Achieving Effective Supply Chain Security

Whether it’s gaps on supermarket shelves, shortages of electronic components, or long wait times for new cars, evidence of the strains on global supply chains is everywhere.

Different supply chain problems were highlighted by the SolarWinds attack at the end of 2020, as well as by the Log4j vulnerability that was discovered a year later. These third-party attacks raise further questions about the resilience of supply chains and what needs to be done to make them more secure.

The role of APIs

A key step that can be taken within digital supply chains is to increase the use of Application Programming Interfaces (APIs). APIs can streamline integration between systems and allow data to be quickly and easily accessed.

APIs can act on the data they receive, effectively creating a real-time chain of information that can be used to determine where the demand is occurring and monitor everything from inventory to shipping and purchase order status. This, in turn, creates a seamless flow of data between all parties in the supply chain.

However, while APIs can certainly add significant value, their effective management is often overlooked. This can result in APIs becoming weak spots within a supply chain which can expose components to cyberattacks.

It’s an issue that needs close examination. According to consulting firm Gartner[1], 45% of organisations worldwide will have experienced attacks on their software supply chains by 2025.

Improving API security

One of the first steps needed to improve API security is to ensure that APIs have access only to the data they require to function. Allowing additional access adds no value and potentially exposes that extra data to an attacker.

Effective API implementation projects should also take steps to ensure that non-production supply chain APIs are deployed in private locations and are not discoverable by a cyber attacker. This is because if they are accessed, they can provide a criminal with an effective blueprint with which they can plan an attack on an organisation’s production environment.

It’s also important to remember that APIs require the same level of governance, compliance, and security as any other component within a supply chain. Many organisations choose to place their supply chains in an ‘allow all’ security group, which subsequently goes unmonitored and unmanaged.

If API keys are shared with suppliers or partners, this needs to be done securely and with the concept of least privilege applied. This means that all suppliers are confined to resources relevant to them and don’t end up with full system access.
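As an added illustration (not code from the article or from Cequence), the following Python sketch contrasts an ‘allow all’ key with a supplier key confined to its own purchase orders and shipments; the resource names, supplier ids and key ids are assumptions.

```python
# Added example: a minimal least-privilege authorisation check for
# partner API keys. Each supplier key is scoped to the resource types it
# needs and to its own supplier id, so one partner's key cannot read
# another partner's purchase orders or shipments.
from dataclasses import dataclass, field
from typing import Optional, Tuple, List

# Hypothetical resource types a supply chain API might expose.
RESOURCES = frozenset({"inventory", "shipments", "purchase_orders"})


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    supplier_id: Optional[str]            # None = no supplier restriction
    scopes: frozenset = field(default_factory=frozenset)


# Constructed sample keys: an 'allow all' key, as found in an unmanaged
# security group, beside a scoped supplier key.
KEYS = {
    "k-allow-all": ApiKey("k-allow-all", None, RESOURCES),
    "k-acme": ApiKey("k-acme", "acme", frozenset({"purchase_orders", "shipments"})),
}


def authorise(key_id: str, resource: str, owner_supplier: str) -> Tuple[bool, str]:
    """Return (allowed, reason). A partner key may touch only records owned
    by that partner, and only for resource types in its granted scopes."""
    key = KEYS.get(key_id)
    if key is None:
        return False, "unknown key"
    if resource not in RESOURCES:
        return False, "unknown resource"
    if resource not in key.scopes:
        return False, f"scope {resource} not granted"
    if key.supplier_id is not None and key.supplier_id != owner_supplier:
        return False, "record belongs to another supplier"
    return True, "ok"


def audit_allow_all() -> List[str]:
    """Flag keys that carry every scope with no supplier restriction:
    the 'allow all' keys that should never be handed to a partner."""
    return [k.key_id for k in KEYS.values()
            if k.supplier_id is None and k.scopes == RESOURCES]
```

Running `audit_allow_all()` over the key store is the kind of check that turns an ‘allow all’ group from unmanaged into something reviewed.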

Risks from third-party APIs

Other risks occur when third-party APIs are brought into an organisation without the knowledge of the security team. It could be that the partner or person managing the third-party relationship believes the APIs are secure, when in fact they have subtle vulnerabilities that can be exploited by a cybercriminal.

Even very well coded and deployed third-party APIs can be targeted by threat actors if they believe the time required to study them is worth the data that can be obtained if they are successful.

The long tail of vulnerability

Security in supply chains is only as strong as the weakest link. A survey conducted by Cequence during 2022 of client systems found unpatched servers deep within digital supply chains that experienced alerts up to 15 hours after patches against the Log4j threat had been carried out.

On examination, it became clear that while these organisations had patched their systems, their partners had not. This meant that, even though their systems appeared secure, they were still at risk of an attack on the systems of their supply chain partners.

Unfortunately, due to the complexity of many supply chains, this is a vulnerability that will need to be addressed for a number of years. Indeed, in the last six months of 2022 alone, more than 4,000 instances of Log4j were detected in the wild. This means organisations must remain vigilant, regardless of how careful their own internal patching efforts might have been.

To counter such threats, organisations need to have an API security strategy in place that incorporates the elements of runtime discovery, threat detection, and defence. This will ensure that threats can be identified as quickly as possible and neutralised before they can cause disruption or losses.

APIs will continue to be a vital component within supply chains around the world. Maintaining effective security will ensure they can continue to operate efficiently and dependably at all times.

[1] https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022

Glen Maloney, ANZ Country Lead at Cequence Security
Glen Maloney is ANZ Country Lead at Cequence Security, the leading provider of Unified API Protection. Based in Sydney, he has more than 20 years of new business development and account management experience in the cybersecurity industry. Most recently, Glen was ANZ Regional Sales Manager at ExtraHop where he successfully drove the company’s regional business strategy for growth and oversaw the initial launch of its partner strategy with distributors, resellers, and systems integrators across the region. Prior, he worked at Sophos for more than 15 years across several roles, including as Senior Enterprise Executive and Business Development Manager and has also worked as an Enterprise Sales Executive at Check Point Software.