API Security Weekly: Issue 171

This week, we have news of multiple API flaws and vulnerabilities: the parcel tracking portal at DPD that may have exposed customer data, an API vulnerability in Apache Pulsar that allowed access to data in different tenants, and an SQL injection vulnerability in the Casdoor API. On the more positive side, we take a look at the emerging trends in the API industry.

Vulnerability: DPD Parcel Tracking Flaw May Have Exposed Customer Data

The big news this week was the disclosure of a vulnerability in the parcel tracking portal of DPD Group, which may have exposed customer data.

API Security Weekly: Issue 165

This week, we have news of another high-severity vulnerability in a WordPress plugin, this time the popular All in One plugin, allowing compromise via the core REST API. We also have views from @apihandyman on why to treat all APIs as public ones, a comprehensive beginner's guide to API security, and finally an optimistic view from Forbes on how enterprises can achieve speed and security by adopting Zero Trust and APIs.

Vulnerability: High Severity Vulnerability in the All in One WordPress Plugin

Vulnerabilities in WordPress plugins have featured frequently in this newsletter (here and here), and again this week we feature a pair of high-severity vulnerabilities in the popular All in One plugin. The first vulnerability, CVE-2021-25036, allows access to high-privilege API endpoints via a privilege escalation attack, whilst the second vulnerability, CVE-2021-25037, allows SQL injection via API endpoints.

API Security Weekly: Issue 163

This week, we have an article on 7 reasons why API security strategies are failing, details on the recent keynote by Werner Vogels at AWS re:Invent on 6 rules for good API design, an article by Cisco on API discovery, and a review of some of the biggest API security attacks in 2021.

Article: 7 Reasons Your API Security Strategy Is Failing

This week, AmazicWorld featured a review of why API security strategies are failing to have the desired effect. The author’s view is that whilst developers are well-versed in how to create APIs, the security risks that APIs pose are an increasing threat to organizations. These risks are in large part a consequence of rapid API adoption: the sprawl of APIs is widening the threat landscape, and the fact that APIs are well-documented and can be easily reverse-engineered enables attackers to take advantage of them.

Creating a Digital Focus for Products With API First

“API First” is something that often is mentioned when it comes to API strategy and other aspects of how to move to a more API-centric way of thinking in organizations. Oftentimes, “API First” is mentioned in the context of digital transformation initiatives and as one of the principles that should be applied as part of this initiative.

But what is “API First”? In reality, many organizations are not developing things from scratch, and when the term is interpreted as “always designing the API before starting the implementation work,” the reality of existing capabilities and the idea of developing APIs first seem to conflict.

The Value of Internal APIs

Internal APIs are designed primarily to streamline software development and simplify systems and operational processes. These currently represent the vast majority of use cases.

Internal APIs are often overlooked since they are aimed at in-house developers. These types of APIs generally work with proprietary data specific to a company and its departments. Although this data must be protected, it must also be accessible to those who work with it. Internal APIs allow for exactly this kind of secure access, creating more efficient development cycles for their products.