Last year, API security was an overwhelming theme across the security events that I attended, RSA and BlackHat.
As @PSilva, @AubreyKingF5 and I head to RSA Conference 2023, I'm interested to see if the theme will change.
But ahead of that, I'm wondering how you all in the Community have been dealing with APIs? Have you actually had API security projects? Or, is it being pushed out for the time being? Or, is it even being looked at?
We have seen an uptick in customers asking about API protections, primarily in the energy and rental areas of business. In many instances, there are resources in the field collecting data which has to be transmitted over LTE or WiFi to the corporate offices for billing determination. Clearly, there is a financial component here that can be impacted due to any man-in-the-middle or even abuse of an exposed API. The source IP changes, and many times these field devices don't support strong authentication or authorization. However, when it comes to IoT devices.... everything that runs in the house and has an IP address is laughable, and updates are non-existent. Walled-garden those devices on a dedicated ESSID / VLAN with isolation enabled, and firewall the living hell out of it on outbound access, lol. That is the only way there. So yeah, there is both a business and personal use case 😉
Yes - frightening to know that my TV can be compromised!
A while back, we hosted a user group meeting in Manchester, NH for the local maker space. In the presentation, we used some cheap electronics from eBay and showed how easy it was to grab electrical use values on a simple drive-by. Absolutely no security. Do this at night, and you can see statistically who is either mining bitcoin or growing herb under grow lights. All of those APIs and communications are not protected. Same thing with home IoT like temp sensors, Airthings radon, etc., which use a type of Bluetooth communication that can be read on the fly as it is transmitting to a user's gateway or hub. Those are things that are a bit more scary than remote TV control. (That is also possible btw... I figured out how to remotely control the smart TVs at my parents' house over multicast which runs over an IPsec VPN.) How about car APIs? Those bus communications are also not secured and you can bust out a headlamp, inject messages into the CPU and open locks/start the car. Truly surprised enterprises are not investing into these technologies to better secure them. This is where F5 can help! 🙂