[BreachExchange] The Reason For Your API Security Breach: You Did Nothing
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Sep 1 15:23:43 EDT 2017
https://dzone.com/articles/the-reason-for-your-api-
security-breach-you-did-no
You just got three separate calls and countless emails alerting to the fact
that you just had a major security breach. You don’t know the extent of the
damage yet, but it looks like they got into your primary customer database
via the APIs you depend on for all your mobile applications. You are
sitting in your office chair, sweating, and trying to figure out how this
happened. I will tell you, it is because you have done nothing. You have
deprioritized security at every turn, resulting in an open door for any
hacker to walk through.
Not only have you done nothing, you actually worked against anyone who
brought up the topic of API security. You would respond: We don’t have the
time. We don’t have the budget. We don’t have the skills. You never
listened to anyone of your staff, even that security lady (what was her
name?) you had hired last year, and then resigned, with a letter containing
over 25 security holes she had been trying to take care of, but because of
the toxic environment you’ve created, she was unable to do anything and
moved on. You have created an environment where anyone who brings up
security concerns feels persecuted, and even that their job is in jeopardy,
making “doing nothing” the standard mode across all operations.
You have eight separate mobile applications which all use APIs, and all of
them using the customer database in question, which also stores credit
cards, which is in violation of your PCI compliance–you know, those forms
you sign off on each year? You felt these mobile APIs were secure because
they were hidden behind your mobile applications, and your developers had
given you an application security scan report last year. In this situation,
you would love to blame these developers, but all roads lead to you when it
comes to responsibility for this situation. You begin to feel sick to your
stomach thinking about the 345,633 credit cards and other PII that was
leaked. You know the numbers because you have real time reports on how many
customers you have. You just don’t have any real time reports for anything
to do with security.
API security was everyone's first concern when you first pitched these
projects starting back in 2010, and you have managed to run for seven years
without any major incidents. Each year you have just been more emboldened
in your do nothing strategy, but everything has caught up with you now.
What do you do? You don’t have a breach action plan. You don’t have the
sort of protocol needed for this type of situation, despite saying that you
did several times in meetings. You better get to work dealing with the
technical fallout from all of this, because it will last weeks, if not
months. Then you get to also start dealing with the business, legal, and
political fallout from this breach. Hey, there is a bright spot. The
chances are pretty high you might not even have a job after all of this is
pretty high as well. Enjoy!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170901/020fb135/attachment.html>
More information about the BreachExchange
mailing list