One Article Review

Home - The article:
Source: AlienVault Lab Blog
Identifier 8322881
Publication date 2023-03-29 10:00:00 (viewed: 2023-03-29 10:06:34)
Title API security: the new security battleground
Text The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

"While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position."

This quote by Dr. Chase Cunningham from his book, "Cyber Warfare – Truth, Tactics, and Strategies," seems a fitting way to begin the topic of cybersecurity battlegrounds. Regardless of the techniques used, going big, expensive, and glossy, while potentially useful, doesn't replace the need for a well-reasoned approach to securing assets founded on traditional activities and principles. Innumerable assets are housed behind APIs, and the widespread use of APIs makes them high-profile targets. Securing them is of the utmost importance.

Two historical books came to mind for this topic:
Art of War, by Sun Tzu
Book of Five Rings, by Miyamoto Musashi

I chose these two because of their applicability to the topic (oddly enough, because they are less specific to modern security; something about their antiquity allows for a broader application). After revisiting the books, I decided to take Musashi's five principles (scrolls: Earth, Water, Fire, Wind, and Void) and match them as best as possible with five of the numerous teachings from Sun Tzu. I then applied them to securing APIs in the growing cybersecurity arena, where there are an increasing number of threat actors.

Earth
Musashi's focus in the Earth Scroll is seeing the bigger picture. Practitioners need to know the landscape, the 30,000 ft view. Sun Tzu said, "The supreme art of war is to subdue the enemy without fighting."

How to Apply
One needs to understand the nature of API attacks and attackers in order to secure APIs. One example of a common exploit category is Security Misconfiguration.
Some fundamental API security activities that can prevent attacks before they even get started include following an SDLC, implementing access control, deploying some form of edge protection, using continuous monitoring and alerting, and using appropriate architecture and design patterns. API attackers are ruthless and relentless. Most criminals want an easy win, and good defense will fend off a high percentage of attacks. Encryption is a must, both in transit and at rest: the enemy is thwarted by not being able to use what was stolen.

Water
It's important to be experienced and flexible, or fluid, on an individual level, and that includes one's role in the company. Sun Tzu said, "Be flexible."

How to Apply
Gathering cyber threat intelligence (CTI) makes it possible to adapt to changing threats in real time. Intelligence gathering, even using Contextual Machine Learning (CML), means that one doesn't depend on past information, hearsay, rumors, or peer information. Rely on as much clear, relevant, and current information as possible about threats and risks for one's own company. In addition to CTI, focus on a well-designed and tested incident response plan. Intelligence and responding to incidents go a long way toward making company security agile and adaptable.

Fire
The Fire aspect is about the actual use of the weapons (tools) on the battlefield. Sun Tzu said, "Th
Sent Yes
Tags Vulnerability Threat Guideline
Rating ★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.