API Security Weekly: Issue #131

This week, we check out the recent API vulnerability in John Deere farming machinery, the best practices in using Springfox annotations for API security, a new JWT penetration testing lab, and AutoGraphQL — a tool for GraphQL authorization testing.

Vulnerability: John Deere

John Deere is one of the leading manufacturers of expensive farming equipment, such as tractors and combine harvesters. Many of these are automated to the highest degree and cost millions of dollars.

Hypermedia APIs: What Are They and What Can They Do for You? [Video]

Like anything in life, APIs come in different 'flavors.' In the case of APIs, these are called 'API Styles,' and there are five major styles in the API space. Many of today’s APIs use the resource style, and this can be easily verified by the popularity of OpenAPI, which is the most popular way of describing resource-oriented APIs.

But there is a relatively easy way to 'level up' from that style by using the hypermedia style. Hypermedia is the style of the Web: It centers around resources (just like the resource style) but also centers around interlinking these resources in ways that are meaningful for consumers.

API Security Weekly: Issue #129

This week, we obviously have to discuss the hundreds of millions of Facebook and Clubhouse user profiles that were scraped using APIs. In other news, Forrester has published their fresh and insightful report “The State of Application Security”, and there’s a new online training “Building an Identity Architecture for APIs”.

Data Leak: Facebook

The biggest recent data leak news is the huge database of 530 million Facebook users that was made available. Facebook has made an official statement on the incident, downplaying it because the data was “scraped” already back in 2019 using Facebook’s APIs, rather than obtained through some sort of database access or another “direct” hack.

API Security Weekly: Issue #128

This week, we check out the recent API vulnerabilities at VMware and GitLab, how URL parameters can lead to server-side request forgery (SSRF) vulnerabilities, and the upcoming webinar on some of the recent real-life API security flaws.

Vulnerability: VMware vRealize Operations API

VMware has just patched two critical security issues in their vRealize Operations API. The patched vulnerabilities are CVE-2021-21975 and CVE-2021-21983, and affect the products Cloud Foundation and vRealize Suite Lifecycle Manager.

Secure API Design With OpenAPI Specification

Editor’s Note: The following is an article written for and published in DZone’s 2021 API Design and Management Trend Report.

API security is at the forefront of cybersecurity. Emerging trends and technologies like cloud-native applications, serverless, microservices, single-page applications, and mobile and IoT devices have led to the proliferation of APIs. Application components are no longer internal objects communicating with each other on a single machine within a single process — they are APIs talking to each other over a network.

Effective API Design: 5 Principles to Keep Customers Coming Back

Editor’s Note: The following is an article written for and published in DZone’s 2021 API Design and Management Trend Report.

It is easy to get lost in the hype and excitement of our technological decisions — which database to use, which dependency injection framework works best, and which programming language is superior — and lose focus on our goal: Create an application that most effectively solves a customer’s problem. While languages and tools are an important facet of software design, they are not the only aspects we must consider.

API Security Weekly: Issue #124

This week, we take a look at the recent API vulnerabilities reported at Microsoft and Truecaller Guardians, the new penetration testing labs for API security, and an upcoming webinar on the API security process at Ford Motors.

Vulnerability: Microsoft Online Accounts

API endpoints for resetting account passwords are a frequent attack vector. Attackers brute-force these by supplying as many possible combinations of password reset codes as they can within the time window available to them.

API Security Weekly: Issue #120

This week, we take a look at the security issues in cheap video doorbells and security cameras, as well as tutorials and webinars on protecting APIs running in Kubernetes, JSON web tokens (JWT), and web and API authentication and authorization.

Oh, and we also have a link to DZone community awards where you can vote for this newsletter!

API Security Weekly: Issue #118

This week, we check out a potential exposure of APIs developed with Spring Framework and OAuth 2.0 attack classification. There’s also a recording of a recent JSON web token (JWT) security webinar and an upcoming API security fireside chat at the Postman Galaxy event next week.

Vulnerability: Spring Framework Application-Level Profile Semantics

Frameworks make developer life easier but may also increase your attack surface, as the recent research on Spring Framework demonstrates.

API Security Weekly: Issue #115

Happy New Year 2021!

This week, we revisit the API aspects of the SolarWinds breach and check out how APIs featured in the recent Ledger breach. There is also an API vulnerability found in Microsoft’s Office 365 Outlook and a new API development and security plugin for JetBrains IDEs.

How to Properly Deprecate APIs

As with any product lifecycle, a key responsibility for API architects and API product owners is deciding when to sunset or retire a feature or offering. The API lifecycle is no different, but it requires careful planning to carry out the deprecation with minimal customer impact. Unlike a packaged solution or module, which is more of a black box, APIs enable your customers to build custom functionality that may have required months of integration work and testing. Without the correct assessment or process, you could prematurely deprecate a critical service, causing a storm of support tickets.

This guide walks through the best practices of deprecating an endpoint and shows, by example, how to do it with an analytics platform.

API Security Weekly: Issue #114

This week, we check out the API aspects of the recent SolarWinds and PickPoint breaches. Also, we have a review on how to shift API security left with GitHub and 42Crunch and an introduction video on GraphQL security.

Breach: SolarWinds

The SolarWinds hack reported this weekend was not API-related as such. It was a supply chain attack in which the attackers (likely a state actor) managed to insert their backdoor into one of the DLL files of SolarWinds’ IT monitoring and management software, Orion. After a dormant period, the malicious code would contact the command-and-control (C2) server to get further instructions and execute them. This was in turn used against SolarWinds’ customers, including multiple US government agencies.

API Security Weekly: Issue #113

This week, we take a look at the recent API vulnerabilities reported at YouTube and 1Password, a detailed OpenID Connect (OIDC) security research, and how Assetnote Wordlists can be used in API discovery.

Vulnerability: YouTube

Ryan Kovatch was testing the YouTube Video Builder beta when he discovered flaws in the YouTube APIs that it uses.

API Security Weekly: Issue #111

This week, we take a look at the recent API security issues with Resource-Based Policy APIs at Amazon Web Services (AWS), Backup Gateway APIs at Tesla, and Twitter Fleets. In addition, we have some free passes to the upcoming DeveloperWeek New York, which includes some talks on API security too.

Vulnerability: AWS Resource-Based Policy APIs

Researchers at Unit42 found that 22 APIs across 16 different AWS services can be exploited to leak Identity and Access Management (IAM) users and roles.

API Security Weekly: Issue #109

This week, another API has been leaking voter data in the US. We also take a look at Dynatrace’s API token best practices and at Dredd, an open-source OpenAPI verification tool, and there is a video with tips on locating broken object-level authorization vulnerabilities in APIs.

Vulnerability: Trump Campaign’s Post-Election Site

Although the campaigns are finally over, the US elections still feature in our newsletter. This time the dubious star of the week is the website that the Trump campaign launched to collect anecdotal evidence of voting issues. Researchers found that the APIs behind the site were poorly protected and leaking voter information.