COMMENTARY: Chinese state-sponsored hackers last December breached multiple Treasury Department workstations and accessed unclassified documents by exploiting vulnerabilities in a Remote Support application programming interface (API) from a third-party software provider.
The incident should serve as a critical reminder to both government and industry, highlighting the pressing need for robust API security, particularly in our most critical government agencies, industry partners and infrastructure.
Undocumented, shadow APIs that lack security controls, web apps, scattered security testing tools and an overwhelming number of vulnerabilities are creating a perfect storm of expanded attack surfaces affecting cybersecurity teams. Many APIs found in a standard government or company network environment are unknown, may bypass security mechanisms and expose sensitive data.
Furthermore, the primary means of access for hackers are web applications. In fact, 68% of security breaches include third-party risks like web applications—often related to human error.
Since APIs now dominate internet traffic, they have become a huge target for hackers, leading to numerous breaches. The overwhelming number of vulnerabilities discovered also poses a significant challenge, particularly when there’s no clear prioritization strategy. Without contextual understanding of how a vulnerability in one component impacts another, low-risk issues consume resources while high-risk threats remain unchecked, potentially causing severe operational and business disruptions.
CISA's call to action
Alongside API security, we must also address cloud security, particularly as government agencies and businesses migrate data to the cloud. The Cybersecurity and Infrastructure Security Agency’s (CISA) recent Binding Operational Directive (BOD), BOD 25-01, makes abundantly clear how urgently cloud environments must be secured and kept in strong security configurations.
The directive says government agencies must comply with this emergency directive by mid-2025, which entails identifying all cloud tenants and applying assessment tools to verify that their cloud environments match CISA's Secure Cloud Business Applications (SCuBA) configuration standards.
Although BOD 25-01 does not specifically reference shadow APIs, protecting cloud data depends on addressing these latent risks. To reduce dangers connected with shadow APIs and improve general cloud security, government agencies and their partners should give top priority to thorough API discovery, ongoing monitoring, strong governance standards and developer education.
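The API discovery step above, as an added example that is not part of the column: it compares the routes a gateway actually served (a constructed access-log sample) against the routes a documented OpenAPI-style spec declares, and reports every undocumented method/route pair, which is the definition of a shadow API. The route list, log format and numeric-ID collapsing rule are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample: (method, path template) pairs taken from a documented spec (assumed).
DOCUMENTED_ROUTES = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/sessions"),
    ("GET", "/api/v1/reports"),
}

# Constructed sample gateway log: "<method> <path> <status>" per line (assumed format).
ACCESS_LOG = """\
GET /api/v1/users/42 200
GET /api/v1/users/42/export?format=csv 200
POST /api/v1/sessions 201
GET /api/v1/reports 200
GET /api/internal/debug/config 200
GET /api/v1/users/7/export 200
DELETE /api/v1/users/7 204
"""

def route_pattern(template: str) -> re.Pattern:
    """Compile '/api/v1/users/{id}' so that each {param} matches exactly one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append(r"[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")

def find_shadow_routes(log_text: str, documented) -> Counter:
    """Return a Counter of (method, normalized route) for requests no documented route explains."""
    compiled = [(method, route_pattern(tpl)) for method, tpl in documented]
    shadow = Counter()
    for line in log_text.splitlines():
        method, path, _status = line.split()
        path = path.split("?", 1)[0]  # the query string is irrelevant to route identity
        if any(method == m and pat.match(path) for m, pat in compiled):
            continue  # documented method + route: not a shadow API
        # Collapse purely numeric segments so /users/42/export and /users/7/export count as one route.
        normalized = re.sub(r"/\d+(?=/|$)", "/{n}", path)
        shadow[(method, normalized)] += 1
    return shadow

if __name__ == "__main__":
    for (method, route), hits in find_shadow_routes(ACCESS_LOG, DOCUMENTED_ROUTES).most_common():
        print(f"UNDOCUMENTED {method} {route}: {hits} request(s)")
```

Note that the DELETE on a documented GET-only route is flagged too: an undocumented method on a known path is still a shadow endpoint that may have escaped review.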
The use of fragmented and siloed security testing tools further complicates managing risks associated with shadow APIs and web apps. Government agencies and their private sector partners should prioritize integrated security capabilities that offer centralized management across their entire digital ecosystem. These should include API security, web application protection and vulnerability management in one unified framework. Capabilities like these streamline security data and workflows to deliver faster threat detection, more efficient incident response and a more holistic view of cybersecurity postures.
Move beyond checkbox compliance
Government agencies and companies find it increasingly difficult to manage all the vulnerabilities discovered across different types of security assessments. Lacking contextual awareness of these vulnerabilities, teams frequently receive an overwhelming number of alerts, which makes it hard to separate high-impact threats from low-impact ones.
Agencies must embrace automated risk-based prioritization to address this problem. This approach requires leveraging advanced analytics and machine learning algorithms to assess vulnerabilities in the context of an organization’s network, mission-critical assets and threat landscape. By focusing on high-impact risks, security teams can allocate human resources more effectively and significantly improve their overall security posture.
As teams rein in shadow APIs, these strategies promise to strengthen security through real-time monitoring and to address any anomalies that arise using automated techniques. Implementing AI-driven risk assessments within daily operations and continuous integration and continuous delivery/deployment (CI/CD) pipelines can expedite development cycles by identifying potential risks early and facilitating swift corrections.
AI also plays a crucial role in vulnerability prioritization by analyzing data sources to evaluate risk based on system criticality, threat intelligence and various human factors. This approach empowers security teams to address their most pressing issues more effectively while also transforming their overall approach to risk management.
As government agencies and their private sector partners move forward, they must embrace a holistic approach to risk quantification. Siloed application security efforts are insufficient in today's digital environment.
Modern applications are interconnected ecosystems in which weaknesses in one area might increase risks elsewhere. Attackers will exploit these links, turning minor issues into significant threats. For instance, an exposed API with weak authentication, combined with a vulnerable application and an outdated server, can create a high-risk attack vector. This interconnected risk requires a comprehensive assessment approach to risk management.
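The contextual prioritization the column argues for, as an added example that is not the author's or Qualys's method: each finding's scanner score is re-weighted by the asset's internet exposure and mission criticality, and findings that together form the weak-auth API + vulnerable app + outdated server chain on one asset get a further boost. The asset inventory, findings, categories and weights are constructed assumptions; the point is that a 9.5 on an isolated low-value host ranks below a 4.0 that completes a chain on an exposed critical asset.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    title: str
    base_severity: float  # scanner score on a 0-10 scale, e.g. a CVSS base score
    category: str         # "weak-auth-api", "app-vuln", "outdated-server" or "other"

# Constructed asset context (assumed inventory fields, not from the column).
ASSET_CONTEXT = {
    "api-gw-01": {"internet_exposed": True, "criticality": "high"},
    "build-07": {"internet_exposed": False, "criticality": "low"},
}

# Constructed sample findings; titles are illustrative, not real advisories.
FINDINGS = [
    Finding("build-07", "Local privilege escalation in OS kernel", 9.5, "other"),
    Finding("api-gw-01", "API accepts a static shared key as sole authentication", 5.5, "weak-auth-api"),
    Finding("api-gw-01", "Server-side request forgery in report export", 6.5, "app-vuln"),
    Finding("api-gw-01", "End-of-life web server version", 4.0, "outdated-server"),
]

CHAIN = {"weak-auth-api", "app-vuln", "outdated-server"}
CRITICALITY_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 1.0}  # assumed weights
CHAIN_BONUS = 1.5

def contextual_score(f: Finding, ctx: dict, categories_on_asset: set) -> float:
    """Relative priority value (not capped to 10): severity scaled by exposure, criticality and chaining."""
    score = f.base_severity
    score *= 1.0 if ctx["internet_exposed"] else 0.5
    score *= CRITICALITY_WEIGHT[ctx["criticality"]]
    # Boost each link once the complete chain is present on the same asset (assumption: same-asset chaining).
    if f.category in CHAIN and CHAIN <= categories_on_asset:
        score *= CHAIN_BONUS
    return score

def prioritize(findings, context):
    """Return (score, finding) pairs, highest priority first."""
    categories = {}
    for f in findings:
        categories.setdefault(f.asset, set()).add(f.category)
    ranked = [(contextual_score(f, context[f.asset], categories[f.asset]), f) for f in findings]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked

if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, ASSET_CONTEXT):
        print(f"{score:6.2f}  {f.asset:10}  base={f.base_severity}  {f.title}")
```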
Security teams must integrate automated risk prioritization, remediation and holistic risk quantification into their security frameworks. With a proactive stance and continuous vigilance, these strategies will boost cyber resilience, ensuring a secure API and web application ecosystem.
Jonathan Trull, chief information security officer, Qualys
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.