MythBusters API Edition - Zero trust is the way

MythBusters API Edition: Zero Trust and its limitations for API Security

Defining “zero trust”

Before we dive into why “zero trust” has become a myth in API security, let’s establish what we mean by the term, since it is often overloaded in the security industry. Traditional security thinking asserted that if we can build trusted environments (commonly network zones) to host applications, ... Read More

What Does the Biden Administration’s Cybersecurity Executive Order Mean for API Security?

The latest executive order (EO) zeroes in on a few areas of cybersecurity, but a primary focus is software supply chain security after incidents such as the SolarWinds attack. Some of these mandates were already in play as part of the Federal Risk and Authorization Management Program (FedRAMP) initiated ... Read More

What is Credential Stuffing – and How to Defend Against it

1. Perform recon of a target and its APIs – attackers stealthily scan and collect information about their targets, often selecting their victims based on data or functionality that is of high value or brand recognition. Information gathering includes IP address ranges, registered domain names, hosting application servers and exposed ... Read More

REST API Security Best Practices

What is a REST API?

A REST API is an API that conforms to specific architectural constraints associated with web-based applications, including stateless communication and cacheable data. REST APIs allow browser apps, mobile apps, and other API clients to communicate with a server. What follows are the top 10 REST API ... Read More

API9:2019 Improper Assets Management

Description

Maintaining a complete, up-to-date API inventory with accurate documentation is critical to understanding potential exposure and risk. An outdated or incomplete inventory results in unknown gaps in the API attack surface and makes it difficult to identify older versions of APIs that should be decommissioned. Similarly, inaccurate documentation ... Read More
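One practical way to find the gaps the description talks about is to diff the documented inventory against what the gateway or access logs actually serve. The script below is an added example written for this post, not code from the article or from any vendor product; the inventory, the host list and the log lines are all constructed sample data, and the simplified "host method path status" log format is an assumption for the sake of a self-contained example.

```python
import re

# Constructed inventory: the documented, supported API surface as
# (host, version, resource) triples. Example data, not from the original post.
INVENTORY = {
    ("api.example.com", "v2", "/users"),
    ("api.example.com", "v2", "/orders"),
}
# Hosts that are allowed to expose APIs at all (constructed).
KNOWN_HOSTS = {"api.example.com"}

# Constructed access-log lines in a simplified "host method path status" form.
LOG_LINES = """\
api.example.com GET /v2/users/42 200
api.example.com GET /v1/users/42 200
api.example.com POST /v2/orders 201
api.example.com GET /v2/admin/export 200
beta-api.example.com GET /v2/users/42 200
api.example.com GET /v2/users 200
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<method>[A-Z]+) /(?P<version>v\d+)(?P<path>/\S*) (?P<status>\d{3})$"
)


def resource_of(path):
    """Collapse numeric ids so /users/42 and /users/7 both map to the /users resource."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(p for p in parts if not p.isdigit())


def find_inventory_gaps(inventory, known_hosts, log_text):
    """Return observed (host, version, resource) triples missing from the inventory,
    grouped by the kind of gap: an unknown host, an undocumented (often older)
    API version that should have been decommissioned, or an undocumented resource."""
    gaps = {"unknown_host": set(), "undocumented_version": set(), "undocumented_resource": set()}
    documented_versions = {(h, v) for (h, v, _) in inventory}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline should count and surface these too
        host, version, path = m["host"], m["version"], m["path"]
        key = (host, version, resource_of(path))
        if key in inventory:
            continue
        if host not in known_hosts:
            gaps["unknown_host"].add(key)
        elif (host, version) not in documented_versions:
            gaps["undocumented_version"].add(key)
        else:
            gaps["undocumented_resource"].add(key)
    return gaps


if __name__ == "__main__":
    for kind, keys in find_inventory_gaps(INVENTORY, KNOWN_HOSTS, LOG_LINES).items():
        for key in sorted(keys):
            print(kind, *key)
```

On the sample data this flags the still-live `/v1/users` endpoint (an old version never retired), an `/v2/admin/export` resource nobody documented, and a `beta-api` host that should not be serving the API at all. Grouping by gap type matters because each has a different owner: decommissioning a version, documenting a resource, and shutting down a rogue host are three different tickets.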

API10:2019 Insufficient Logging & Monitoring

Description

Insufficient logging and monitoring, combined with missing or ineffective integration with incident response, allows attackers to perform reconnaissance, exploit or abuse APIs, compromise systems, maintain persistence, advance attacks, and move laterally across environments without being detected. The longer an attacker is present in an environment, the higher the likelihood the ... Read More
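To make the point concrete, here is what "monitoring" looks like in code for two of the behaviours mentioned on this page: the API reconnaissance step from the credential stuffing post above, and the failed-login pattern of credential stuffing itself. This is an added example written for this post, not code from the article or from any product; the JSON-lines access log, the IP addresses, the usernames and the thresholds are all constructed sample values. It assumes the login endpoint is `/api/login` and that a failed login returns 401, both assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed API access-log events (JSON lines). Not from the original post.
LOG = """\
{"ts": 1, "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "status": 401, "user": "alice"}
{"ts": 2, "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "status": 401, "user": "bob"}
{"ts": 3, "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "status": 401, "user": "carol"}
{"ts": 4, "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "status": 401, "user": "dave"}
{"ts": 5, "ip": "203.0.113.5", "method": "POST", "path": "/api/login", "status": 200, "user": "erin"}
{"ts": 6, "ip": "198.51.100.9", "method": "POST", "path": "/api/login", "status": 401, "user": "frank"}
{"ts": 8, "ip": "198.51.100.9", "method": "POST", "path": "/api/login", "status": 401, "user": "frank"}
{"ts": 10, "ip": "198.51.100.9", "method": "POST", "path": "/api/login", "status": 401, "user": "frank"}
{"ts": 11, "ip": "192.0.2.77", "method": "GET", "path": "/api/v1/admin", "status": 404}
{"ts": 12, "ip": "192.0.2.77", "method": "GET", "path": "/api/internal", "status": 404}
{"ts": 13, "ip": "192.0.2.77", "method": "GET", "path": "/api/debug", "status": 404}
{"ts": 14, "ip": "192.0.2.77", "method": "GET", "path": "/api/users", "status": 200}
"""

LOGIN_PATH = "/api/login"  # assumed login endpoint (example)


def detect(log_text, window=60, stuffing_failures=4, stuffing_users=4, recon_paths=3):
    """Scan access-log events and return sorted alert tuples.

    credential_stuffing: >= stuffing_failures failed logins spread over
                         >= stuffing_users distinct accounts from one IP within `window` seconds
                         (one user failing repeatedly is a typo, many users from one IP is a list).
    possible_takeover:   a successful login from an IP already flagged for stuffing.
    api_recon:           one IP probing >= recon_paths distinct non-existent endpoints.
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = set()

    # --- credential stuffing: sliding window over failed logins per source IP ---
    fails = defaultdict(list)  # ip -> [(ts, user)]
    for e in events:
        if e["path"] == LOGIN_PATH and e["status"] == 401:
            fails[e["ip"]].append((e["ts"], e.get("user")))
    stuffing_ips = set()
    for ip, attempts in fails.items():
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi][0] - attempts[lo][0] > window:
                lo += 1
            win = attempts[lo:hi + 1]
            if len(win) >= stuffing_failures and len({u for _, u in win}) >= stuffing_users:
                stuffing_ips.add(ip)
                break
    for ip in stuffing_ips:
        alerts.add(("credential_stuffing", ip))
        # The hit the attacker was looking for: a success from the same source.
        for e in events:
            if e["ip"] == ip and e["path"] == LOGIN_PATH and e["status"] == 200:
                alerts.add(("possible_takeover", ip, e.get("user")))

    # --- recon: one source enumerating endpoints that do not exist ---
    notfound = defaultdict(set)  # ip -> {path}
    for e in events:
        if e["status"] == 404:
            notfound[e["ip"]].add(e["path"])
    for ip, paths in notfound.items():
        if len(paths) >= recon_paths:
            alerts.add(("api_recon", ip))

    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(LOG):
        print(*alert)
```

Note what the detector does not alert on: `198.51.100.9` fails three times as the same user, which is a forgotten password, not a stuffing run. Per-user distinctness is the signal that separates the two, and none of it is possible unless the source IP, the target account and the response status are all in the log in the first place, which is the logging half of this weakness.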

API8:2019 Injection

Description

Injection flaws are very common in web applications, and they carry over to web APIs. Structured Query Language (SQL) injection is the best known, but other injection varieties can affect a range of interpreters and parsers beyond SQL, including Lightweight Directory ... Read More
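The shape of the flaw is the same whatever the interpreter: untrusted input is spliced into a string that a parser will later treat as code. The example below is added for this post and is not code from the article; it shows a deliberately vulnerable user-lookup handler next to its parameterized form against an in-memory SQLite table with constructed rows, and then the same discipline applied to an LDAP search filter, where the fix is escaping the filter metacharacters per RFC 4515. The table, the usernames and the filter shape are all assumptions for the example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (example data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "user"), ("bob", "bob@example.com", "admin")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # VULNERABLE: the attacker-controlled value is concatenated into the SQL text,
    # so the SQL parser cannot tell where the data ends and the query resumes.
    sql = f"SELECT username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    # SAFE: the value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 encoding).
    Backslash must be handled first so the escapes it introduces are not re-escaped."""
    return (
        value.replace("\\", "\\5c")
        .replace("*", "\\2a")
        .replace("(", "\\28")
        .replace(")", "\\29")
        .replace("\x00", "\\00")
    )


def ldap_user_filter(username):
    """Build a person lookup filter; assumed schema (objectClass/uid) for the example."""
    return f"(&(objectClass=person)(uid={ldap_filter_escape(username)}))"


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"  # classic tautology payload
    print("vulnerable:", lookup_user_vulnerable(conn, payload))  # every row, including the admin
    print("safe:      ", lookup_user_safe(conn, payload))        # nothing: no user is literally named that
    print("ldap:      ", ldap_user_filter("*)(uid=*"))           # metacharacters neutralised
```

With the tautology payload the vulnerable handler returns both rows, admin included, because the WHERE clause became `username = 'x' OR '1'='1'`; the parameterized version returns nothing, because the whole string was compared as a value. The LDAP variant is the same lesson for a different parser: without escaping, `*)(uid=*` would close the `uid` term early and widen the search, which is exactly the kind of non-SQL injection the description refers to.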

The Peloton API Security Incident – What Happened and How You Can Protect Yourself

What do you do when your exercise equipment leaks your personal information? Why is exercise equipment storing sensitive data, or more accurately, how do associated services make use of APIs to get to that data? And how might such APIs inadvertently leak personally identifiable information (PII)? These questions and more ... Read More

Unpacking the Parler Data Breach

The storming of Capitol Hill on January 6, 2021 was an unprecedented incident for Americans and non-Americans alike, and the world is still processing what happened. Many suspects have been charged, and the FBI is still investigating. As many of you likely know by now, a number of individuals used ... Read More