What are APIs and Why Do They Matter?
“API” stands for Application Programming Interface: a set of related functions or named entry points into software that programmers use so that applications can issue specific calls to communicate with an operating system [1].
APIs are seamless, always-on services that link different services together using a set of definitions and protocols. As one might expect, the use of APIs has increased significantly. According to Salt Security, the number of API calls increased by 82% year-over-year in 2022, connecting people to more services than ever before [2]. Salt Security customer data shows the average number of APIs per customer grew 82% over the previous year, up from 89% in July 2021 to more than 162% in July 2022.
Over the same period, API traffic per customer grew 168% overall, indicating that API usage is also growing exponentially. That being said, malicious traffic over APIs skyrocketed 121% year-over-year during that same period, bringing malevolent traffic to 2.1% of all API traffic for Salt Security customers; attack activity is keeping pace with the dramatic expansion in API usage. With malicious API traffic outpacing the growth of all API traffic, organizations increasingly need to invest in cybersecurity tools that keep production APIs from interacting with malicious sources while maintaining the availability of core services.
[1] Robinson, Michael (2004). Dictionnaire de technologie numérique : anglais-français, français-anglais = Dictionary of Digital Technology : English-French, French-English. Paris: Ellipses, 809 p.
What is Open Source Security and Why Does it Matter?
Commonly referred to as Software Composition Analysis (SCA), Open Source Security is a methodology that gives users better visibility into the Open Source inventory of their applications [3]. This is achieved by examining components via binary fingerprints, drawing on professionally curated proprietary research, matching accurate scans against that proprietary intelligence, and surfacing and verifying that intelligence for software developers inside their favourite tools. More broadly, Open Source Security refers to the measure of assurance or guarantee of freedom from the danger and risk inherent to an Open Source Software system [4].
What is Open Source Software and Why Does It Matter?
Open Source Software (OSS) follows a decentralized development model that distributes source code publicly for open collaboration and peer production, known as the “open source way” [5]. Open Source Software is software that is freely usable, modifiable, and distributable. It relies on an online community of users who are loyal to and engaged with it to provide support and troubleshooting. Open Source Software is inherently community driven and requires the expertise and contributions of staff within the Open Source Initiative environment. A California public benefit nonprofit corporation founded in 1998 with 501(c)3 tax-exempt status, the Open Source Initiative (OSI) is the steward of the Open Source Definition, the collection of rules that define Open Source Software [6].
Produced by the Open Source Initiative (OSI), the Open Source Definition is a published document used to determine whether a software license can be labelled with the Open Source certification mark [7].
Although contributions from numerous different people can introduce vulnerabilities, Open Source Software can be very secure. Cyber-attackers may exploit such flaws to break into systems or steal confidential information, so the many users of Open Source Software should watch for updates and apply them promptly to address known vulnerabilities. It is also good practice to use security tools to check Open Source Software for weaknesses and to follow secure coding best practices when developing it.
What Can be Done to Secure Open Source Software?
Open Source Software developers can adhere to a variety of secure, recommended practices to support users and ensure that the code they create is protected and safe. Some of the most important practices include, among others:
Organizations should seek guidance from their penetration testing partners to recommend tools that fit their budgets and requirements. Application penetration testers in particular are skilled at identifying and exploiting vulnerabilities using common toolsets. Moreover, they can deliver valuable insights about Open Source SDKs (Software Development Kits) and code frameworks to rapidly identify vulnerabilities.
Resources Available in the Market
Fortunately, excellent resources are available for organizations to learn about secure software development practices. Frameworks such as the NIST Secure Software Development Framework, OWASP, or the MITRE ATT&CK framework are excellent starting points for educating software developers about adversary methodologies. With that knowledge, individuals developing applications can apply those considerations to their use of Open Source libraries and SDKs.
Food for Thought
As with anything in cybersecurity, it is ultimately up to organizations to define their risk tolerance and adopt the best practices that fit their vision. It is critical for leaders to conduct risk assessments and determine an approach that is right-sized for their organizations.
As it will become increasingly difficult to avoid API-enabled services or Open Source tools, it is critical to plan for rapid growth in this area. Wherever possible, organizations should seek guidance from experienced external parties so that subject matter expertise informs strategic cybersecurity processes.