API Security Weekly: Issue 165

This week, we have news of another high severity vulnerability in a WordPress plugin, this time the popular All in One plugin, allowing compromise via the core REST API. We also have views from @apihandyman on why to treat all APIs as public ones, a comprehensive beginner's guide to API security, and finally an optimistic view from Forbes on how enterprises can achieve speed and security by adopting Zero Trust and APIs.

Vulnerability: High Severity Vulnerability in the All in One WordPress Plugin

Vulnerabilities in WordPress plugins have featured frequently in this newsletter (here and here), and again this week we feature a pair of high-severity vulnerabilities in the popular All in One plugin. The first vulnerability, CVE-2021-25036, allows access to high-privilege API endpoints via a privilege escalation attack, whilst the second vulnerability, CVE-2021-25037, allows SQL injection via API endpoints.

API Security Weekly: Issue 164

This week, we have news on the Log4Shell vulnerability affecting applications and infrastructure using the ubiquitous Log4j library. In addition, there's an article on how API sprawl is becoming a threat to the digital economy, a guide on API security design best practices, and views on the benefits of the zero trust approach for API security.

Vulnerability: Log4Shell Vulnerability Poses a Critical Threat to Applications

The major news this week is the critical vulnerability in the ubiquitous Log4j Java logging library. A combination of factors — including the ease of exploit (several example exploits were posted within hours of disclosure), the prevalence of the library, and the impact of the vulnerability (including complete server takeover) — has led to the vulnerability being classified a maximum score of ten on the CVSS scale. The vulnerability has been assigned the identifier CVE-2021-44228.

3 Steps To Streamline Kubernetes Multi-Cluster Management

The footprint of Kubernetes is expanding rapidly in all industries. Many enterprises already operate multiple Kubernetes clusters in multiple regions to address the needs of global operations and reduce application latency for customers worldwide. You may already have a large number of Kubernetes clusters in on-premises data centers and a number of public cloud locations, possibly using several cloud providers to avoid lock-in.

Unfortunately, operating a distributed, multi-cluster, multi-cloud environment is not a simple task. Kubernetes is a relatively new technology. It’s hard to find staff with Kubernetes skills or to identify the best tools for multi-cloud Kubernetes management.

Zero Trust Security Model to Safeguard Software Apps

We've all heard a lot about digital transformation and how it affects the IT world. Each of these technologies, whether it's big data, the Internet of Things (IoT), or cloud computing, has made a significant contribution to a range of enterprises. Few people, however, talk about the complexity they add, especially in the context of business network infrastructures.

The fences are crumbling, and the resulting hazy network perimeter is causing security concerns.

What Is Zero Trust Security and Why Is It Necessary?

What is Zero Trust?

Zero Trust is a security model that enables the DevSecOps team to deal with vulnerabilities that have arisen with massive digital transformations like cloud adoption, decentralized infrastructure, and container technologies. Though these have enabled teams to deliver products and services efficiently, the traditional security models pose a massive threat. The idea of trusting anyone inside the organization’s network is a massive flaw that needed rethinking.

The core of the Zero Trust security model is to trust no one and always verify. This approach establishes a hard rule to always validate every digital interaction. The Zero Trust framework assumes an organization’s network security is always at risk from external and internal threats. It helps organize and strategize a thorough approach to counter those threats.

How to Reduce Your Chances of an API Data Breach

With more companies embracing APIs, they are fast becoming the weak link in the organizational security chain. In our post-Equifax world, APIs still fly under the radar of security professionals, and the future will only bring more incidents unless leaders adopt strategies and tactics to mitigate the inherent “openness” of APIs.

The Equifax breach was the result of a known vulnerability in the Apache Struts web framework but not all exposures are so easily identified and patched. There are numerous potential attack vectors with APIs — on average, there are 22 vulnerabilities per web application and they are so commonplace that OWASP has an entire list dedicated to the API Security Top 10.

6 Security Predictions for 2021—And Why They Matter

Understanding industry trends is important for any IT professional, but it’s especially critical for anyone working in security. Teams need to be able to stay a step ahead of a wide range of security threats. With the global COVID-19 pandemic altering the way enterprise organizations do business and their employees work, it’s been a particularly challenging year to achieve this, all while ensuring that the new tools employees need to stay connected and productive don’t put individuals, or the enterprise, at risk. 

Just as the nature of our work style and lives have changed, so too has the threat landscape and the security tools we use to combat it. We’re constantly learning about emerging and ongoing security trends that will impact businesses and customers globally, but with breaches du jour, it’s often hard to know which are the most important. That said, there are six factors that IT and business leaders should keep top of mind to kick off the new year right. 

Zero-Trust for Next Generation Clouds

Definition

Next-gen clouds mean modern digital cloud architectures that are built using open-source software stacks that are part of the Cloud Native Computing Foundation (CNCF). Zero Trust is a security model that starts with the assumption that any network is insecure and cannot be trusted, and that access to any application or service is dependent on the device and user credentials. This allows an individual or employee to access any system on any network provided the device and credentials are presented.

Google shared an influential whitepaper, “BeyondCorp – A new approach to Enterprise security”, in 2014, which provided a roadmap for what they were doing to flip their internal IT systems onto the internet and move to a zero-trust model.

How Zero Trust Architecture Keeps Your Data Safe

Just as every rose has approximately 23.5 thorns, every business innovation gives rise to an array of cybercrimes designed to exploit it. As we become a more connected world — sharing data and processes, sending live communications over mountains and oceans, and logging on to apps hosted across any number of nations — nefarious threats rise to meet our best intentions.

It's no wonder Cybersecurity Ventures predicts that, by 2021, businesses will fall victim to a ransomware attack every 11 seconds.