Couchbase announced a broad range of enhancements to its Database-as-a-Service Couchbase Capella™.
As organizations increasingly rely on APIs to streamline their operations and drive innovation, the need to securely authenticate across these critical communication channels is more important and complex than ever. The Corsha State of API Secrets Report 2023 highlights the need for better tools, technologies, and tradecraft around API secrets to help DevSecOps professionals who feel overwhelmed by the amount of time they must dedicate to API security and worried that their organizations remain vulnerable to breaches.
The Prime Culprit: Leaked API Secrets
API secrets leaks have been the driving force behind several recent high-profile security breaches, including Twitter, Dropbox, and Uber incidents. These breaches emphasize the importance of securing API secrets and the potential consequences organizations face if they do not.
One red flag uncovered by the report is the high prevalence of data breaches due to compromised API tokens. Over half (53%) of respondents have experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens. This statistic underscores the need for improved API secrets management practices.
The report also found that although 72% of respondents use a secrets manager to handle their API secrets, more than half (56%) worry about potential data breaches. This suggests that simply using a secrets manager feels inadequate to ensure robust security.
The survey also reveals how much manual time professionals spend daily on secrets management. 86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets. This considerable time investment emphasizes the complexity and burden of API secrets management and underscores the need for more efficient and ideally automated practices around operations like secrets provisioning and rotation. After all, the tradeoff between security versus time and convenience is often solved by automation.
Clearly, API secrets leaks are a significant concern for DevSecOps teams and security personnel, despite the adoption of secrets managers. The report highlights that the current defenses in place for API secrets management fall short in multiple areas:
■ Inadequate secrets management policies: Many organizations lack comprehensive policies for handling API secrets, contributing to the persistence of security vulnerabilities.
■ Securing multi-cloud environments: With 44% of respondents hosting their API services across multiple clouds, managing secrets becomes even more complex as organizations must contend with varying security policies and mechanisms for each cloud provider.
■ Managing too many credentials: 78% of respondents reported managing at least 250 API tokens, keys, or certificates across their networks. With such a high volume of credentials to manage, scaling security strategies for API-based communication becomes increasingly difficult.
■ Thwarting insider threat: Granting all-or-nothing access to systems and service accounts is a common practice among more than 42% of respondents, which exacerbates the risks associated with insider threat. This approach fails to implement the principle of least privilege, which is crucial for minimizing the potential damage caused by compromised credentials or malicious insiders.
■ Poor visibility: More than 50% of respondents have little to no visibility into the machines, devices, or services (API clients) that utilize the API tokens, keys, and certificates that their organization provisions. This lack of visibility hampers organizations' abilities to detect and respond to potential security incidents.
Implementing Effective Secrets Management
The inadequacy of current defenses highlights the urgent need for organizations to adopt more robust and comprehensive approaches to API secrets management by embracing these five core tenets of effective secrets management:
Integrate a good secrets manager: Selecting and integrating a reputable secrets manager is a good first step to help organizations gain overall visibility into their secrets, allowing for better management and control over sensitive data.
Utilize mTLS (Mutual Transport Layer Security): When and where possible, use mTLS to establish secure, encrypted communication channels between clients and servers, further enhancing the security of API transactions. Remember to factor good hygiene and secrets management of these certificates into new workflows though!
Set short expiry periods for secrets: Always set short expiry periods for secrets when possible. This limits the time window during which a potentially stolen secret can be exploited if compromised.
Sign and verify all tokens: Ensure secrets are always signed and verified to confirm their authenticity and integrity, reducing the risk of unauthorized access or data tampering. This is a great area to use
Avoid plaintext storage or transmission of secrets: Never store or pass secrets in plaintext, as this leaves them susceptible to interception or unauthorized access. Instead, always encrypt secrets during storage and transmission.
We also recommend adding a clear additional factor to API authentication, such as Multi-Factor Authentication (MFA). As API usage grows, static secrets are harder to manage and more vulnerable to compromise. We all now recognize the challenges associated with static passwords for human users and have adopted MFA to mitigate the risks for nearly all accounts, especially sensitive ones. The challenge with this bearer model of authentication using simple API keys, tokens, and credentials is no different.
As the digital landscape continues to evolve, it is crucial to recognize that risk is predominantly shifting from human to machine and, even more so, to machine-to-machine interactions. This transformation calls for reevaluating existing security measures and implementing more effective API authentication and secrets hygiene.
Adhering to some of these best practices will enable organizations to significantly improve their API security posture, alleviate the concerns of DevSecOps teams, and better safeguard critical digital assets against ever-evolving threats.
Remote.It release of Docker Network Jumpbox to enable zero trust container access for Remote.It users.
Platformatic launched a suite of new enterprise-grade products that can be self-hosted on-prem, in a private cloud, or on Platformatic’s managed cloud service:
Parasoft announced the release of C/C++test 2023.1 with complete support of MISRA C 2023 and MISRA C 2012 with Amendment 4.
Rezilion announced the release of its new Smart Fix feature in the Rezilion platform, which offers critical guidance so users can understand the most strategic, not just the most recent, upgrade to fix vulnerable components.
Zesty has partnered with skyPurple Cloud, the public cloud operations specialists for enterprises.
With Zesty, skyPurple Cloud's customers have already reduced their average monthly EC2 Linux On-Demand costs by 44% on AWS.
Red Hat announced Red Hat Trusted Software Supply Chain, a solution that enhances resilience to software supply chain vulnerabilities.
Mirantis announced Lens Control Center, to enable large businesses to centrally manage Lens Pro deployments by standardizing configurations, consolidating billing, and enabling control over outbound network connections for greater security.
Red Hat announced new capabilities for Red Hat OpenShift AI.
Pipedrive announced the launch of Developer Hub, a centralized online app development platform for technology partners and developers.
Delinea announced the latest version of Cloud Suite, part of its Server PAM solution, which provides privileged access to and authorization for servers.
Red Hat announced Red Hat Service Interconnect, simplifying application connectivity and security across platforms, clusters and clouds.
Teleport announced Teleport 13, the latest version of its Teleport Access Platform to enhance security and reduce operational overhead for DevOps teams responsible for securing cloud infrastructure.
Kasten by Veeam announced the release of its new Kasten K10 V6.0 Kubernetes data protection platform.
Red Hat announced Red Hat Developer Hub, an enterprise-grade, unified and open portal designed to streamline the development process through a supported and opinionated framework.