Formalizing our API Security Research with the Launch of Salt Labs

In many ways, our announcement today about the formation of Salt Labs has been five years in the making. I came up with the need for Salt Security as a result of the expertise gained in the elite cyber security unit in the IDF and spending years in a number of roles where I saw the growing problem of API security. My research showed APIs to be a highly fruitful target and among the least protected assets – API security research has been at our heart from day one.

And my love of hacking goes back much farther. Ever since I started programming at the age of 9, hacking has been a big part of my exploration and self education. Sometimes, when we are evaluating a SaaS solution, I get curious about how well secured the system’s APIs are. For example, I was recently pitched on a stock option management platform – the company balked when I declined to sign on, noting their APIs weren’t secure enough, and through a common vulnerability I was able to retrieve the stock details and  option tally of the chairman of the board for one of their lead reference customers.

From the start, Salt Security has been the leading company in API security – we’ve defined and shaped this product category, and that leadership role brings with it a great responsibility. It’s impossible to lead if you are not out in front of the latest and greatest in API threats. We’ve educated hundreds of organizations on API security, and our researchers have been core to this process from the beginning. The results of their hacking – performed with permission – forms a major part of our customers’ education. That’s why we are evolving and formalizing our research activities with Salt Labs, to make sure that we stay ahead of any API threat to come and to educate the broader community.

We have so much to share. We nearly always find stunning security gaps in the APIs of the customers we’re supporting. To date, we’ve shared those findings only with those organizations. By anonymizing that information and extracting best practices and remediation insights, we have the opportunity to educate the broader market on API programming mistakes to avoid.

In today’s inaugural vulnerability research from Salt Labs, we detail stunning API security gaps at a large financial institution. Our security researchers found  inadequate authorization for data access, inadequate authorization for function access, susceptibility to parameter tampering, and improper input filtering. As a result, the Salt Labs team was able to show that:

1. Any user could read any financial records of any customers, despite lacking the proper authorization

2. Any user could delete any customer’s user accounts across the financial platform

3. Any user could tamper with authentication parameters and take over any account

4. Any user could launch an application-level denial of service attack that would render entire applications unavailable

Unfortunately, such missteps in APIs are common – in our research, we also frequently hack public applications and services, looking for API security gaps we can incorporate into our ML and AI algorithms to make our platform more beneficial for all our customers. With this formal launch of Salt Labs, we will now take the time to document those findings publicly, after we follow responsible disclosure processes, so that once again, the broader industry can learn from our discoveries.

We’ll also incorporate broader data sources, including aggregated customer data, industry research, and survey data into our body of work. We’ll fold the “State of API Security” report under the Salt Labs team, for example, and undertake additional research on how different industries are grappling with API security.

As we take this core capability of the Salt team and open it up more publicly, we’re excited to get your feedback and input. Please let us know where you want us to focus the considerable research talents of Salt Labs going forward – use the Contact Us page to share your feedback.

*** This is a Security Bloggers Network syndicated blog from Salt Security blog authored by Roey Eliyahu. Read the original post at: