
API Security 101: Lack of Resources & Rate Limiting
Data, data, everywhere. How the lack of rate limiting contributes to severe security issues.
You’ve probably heard of the OWASP top ten, or the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API ...

API Security 101: Excessive Data Exposure
Hey, I found your access tokens on your profile page.
You’ve probably heard of the OWASP top ten, or the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API top ten. The current ...

API Security 101: Broken User Authentication
How attackers hack API authentication. Are you who you say you are?
You’ve probably heard of the OWASP top ten, or the top ten vulnerabilities that threaten web applications. OWASP also periodically selects a list of top ten vulnerabilities that threaten APIs, called the OWASP API top ten ...

API Security 101: Broken Object Level Authorization
An API Objects Free-For-All
I got really into studying API security recently. While working on the first draft of my book, my technical editor, Aaron Guzman, pointed out that my book on web security needed an API chapter to be complete. And he has a great point. As modern ...

Why Your Code Is A Graph
Graph structures and how they are used in security code analysis
Graph structures are a natural representation of many kinds of data. They are a good way to represent relationships between objects, such as the relationships between users on social media sites, or the distances between different locations. Today, let’s explore graphs and ...

AppSec Conference: Shifting Left 2.0
Sessions to watch for developers and hackers
Here at ShiftLeft, we are gearing up for Shifting Left 2.0, a two-day application security conference for developers and security practitioners on June 22–23, 2021. It has something security-related for everyone: dev team leaders, application security folks, and the developers who ...

Secure Developer Challenge May 2021
Thanks to everyone who submitted to the Secure Developer Challenge for May 2021!
For this month’s challenge (https://go.shiftleft.io/developer-challenge-05-2021), we asked you to identify which of these statements about HTTP security headers are false. The correct answer is that options C and F are incorrect. Did you get it right? X-XSS-Protection turns on the XSS auditor of ...

Closing the Developer Security Skills Gap
How to help devs write code, learn security, and fight attackers
Securing software is friggin complicated. Supply chain attacks, the OWASP top ten, ransomware, insider attacks, and plain old typos. As software development becomes increasingly fast-paced, the potential threats that can compromise security don’t stop. If anything, the ...

Beating the OWASP Benchmark
Achieving a best-in-class OWASP Benchmark score with data and information flows
This post is an update to a previous research post authored by ShiftLeft’s Chief Scientist, Fabian Yamaguchi (https://blog.shiftleft.io/beating-the-owasp-benchmark-24a7b1601031). In the last article, he evaluated ShiftLeft’s static analysis tool against the OWASP Benchmark. ShiftLeft’s tool achieved a true-positive rate of 100% ...