Issue 68: API security in Gartner Hype Cycle, McAfee threat predictions for 2020


This week, we take a look at where API security is at on Gartner Hype Cycle, what the threatscape for 2020 looks like to be according to McAfee, and a SANS Institute whitepaper on DevSecOps.

Analysts: API security in Gartner Hype Cycle

Gartner published their Hype Cycle for Application Security, 2019 a few months ago. The Hype Cycle  provides a graph on where we are in application security in terms of the maturity of technologies and their adoption; what is up and coming and what is already established.

Gartner Hype Cycle for Application Security 2019

The graphic shows that API security is very much a hot topic of the moment:

  • API Security Testing and Discovery is just starting to rise along the hype cycle. Companies are starting to use these tools to discover APIs that their development teams produce and  to test the security of these APIs during API design, implementation, and testing. This helps eliminate risks before they even get to production.
  • API Threat Protection is approaching the peak of the expectations. These are tools with firewall capabilities for live API traffic. Unlike the generic web application firewall (WAF) category, these firewall products have been specifically designed to work with API traffic and protect your systems at runtime from API-specific attacks.

For the definitions, position and adoption speed justification, user advice, business impact, vendor lists, and so forth, check out the full Gartner report.

Opinions: Threat predictions for 2020

January is the time of predictions for the year ahead. CISOMAG has published “5 Threat Predictions for 2020” by Raj Samani, Chief Scientist and McAfee Fellow at McAfee. He predicts the following trends in cyber security:

  1. Broader deepfake capabilities will be available even for attackers with less skills.
  2. Attackers will start generating deepfakes to bypass facial recognition.
  3. Ransomware attacks will be executed as two-stage extortion campaigns.
  4. DevSecOps will become more prominent as increased containerized workloads cause security controls to shift left.
  5. APIs will be the weakest link in application security bringing about cloud-native threats.

From the API security perspective, the last prediction is the most prominent one. However, DevSecOps is very topical as well, because containerized cloud architecture inevitably means even more APIs and API changes that can easily slip through controls to indeed become the weakest link in the chain…

API security: OWASP API Security Top 10 explained

Over at DevOps.com, Erez Yalon from the OWASP API Security Top 10 project provides the details and sample exploit scenarios for each of the OWASP API Security Top 10 vulnerabilities.

Check out the two-part blog post:

Whitepaper: DevSecOps

Rebecca Deck from SANS institute has published a whitepaper titled “Adapting AppSec to a DevOps World”.

The whitepaper focuses on DevSecOps, the abuse cases and threat models affecting DevOps, and the challenges in trying to fit legacy tools into CI/CD pipeline.

To download the whitepaper, click here.


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy