Below is our recent interview with Doug Dooley, COO at Data Theorem:
Q: It has been a few months since we last spoke. How did 2019 end for you, and anything new with Data Theorem?
A: 2019 was a record-setting year for us at Data Theorem. We experienced significant growth across our customer base, revenue, and product functionalities. We expanded our business significantly with customers in the financial services, banking, retail, and technology sectors.
On the product side, one of the many functions we released last year was our new offering to secure customers’ modern web applications called SPA (Single Page Apps) using GraphQL, a new API standard. In 2020, we will be expanding our efforts for modern web application security specifically when those apps are natively built on top of serverless and public cloud environments.
The industry also took notice of Data Theorem’s unique solutions and benefits delivered. In 2019 we were distinguished in nine separate Gartner reports for unique innovations in cloud-based API Security, AppSec, DevSecOps, and IT Automation. We also won a dozen industry awards across a variety of leading publications and industry organizations.
Q: Before I ask you about what you are seeing for the New Year, I understand the API Security for Dummies e-book has recently been published. Can you tell me about that?
A: Yes, I would be happy to. The API Security for Dummies e-book details how APIs have become the most vulnerable attack vector for large-scale data breaches and describes how organizations can empower their teams to automate and analyze the security behind their applications. Specifically, readers will take away the Top 10 methods that improve API Security for mobile, web and cloud applications. Those interested in accessing the e-book can do so at http://bit.ly/30maQVV. This is a must-read for anyone who wants to learn more about API Security.
Q: What are some of the new security issues being created by all of the rising adoption of serverless computing?
A: The majority of companies are already using serverless, and its use will grow significantly over the next two years. This application architecture is so new that most traditional security tools cannot detect or protect applications built on top of serverless due to lack of operating system or container access. As a result, we need to focus on application programming interfaces (APIs), where sensitive data is prominently transferred in these modern serverless application designs. As we move forward in 2020, we believe that APIs are the most vulnerable attack vector for large-scale data breaches. Security teams need to be able to automate and analyze security behind their apps to keep sensitive data safe.
Q: What do you see the state of API security and data breaches being in 2020?
A: From our experience, we can see that API data breaches will represent more than 50 percent of records lost in 2020, and that it will be the single largest vector of large-scale hacking. According to Verizon’s 2019 Data Breach Incident Report, external hacking remained the largest threat actor (69 percent) and threat action (53 percent) for data breaches reported last year. And the top threat vector that was successfully attacked was web applications at approximately 67 percent of the time. Lately, when breaches are reported, the specific web attack vector is a RESTful API. This year, these incidents of large-scale data breaches from APIs connected to both mobile and web applications will be the largest and most significant data breaches reported.
Q: What are Shadow APIs, and what is their unique threat in the New Year?
A: Today, cloud services enable businesses to ship new applications (mobile and web) faster and cheaper with more scalability. As a result, the number of new microservices and APIs grows exponentially with cloud-native apps. New APIs are popping up everywhere and are known as “Shadow APIs” since it’s not clear who owns them and who is responsible for their ongoing security and compliance. As a result, Shadow APIs will emerge as a new threat for cloud-first enterprises. These enterprises agree. According to the ESG Report on Security for DevOps, the top new investment that enterprises plan to make to secure cloud-native apps will be API Security (37 percent of all respondents marked this as the most important new control needed for cloud security).
Q: How will the adoption of serverless computing compare to usage of Kubernetes and containers in the New Year?
A: We see that serverless will continue to lead Kubernetes and container usage in 2020 and beyond. As much as Kubernetes is being praised by many DevOps thought leaders, the data tells us that most developers appreciate the convenience, speed and ease of building applications delivered by serverless computing. According to CB Insights, serverless is now the highest growth public cloud service ahead of containers, batch computing, machine learning, and IoT services. Serverless spending is expected to reach $7.7B by 2021, up from $1.9B in 2016, with an estimated CAGR of 33 percent. Today, very few existing security tools can address application security issues specific to serverless applications. This will be an important new security challenge in 2020 and beyond.
Q: What threats do you see emerging for machine learning in 2020?
A: Adversarial machine learning techniques can successfully “poison” ML-based models. Researchers and academic leaders in the computer science field have a renewed focus on artificial intelligence and machine learning algorithms. They are continuing to prove that “poisoning” machine learning systems is consistently possible once access to the model or reference model is achieved. Adversarial machine learning appears to be in its infancy, but we will start to see more instances in 2020 and beyond.
Q: And how do you see the California Consumer Privacy Act playing out in the New Year?
A: We predict that CCPA fines will exceed $200M in 2020. Commencing January 1, it’s well known that CCPA is already in effect. However, the way the regulation is outlined, lawsuits can be filed for privacy violations occurring in 2019, as well. It is our estimate that very few companies are prepared to meet the guidelines outlined in CCPA. And unlike the General Data Protection Regulation (GDPR), which went into effect in May 2018, there are no maximum limits capping how large the fines could be for CCPA violations. It would be no surprise if the first few CCPA rulings served by the courts create big headlines to put added pressure on companies to be proactive about protecting the data privacy of their customers.
Q: Thank you for your time. Is there anything you would like to add about API security in 2020 as we wrap up our interview?
A: In 2019, many companies successfully mobilized and monetized their data using APIs as an effective way to share information and build services. However, APIs can create compliance and security vulnerabilities the industry is ill-prepared to address. As more companies leverage and build API services and apps natively in the cloud, the industry will face new concerns and cybersecurity threats in 2020. While automation is a common practice that enables DevOps speed and scale, security teams need to take advantage of similar automation techniques to keep up with application teams using CI/CD and DevOps practices. As an industry, we need to do more to discover and secure APIs to protect ourselves against large-scale data breaches in 2020 and beyond.