News broke last week that the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) alongside other international cybersecurity agencies issued an advisory warning about vulnerabilities in web applications and APIs.
By exploiting insecure direct object reference (IDOR) vulnerabilities, an access-control flaw in which a web application or API trusts a client-supplied object identifier without checking that the caller is authorized to act on that object, bad actors can “modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users.”
In the past, these vulnerabilities have compromised the personal, financial, and health information of millions of users. To protect against IDOR vulnerabilities, the agencies recommend implementing secure-by-design and secure-by-default principles, so that object-level authorization checks are built into the application rather than left to each developer to remember on every endpoint.
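To make the advisory's description concrete, here is an added example (not code from the advisory, the agencies, or Traceable): a framework-free Python sketch of the IDOR pattern, an ownership check that closes it, and a per-session indirect reference map that keeps internal ids out of the client's hands. The store, the user names, the record ids and the session model are all constructed for illustration; handlers return an (HTTP status, body) pair in place of a real response.

```python
# Added example, not code from the advisory or from Traceable. The store,
# users, record ids and session model are constructed for illustration.
import secrets


def sample_store():
    """Constructed data: record id -> (owner, body)."""
    return {
        1001: ("alice", "alice's medical history"),
        1002: ("bob", "bob's bank statement"),
        1003: ("alice", "alice's tax return"),
    }


def get_vulnerable(store, session_user, record_id):
    """IDOR: the caller is authenticated (session_user is set) but the lookup
    never checks ownership, so any logged-in user can read any record simply
    by sending another user's id.  Returns (http_status, body)."""
    rec = store.get(record_id)
    if rec is None:
        return 404, None
    return 200, rec[1]


def get_fixed(store, session_user, record_id):
    """Object-level authorization: the lookup is scoped to the caller's own
    records.  A foreign id gets 404 rather than 403 so the endpoint does not
    confirm that the id exists."""
    rec = store.get(record_id)
    if rec is None or rec[0] != session_user:
        return 404, None
    return 200, rec[1]


def delete_fixed(store, session_user, record_id):
    """The same check on the mutating path; IDOR on delete/update is the
    'modify or delete data' case the advisory describes."""
    rec = store.get(record_id)
    if rec is None or rec[0] != session_user:
        return 404, None
    del store[record_id]
    return 204, None


def enumerate_records(store, session_user, handler, id_range):
    """Simulate the attack: walk a predictable id space as one user and keep
    whatever the handler hands back.  Returns {record_id: body}."""
    leaked = {}
    for rid in id_range:
        status, body = handler(store, session_user, rid)
        if status == 200:
            leaked[rid] = body
    return leaked


class ReferenceMap:
    """Indirect object references: the client only ever sees random,
    per-session handles; the server resolves a handle back to an internal id
    it issued to that same session, so ids are neither guessable nor
    meaningful when replayed from another session.  This complements the
    ownership check above; it does not replace it."""

    def __init__(self):
        self._handle_to_id = {}

    def expose(self, record_id):
        handle = secrets.token_urlsafe(16)
        self._handle_to_id[handle] = record_id
        return handle

    def resolve(self, handle):
        return self._handle_to_id.get(handle)


def get_by_handle(store, session_user, refmap, handle):
    """Resolve the session's handle, then still enforce ownership."""
    record_id = refmap.resolve(handle)
    if record_id is None:
        return 404, None
    return get_fixed(store, session_user, record_id)


if __name__ == "__main__":
    store = sample_store()
    ids = range(1000, 1010)
    print("vulnerable:", enumerate_records(store, "bob", get_vulnerable, ids))
    print("fixed:     ", enumerate_records(store, "bob", get_fixed, ids))
```

Run as a script, the enumeration as "bob" shows the difference in blast radius: the vulnerable handler gives up every record in the id range, the fixed one only bob's own. The 404-on-foreign-id choice and the reference map are the two details worth carrying over to a real codebase; sequential integer ids plus an authenticated-but-unauthorized lookup is exactly the shape the advisory warns about.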
Traceable’s CSO, Richard Bird, discusses how awareness alone does not constitute effective cybersecurity.
Richard Bird, CSO, Traceable AI
“Finally! The acknowledgment by CISA and other agencies that APIs even actually exist is a huge step forward. But this recent cybersecurity advisory is delivered with the same Achilles' heel that we continue to see universally in security recommendations. Suggesting that the way to mitigate these risks is for developers to become more ‘security aware’ is both a historically failed strategy and an expectation that is not supported by nearly 30 years of data. We don’t tell people that in order for crime rates to go down they just need to be more aware of policing techniques and criminal science. But we keep trying to put the obligations for security on the wrong people in technology every single day.
“CISA and other agencies have finally admitted that technology has actually evolved beyond data centers and monolithic applications with their recent cybersecurity advisory about web application access control abuse. While it can be argued that their messaging about IDOR is 10 years late, at least we can now agree collectively in the security community that we have a serious problem when it comes to API security. Old habits die hard, though, and the idea or expectation that we can make the digital world safer if only developers become more security-aware is both laughable and simply not supported by historical evidence. The complicated spider webs of API connections across business applications and data mean that all developers would need to be both security-aware and highly coordinated with each other. That’s not how the digital world actually works anymore.”