Is Your Algorithmic Code Hiding a Dirty Secret?

Launching new digital services has never been easier. The rise of AI, low-code, and DevOps are speeding up coding, enabling app development to be carried out at a frenetic pace. Now, the hidden risks in these algorithms are being laid bare.

Earlier this year, the Open Web Application Security Project (OWASP) released major updates for several top 10 security lists. These lists included the top 10 machine learning security and the top 10 API security issues.

“The updated OWASP Top 10 reflects the changing landscape, including the increasing role of APIs, CI/CD pipelines, and low-code platforms. CSOs should familiarize themselves with these updates as a priority,” said Rachel Laycock, chief technology officer at technology consultancy Thoughtworks. 

New app security frontiers

Laycock noted that AI can not only automate coding but also automate attacks. This allows attackers to hit businesses faster, harder, and more frequently.

Using AI and low-code platforms also democratizes coding, allowing non-developers to create apps. According to Shanhnawaz Backer, senior solutions architect at F5, this could dramatically ramp up the pace for businesses to launch new apps but miss the thorough security best practices that human developers would apply, like reviewing the code integrations or input validation.

“AI usually generates pieces of code individually, but do these pieces integrate well? Is there a process to validate the input or SQL injection of the code?” said Backer. “Businesses that simply consume the code generated from AI will also lose the expertise they would have with human developers.”

In addition, the rising popularity of no-code platforms and SaaS among business users also means enterprises rely on these platform providers for the security measures of their digital services.

“No-code is the trend to go. There are probably thousands of businesses using the same platform to develop their digital services,” said Kok Tin Gan, partner at PwC and founder of Dark Lab. “It is forming a concentrated risk. Attack on these vendors will tremendously impact many businesses across the industry.”

While the scale of operations allows no-code providers to invest in security, Gan said such a scale of operations also offers immense opportunities and potential returns for attackers.

Keeping platform providers in check 

Despite these technology providers' significant impact and risk level, Gan said they are not liable for their customers’ financial loss. Suppose the digital services developed on these platforms create vulnerabilities that lead to an attack. In that case, the vendors are not obligated to compensate their customers.

“There are not enough regulations to ensure these technology providers manage the risk properly. I believe they should be subject to regulations similar to banks,” said Gan, who is also a speaker at the firm’s upcoming Hack A Day to share findings on the risk of the technology supply chain. Without these regulations, he said CSOs should act as a group to request technology providers to be bound by commercial contracts and compensate for related attacks.

Additionally, Laycock said businesses should ask their low-code provider more security-related questions: what are the security features embedded in the platform? What is the process for reporting and fixing security vulnerabilities?

Nevertheless, human factors can never be eliminated. Backer noted humans should always be involved, ensuring security processes are in place to validate the input and review the output.

“The AI-generated codes may have built-in vulnerabilities,” he added. If the models were embedded with vulnerabilities, the codes generated may not be secure. Human developers should always be involved in reviewing the output and enabling DevSecOps practices before launching these new digital services.

From coding to connecting—the risk of APIs

Backer noted that modern applications are modular, encouraging the use of AI-generated codes to develop smaller reusable codes. These codes are also being developed as application programming interfaces (APIs), creating a higher risk of API-related attacks.

APIs were primarily used as a standard means for two applications to talk to each other and exchange data. However, it has evolved into a powerful tool for connecting different businesses to deliver value for end customers. The COVID-19-induced rush of new apps and the rise of digital marketplaces also encouraged companies to embrace APIs to build more digital services faster.

Akamai Technology research indicated that API traffic represents 83% of all web traffic. The cloud network and security firm also quoted Gartner stating API abuses and related data breaches would nearly double by 2024. The firm’s recent research also found a 65% YoY increase in application and API attacks on financial services companies in Q2 2023, accounting for 9 billion attacks over 18 months.

“The significant increase in attacks and vulnerabilities through third-party APIs and scripts requires firms to take an increasingly active approach to hardening systems and third-party risk management more broadly,” said Teresa Walsh, global head of intelligence for the financial services information sharing and analysis center at Akamai Technologies.

Actionable visibility on APIs

Visibility is critical in managing the API supply chain risk, noted Backer. More security tools are available to monitor traffic and authenticate the access of APIs.

“Visibility alone can be a double-edged sword,” added Laycock. “More data doesn’t always mean actionable insights. CSOs should focus on setting up proper alert prioritization mechanisms.”

Backer agreed and added API governance was best done by combining machine learning and human intelligence. Through the human developer’s expertise in DevSecOps practices, organizations can build machine learning models to identify patterns and anomalies.

He also suggested businesses focus on monitoring five elements in API governance. They include drift detection, sensitive data detection, authentication state detection, dormant API detection, and high-risk API detection.

“The goal should be to sift through the noise and focus on alerts that matter, rather than getting inundated by a flood of notifications that may or may not be critical,” Laycock concluded.

Sheila Lam is the contributing editor of CDOTrends. Covering IT for 20 years as a journalist, she has witnessed the emergence, hype, and maturity of different technologies but is always excited about what's next. You can reach her at [email protected].

Image credit: iStockphoto/drante