API Security Weekly: Issue 173

This week, we have news of an eye-opening vulnerability in the Coinbase platform that netted its finder a $250,000 bug bounty. There's also an excellent guide on best practices for authentication and authorization in REST APIs, an article on the growth of bad bots and how to mitigate them, and a fun read from APIHandyman on how to hack the Elgato Key Light API.

Vulnerability: Coinbase API Bug Allowed Unlimited Cryptocurrency Trading

This week's biggest news story has been the disclosure of a serious vulnerability in an API of Coinbase, a cryptocurrency trading platform. The flaw potentially allowed an attacker to make unlimited cryptocurrency trades between different currency accounts; Coinbase paid the researcher who reported it a $250,000 bounty.
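The blurb above gives only the symptom (trades executed across accounts that hold different currencies), not the root cause. The following is an added example, not Coinbase's code or the published write-up. It assumes, as an illustration of this bug class, a sell-order handler that debits whichever account the client names in the request without verifying that the account belongs to the caller and holds the product's base currency; the hardened version derives those two facts from server-side state. Account ids, products, balances and prices are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal


class OrderError(Exception):
    """Raised when an order is rejected."""


@dataclass
class Account:
    account_id: str
    owner: str
    currency: str
    balance: Decimal


# Constructed sample data (not from any real exchange): product -> (base, quote).
PRODUCTS = {"BTC-USD": ("BTC", "USD"), "ETH-USD": ("ETH", "USD")}


def make_accounts():
    """Fresh copy of the sample ledger: alice holds ETH and USD but no BTC; bob holds BTC."""
    return {
        "acct-btc": Account("acct-btc", "alice", "BTC", Decimal("0")),
        "acct-eth": Account("acct-eth", "alice", "ETH", Decimal("10")),
        "acct-usd": Account("acct-usd", "alice", "USD", Decimal("0")),
        "acct-bob": Account("acct-bob", "bob", "BTC", Decimal("5")),
        "acct-bob-usd": Account("acct-bob-usd", "bob", "USD", Decimal("0")),
    }


# Constructed requests: (user, client-supplied source account, product, size, price).
ATTACK_ORDER = ("alice", "acct-eth", "BTC-USD", Decimal("10"), Decimal("40000"))  # sell ETH as BTC
CROSS_USER_ORDER = ("alice", "acct-bob", "BTC-USD", Decimal("1"), Decimal("40000"))  # sell bob's BTC
LEGIT_ORDER = ("bob", "acct-bob", "BTC-USD", Decimal("2"), Decimal("40000"))


def _quote_account(accounts, owner, currency):
    """The caller's own account in the product's quote currency (where proceeds land)."""
    for acct in accounts.values():
        if acct.owner == owner and acct.currency == currency:
            return acct
    raise OrderError(f"{owner} has no {currency} account")


def sell_unchecked(accounts, user, source_account_id, product_id, size, price):
    """Hypothetical vulnerable handler.

    It debits whatever account the client names and checks only that the balance
    covers the size. Nothing ties that account to the caller or to the product's
    base currency, so 10 ETH is sold at the BTC price, and bob's BTC can be sold
    into alice's USD account.
    """
    base, quote = PRODUCTS[product_id]
    src = accounts[source_account_id]  # trusted as supplied
    if src.balance < size:
        raise OrderError("insufficient funds")
    dst = _quote_account(accounts, user, quote)
    src.balance -= size
    dst.balance += size * price
    return dst.balance


def sell_checked(accounts, user, source_account_id, product_id, size, price):
    """Hardened handler: every property the trade relies on is checked server-side."""
    if product_id not in PRODUCTS:
        raise OrderError("unknown product")
    base, quote = PRODUCTS[product_id]
    src = accounts.get(source_account_id)
    # Object-level authorization: the account must exist and belong to the caller.
    if src is None or src.owner != user:
        raise OrderError("unknown account")
    # Consistency: the debited account must hold the currency the product sells.
    if src.currency != base:
        raise OrderError(f"source account holds {src.currency}, {product_id} sells {base}")
    if size <= 0 or price <= 0:
        raise OrderError("size and price must be positive")
    if src.balance < size:
        raise OrderError("insufficient funds")
    dst = _quote_account(accounts, user, quote)
    src.balance -= size
    dst.balance += size * price
    return dst.balance


def rejected(fn, *args):
    """True if the handler refuses the order, False if it executes it."""
    try:
        fn(*args)
    except OrderError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked credits USD:", sell_unchecked(make_accounts(), *ATTACK_ORDER))
    print("checked rejects ETH-as-BTC:", rejected(sell_checked, make_accounts(), *ATTACK_ORDER))
    print("checked rejects other user's account:", rejected(sell_checked, make_accounts(), *CROSS_USER_ORDER))
    print("checked accepts legitimate sell:", sell_checked(make_accounts(), *LEGIT_ORDER))
```

The point of the hardened version is that the client-supplied account id is treated as an untrusted reference: ownership and currency are looked up from the ledger and compared against what the product requires, rather than assumed from the request.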

The 7 Most Expensive Bugs in History

NASA Mars Climate Orbiter: $193 Million 

NASA's Mars Climate Orbiter was the second probe in the agency's Mars Surveyor Program, which also included the Mars Global Surveyor, launched in November 1996, and the Mars Polar Lander, launched in January 1999.

The Climate Orbiter and the Polar Lander were designed to arrive at roughly the same time to study the surface, climate, and atmosphere of Mars. The Climate Orbiter was supposed to enter orbit on September 23, 1999.

DevSecOps, SecDevOps, or RainbowMonkeyUnicornPony? [Interview with DJ Schleen]

While DevOps is forging boldly into the future, security is still trailing those advances in many organizations. So it's important that we understand how to apply notions of (traditionally static) security to environments that are built to foster continuous development. I, for one, would like to raise the torch to the fledgling category of DevSecOps and learn how it is successfully implemented by industry leaders. In the first of a series of interviews with DevSecOps community leaders, I chat with DJ Schleen, DevSecOps Advocate at Sonatype.

Helen: I think that the market is light on shared DevSecOps reference architectures to help the community learn and grow. Do you agree and what can we do about it?

DJ: There are a lot of missing pieces out there, and I think it's because nobody really knows where to go with it. If you do a search for DevSecOps reference architectures, you're going to see that infinity logo with a bunch of locks around it, which doesn't really tell you much. I've created this one, but the community does need to share. I think it's because people don't really know which community they're part of; are they part of Secure DevOps, SecDevOps, OpsSecDev? I think there's confusion. So you might see some security reference architectures, but I don't know if they're really taking into consideration flow across the whole technology value stream.