In the wake of pervasive ransomware and the Kaseya cyberattack, new research finds security professionals are becoming increasingly concerned that poorly constructed authorization frameworks could be a significant vulnerability and the gateway to larger data breaches. An astounding 70% of respondents said they are concerned about a breach due to poor access controls, according to the new API Authorization & Policy Management Survey Report from build.security and Propeller Insights. Of those respondents, 84.2% described their concern as at least moderate, and nearly 40% said they are very or extremely worried about a potential breach related to their authorization.
The concern about a potential data breach due to a poorly constructed authorization framework is significant. Tackling authorization across multiple applications or services, while trying to centrally manage the policies that govern those services, quickly becomes difficult to manage. Underscoring the severity of this risk, broken access control is listed among OWASP's top ten web application security vulnerabilities.
Key survey findings include:
37.5% of engineering teams said they had experienced a breach of one kind or another due to poorly constructed or enforced access controls
Over 80% of respondents expressed some difficulty in managing their authorization
More than half (55.3%) of engineers who responded said that they have had to delay the rollout of a new application into production due to insufficient access controls
There is a growing number of identities that need access to corporate assets, and an increasing need to secure non-user identities such as applications. Individuals at various levels within enterprises need access to different cloud infrastructures, SaaS applications and connected devices. Of the pillars of identity management, authorization presents significantly more complexity than authentication.
“One of the biggest variables of complexity when it comes to authorization is the type of access controls used in the system. Access controls can oftentimes be addressed far too late in the software development lifecycle, impacting the deployment of applications,” said Amit Kanfer, co-founder and CEO of build.security. “The discoveries from this survey are incredibly valuable for understanding authorization needs and where teams are falling short.”
“Authorization presents significant challenges to engineering and security teams. Trying to build and manage access controls for microservice architectures only compounds that problem,” said Amol Kulkarni, Chief Product Officer of CrowdStrike and member of build.security's board of directors. “As evidenced by the survey findings, teams lack confidence in their authorization implementation, typically because they built something in-house which may need to be rebuilt as authorization scenarios evolve to become more sophisticated.”
Participants in the survey included 400 engineers, architects, DevOps, IT and security professionals. Respondents, of varying seniority within their departments, came from companies ranging from 100 to 5,000+ employees and gave insight into how engineering teams at companies of all sizes handle authorization.
The full report is available for download: API Authorization & Policy Management Survey Report.