API Security Weekly: Issue 170

This week, we have an article on applying a DevSecOps approach to API security with a shift-left and protect-and-monitor-right strategy, a pair of vulnerabilities patched by F5, Brenton House's views on the top 10 API integration trends, and finally, a view on the rise of bot attacks against APIs.

Article: Taking a DevSecOps Approach to API Security

This week, Doug Dooley published an article on how a DevSecOps approach can be applied to API security. It describes how a shift-left and protect-and-monitor-right approach can result in more secure APIs by bringing API development more in line with the well-established processes used for application development.

API Security Weekly: Issue 168

This week, we have news of a vulnerability in the IndexedDB API in Safari 15 that exposed user information, a pair of vulnerabilities in AWS affecting AWS Glue and AWS CloudFormation, and a podcast featuring Rinki Sethi and Alissa Knight discussing API security.

Last week, we featured an “awesome API security” guide from a third-party site with good intentions. Subsequently, we discovered that this guide is a direct and unattributed copy of the excellent guide by André Rainho previously featured in this newsletter. Our apologies to André for this oversight, and we strongly advise readers to check out his original Awesome API Security guide.

API Security Weekly: Issue 160

This week, we have a vulnerability in the AWS API gateway that allows a potential cache-poisoning attack, disclosed at the recent BlackHat Europe conference, a guide on how to harden Kubernetes API access, a report from Forbes on the need to take API security more seriously, and predictions on what's possible on the next OWASP API security Top 10.

Vulnerability: AWS API Gateway Vulnerable to HTTP Header-Smuggling Attack

At the recent BlackHat Europe security conference, web security researcher Daniel Thatcher disclosed vulnerabilities relating to the AWS API gateway that allowed HTTP header smuggling. Currently, AWS has not responded to this research nor offered a comment regarding the potential vulnerabilities in their API gateway.

API Security Beginner’s Guide

Historical API Evolution

According to the documented history, web APIs first appeared towards the end of 1990 with the launch of Salesforce's sales automation solution. At that time, it was an open resource offered to everyone.

Salesforce's automation tool was XML-driven, and the format it used for interchanging data later became recognized as the standard SOAP API. It featured message format specifications and encoding-specific rules for allowing or disallowing requests.

Practical API Security: The OWASP API Security Top Ten

API security is on everyone’s mind: after all, APIs always open up network-accessible interfaces that previously may not have been exposed. Making sure that this does not create new risks means that securing APIs is an essential aspect of API management.

API security has always been a technical issue, but it starts much earlier than just “securing an API.” It needs to be part of the general API mindset and of how an organization manages APIs throughout their lifecycle.

Broken Access Control and How to Prevent It

Broken Access Control vulnerabilities are common in modern applications because the design and implementation of access control mechanisms rely on a highly complex ecosystem of multiple components and processes. In such a complex, changing ecosystem, security teams must apply a range of legal, organizational, and business-logic controls to ensure the tech stack is watertight and leaves no room for attackers to exploit the system.

As it sounds, the job isn’t easy, and there is a fair chance of unidentified vulnerabilities on account of a formal approach to tackling security. The traditional method of identifying access-related vulnerabilities is to rely on manual testing. Due to the lack of automated, continuous detection, access control vulnerabilities often remain unnoticed and are potentially targeted by attackers at a much higher intensity.

Application Security Checklist

Editor's Note: The following is an article written for and published in DZone's 2021 Application Security Trend Report.

In today’s technology landscape, organizations are supported by web applications that act as essential enablers to streamlining operations. While these applications enable automation, wider collaboration, and ease of sharing data, they also act as vectors that are prone to malicious attacks. Besides this, as modern applications rely on loosely connected components and services in constant communication, security becomes a complex, time-consuming challenge.

OWASP, Vulnerabilities, and Taint Analysis in PVS-Studio for C#. Stir, but Don’t Shake

We continue to develop PVS-Studio as a SAST solution. Thus, one of our major goals is expanding OWASP coverage. You might ask, what's the use when there's no taint analysis? That's exactly what we thought - and decided to implement taint analysis in the C# analyzer. Curious about what we accomplished? Read on!

Note. This article briefly touches upon the topics of SQL injections and working with SQL in C#. This theory serves as context. For in-depth information on these topics, do additional research.

Overcoming OWASP’s Sensitive Data Exposure Risk Through Application-layer Data Encryption

Developers face a number of challenges and pressures when creating an application — most obviously, the need to meet release deadlines. When approaching a looming deadline, security is sometimes deprioritized, so the Open Web Application Security Project (OWASP) Top Ten list was created as an easy reference for developers to learn about major web application security issues and to use as a starting point when performing security assessments.

OWASP is one of the more well-known and highly regarded organizations in the cybersecurity space. This nonprofit is dedicated to improving the state of web application security by bringing attention to the most common and impactful security issues.

Statistics-Based OWASP Top 10 2021 Proposal

Everybody knows the OWASP Top 10, as well as the fact that it gets updated only every 3-4 years. With the last update published in 2017, it’s no surprise that a new version is coming this year. During my application security career, I saw the OWASP Top 10 at least in 2003, 2004, 2007, 2010, 2013, and 2017.

Since the OWASP Top 10 creation process is not well documented, it seems reasonable to build an open and transparent rating for the same categories based on a large number of security reports.

OWASP Mobile Top 10 Vulnerabilities and Mitigation Strategies

According to Statista, there are 3.5 billion smartphone users. That means a lot of people could become victims of insecure mobile apps.

The OWASP Mobile Top 10 list is a great resource for app developers who want to create secure apps. That's because many mobile apps are inherently vulnerable to security risks. Let's think about some of the attacks on mobile apps that have occurred in the past few years. There was the WhatsApp Pegasus spyware that enabled attackers to control victims' devices. Another was the attack on the Pokémon Go app, where users could reverse-engineer the app to catch more Pokémon.

Part II: Secure Coding Made Easy: 5 Tips to Integrate Security into Development

You’ve heard it before: it’s time to get serious about security. Cyber threats aren’t slowing down, which means security must become a critical part of your job as a developer. But it’s not always easy to fix your code during or after release to production, especially when you have to stop and search for knowledge resources. That’s where secure coding best practices and fine-tuned training meet to set you up for success.

In part one of this two-part guide, we broke down best practices like parameterizing your queries to avoid SQL injection and encoding your data to address the three main classes of Cross-Site Scripting (XSS). For part two, we’re diving into five additional tips and best practices, from protecting data to leveraging existing frameworks securely.

OWASP Top 10 API Security

I am sure that almost all of you are aware of OWASP, but, just for context, let me briefly describe it.

OWASP is an international non-profit organization dedicated to web application security. It is a completely open-source and community-driven effort to share articles, methodologies, documentation, tools, and technologies in the field of web application security.

10 Node.js Security Practices

Web application security is rapidly becoming a major concern for companies, as security breaches are becoming more expensive by the day. The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to web security. OWASP has put together a regularly updated list of the top ten web application security risks.

In the course of this article, we will examine the ten secure practices in Node.js which are in line with the OWASP top 10 web application security risks.

10 IoT Security Tips You Can Use to Secure Your IoT Devices

IoT is something of a double-edged sword. While it makes life so much simpler to have a smart home with a smart lock and a Wi-Fi kettle that boils the water for your morning tea automatically, it comes at a price that may cost you significantly more than what’s on the price tag. IoT security involves trade-offs and, unfortunately, these can do more harm than good, and almost make you miss the days when there was nothing “smart” about your TV!

Let’s take a look at some examples to drive home the importance of security before we welcome this technology into our homes, our industries, and our everyday lives.