVE database between 2006 and 2021.
The 540% increase in the number of API-related security vulnerabilities recorded in the CVE (Common Vulnerabilities and Exposures) database (https://cve.mitre.org/) between 2015 and 2021, compared with a 280% increase in overall vulnerabilities over the same period, demonstrates the importance of tightening API security and governance. The topic chart generated from the 631 API-related CVE records from 2021 shows unauthenticated access for attackers (1) and the subsequent remote retrieval of sensitive information (3) through externally reachable REST APIs (2) as the critical topics. Older API versions that were deprecated but never switched off constitute another popular entry point for unauthorized access to enterprise systems (4), including file servers (6).
Microservices and Kubernetes As the Driving Factor
EMA Research Facts
- 540% - Increase in API-related security vulnerabilities (CVE records) between 2015 and 2021.
- 68% - Increase in API-related software development topics on Stack Overflow.
- 250 - Number of monthly changes in APIs by AWS, Azure, and GCP.
Shifting Left API Governance Is Critical
Chart caption: Topic map based on all 10,911 CVE records related to cloud native applications.
Due to the complex and dynamic nature of cloud native applications, there is no viable alternative to "shifting left" the creation and governance of API specifications. This requires the automatic generation and audit of API specifications as part of today's software release process. The new APIClarity open source project creates the foundation for addressing this challenge by automatically surfacing APIs that are currently not visible to the organization. Without standard specifications for these formerly under-the-radar APIs, the organization accumulates an unknown quantity of security risk. APIClarity alerts human operators to these unspecified APIs and enables them to verify and complete an automatically created API specification. APIClarity creates this specification based on the OpenAPI 3.1 standard to allow easy ingestion by the corporation's higher-level cloud native security platforms.
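As an added illustration of the reconciliation step described above (this is not APIClarity's own code; the known spec, the traffic sample and the `x-observed-*` vendor-extension fields are constructed assumptions), the following Python compares observed requests with a documented OpenAPI document, flags undocumented routes together with how often they answered unauthenticated requests successfully, and emits a skeleton OpenAPI 3.1 document for an operator to review and complete:

```python
import re
from collections import defaultdict

# Constructed sample: the paths and methods the organization has actually documented.
KNOWN_SPEC = {
    "openapi": "3.1.0",
    "info": {"title": "orders", "version": "2.0"},
    "paths": {
        "/api/v2/users/{id}": {"get": {}, "delete": {}},
        "/api/v2/orders": {"post": {}},
    },
}

# Constructed sample traffic: (method, path, has_authorization_header, status).
OBSERVED = [
    ("GET", "/api/v2/users/42", True, 200),
    ("GET", "/api/v1/users/42", False, 200),      # deprecated version still answering
    ("GET", "/api/v1/users/43", False, 200),
    ("GET", "/internal/files/1234", False, 200),  # file endpoint reachable without auth
    ("POST", "/api/v2/orders", True, 201),
    ("GET", "/api/v2/users/42", False, 401),      # rejected, and a documented route anyway
]

def templatize(path):
    """Replace purely numeric segments with {id} so per-object URLs collapse to one route."""
    return "/".join("{id}" if re.fullmatch(r"\d+", seg) else seg for seg in path.split("/"))

def documented(spec, method, route):
    """True if the templated route and HTTP method exist in the known spec."""
    return method.lower() in spec["paths"].get(route, {})

def find_shadow_endpoints(spec, observed):
    """Group undocumented (method, route) pairs with hit and unauthenticated-success counts."""
    shadow = defaultdict(lambda: {"hits": 0, "unauthenticated_ok": 0})
    for method, path, has_auth, status in observed:
        route = templatize(path)
        if documented(spec, method, route):
            continue
        entry = shadow[(method, route)]
        entry["hits"] += 1
        if not has_auth and 200 <= status < 300:
            entry["unauthenticated_ok"] += 1
    return dict(shadow)

def skeleton_spec(shadow, title="reconstructed-shadow-apis"):
    """Emit an OpenAPI 3.1 skeleton for operator review; x- keys are vendor extensions (assumed names)."""
    paths = defaultdict(dict)
    for (method, route), stats in sorted(shadow.items()):
        paths[route][method.lower()] = {
            "summary": "TODO: to be verified and completed by an operator",
            "responses": {"default": {"description": "observed response"}},
            "x-observed-hits": stats["hits"],
            "x-observed-unauthenticated-ok": stats["unauthenticated_ok"],
        }
    return {"openapi": "3.1.0", "info": {"title": title, "version": "0.1"}, "paths": dict(paths)}
```

Routes whose `x-observed-unauthenticated-ok` count is non-zero are the ones to triage first, since they match the unauthenticated-access and deprecated-version topics above.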
