Home Podcasts Videos Guest Posts Q&A My Take Bio Contact

GUEST ESSAY: Five stages to attain API security — and mitigate attack surface exposures

By Rakshith Rao

APIs (Application Programming Interfaces) play a critical role in digital transformation by enabling communication and data exchange between different systems and applications.

Related: It’s all about attack surface management

APIs help digital transformation by enabling faster and more efficient business processes, improving customer experience, and providing new ways to interact with your business.

Whether an API is exposed for customers, partners, or internal use, it is responsible for transferring data that often holds personally identifiable information (PII) or reveals application logic and valuable company data.

Therefore, the security of APIs is crucial to ensure the confidentiality, integrity, and availability of sensitive information and to protect against potential threats such as data breaches, unauthorized access, and malicious attacks.

API security is essential for maintaining the trust of customers, partners, and stakeholders and ensuring the smooth functioning of digital systems. If API security is not properly implemented, it can result in significant financial losses, reputational damage, and legal consequences.

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

By Thomas Segura

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures.

Related: The coming of agile cryptography

These secrets work similarly to passwords, allowing systems to interact with one another. However, unlike passwords intended for a single user, secrets must be distributed.

For most security leaders today, this is a real challenge. While there are secret management and distribution solutions for the development cycle, these are no silver bullets.

Managing this sensitive information while avoiding pitfalls has become extremely difficult due to the growing number of services in recent years. According to BetterCloud, the average number of software as a service (SaaS) applications used by organizations worldwide has increased 14x between 2015 and 2021. The way applications are built also evolved considerably and makes much more use of external functional blocks, for which secrets are the glue.

GUEST ESSAY: Testing principles to mitigate real-world risks to ‘SASE’ and ‘Zero Trust’ systems

By Sashi Jeyaretnam

A new generation of security frameworks are gaining traction that are much better aligned to today’s cloud-centric, work-from-anywhere world.

Related: The importance of ‘attack surface management’

I’m referring specifically to Secure Access Service Edge (SASE) and Zero Trust (ZT).

SASE replaces perimeter-based defenses with more flexible, cloud-hosted security that can extend multiple layers of protection anywhere. ZT shifts networks to a “never-trust, always-verify” posture, locking down resources by default and requiring granular context to grant access.

With most business applications and data moving to cloud and users connecting from practically anywhere, SASE and Zero Trust offer more versatile and effective security. Assuming, of course, that they work the way they’re supposed to.

Effective testing

Modern SASE/ZT solutions can offer powerful protection for today’s distributed, cloud-centric business networks, but they also introduce new uncertainties for IT. Assuring performance, interoperability, resilience, and efficacy of a SASE implementation can be tricky.

What’s more, striking the right balance between protecting against advanced threats and ensuring high Quality of Experience (QoE) is not easy when new DevOps/SecOps tools are pushing out a 10X increase in software releases.

GUEST ESSAY: The case for complying with ISO 27001 — the gold standard of security frameworks

By Matthew Sciberras

Of the numerous security frameworks available to help companies protect against cyber-threats, many consider ISO 27001 to be the gold standard.

Related: The demand for ‘digital trust’

Organizations rely on ISO 27001 to guide risk management and customer data protection efforts against growing cyber threats that are inflicting record damage, with the average cyber incident now costing $266,000 and as much as $52 million for the top 5% of incidents.

Maintained by the International Organization for Standardization (ISO), a global non-governmental group devoted to developing common technical standards, ISO 27001 is periodically updated to meet the latest critical threats. The most recent updates came in October 2022, when ISO 27001 was amended with enhanced focus on the software development lifecycle (SDLC).

These updates address the growing risk to application security (AppSec), and so they’re critically important for organizations to understand and implement in their IT systems ASAP.

AUTHOR Q&A: China’s spy balloons reflect a cyber warfare strategy America must counter

By Byron V. Acohido

The attack surface of company networks is as expansive and porous as ever.

Related: Preparing for ‘quantum’ hacks

That being so, a new book, Fixing American Cybersecurity, could be a long overdue stake in the ground.

This is a well-reasoned treatise collaboratively assembled by board members of the Internet Security Alliance (ISA.) Laid out in two parts, Fixing American Cybersecurity dissects the drivers that got us here and spells out explicitly what’s at stake. It also advocates a smarter, more concerted public-private partnership as the core solution.

Part one of the book catalogues how cyber criminals and US adversaries have taken full advantage of systemic flaws in how we’ve come to defend business and government networks. Part two is comprised of essays by  CISOs from leading enterprises outlining what needs to get done.

I had the chance to query Larry Clinton, ISA’s president and CEO, about the main themes laid out in Fixing American Cybersecurity. ISA is a multi-sector trade group focused on policy advocacy and developing best practices for cybersecurity.

We discussed this book’s core theme: a fresh set of inspired public-private strategies absolutely must arise and gain full traction, going forward, or America’s strategic standing will never get healed.

GUEST ESSAY: Too many SMBs continue to pay ransomware crooks — exacerbating the problem

By Zac Amos

Well-placed malware can cause crippling losses – especially for small and mid-sized businesses.

Related: Threat detection for SMBs improves

Not only do cyberattacks cost SMBs money, but the damage to a brand’s reputation can also hurt growth and trigger the loss of current customers.

One report showed ransomware attacks increased by 80 percent in 2022, with manufacturing being one of the most targeted industries. Attack that drew public scrutiny included:

•Ultimate Kronos Group got sued after a ransomware attack disrupted its Kronos Private Cloud payment systems, relied upon by huge corporations such as Tesla, MGM Resorts and hospitals That ransomware attack shut down payroll and human resources systems.

•The Ward Hadaway law firm lost sensitive client data to ransomware purveyors who demanded $6 million, or else they’d publish the data from the firm’s high profile clients online.

SHARED INTEL: The expected impacts of Pres. Biden’s imminent National Cybersecurity Strategy

By Shannon Flynn

The United States will soon get some long-awaited cybersecurity updates.

Related: Spies use Tik Tok, balloons

That’s because the Biden administration will issue the National Cyber Strategy within days. Despite lacking an official published document, some industry professionals have already seen a draft copy of the strategic plan and weighed in with their thoughts. Here’s a look at some broad themes to expect and how they will impact businesses:

•New vendor responsibilities.  Increased federal regulation puts more responsibility on hardware and software vendors compared to the customers who ultimately use their products.

Until now, people have primarily relied on market forces rather than regulatory authority. However, that approach often leads to bug-filled software because makers prioritize new product releases over ensuring they’re sufficiently secure.

These changes mean business representatives may see more marketing materials angled toward what hardware and software producers do to align with the new regulations.