API Security Weekly: Issue #12
API Security Weekly: Issue #12
Loo at few API stories involving vulnerabilities, conference talks, and best practices.
Join the DZone community and get the full member experience.Join For Free
Discover how you can get APIs and microservices to work at true enterprise scale.
Happy New Year to everyone! Here are a few stories that we have collected for you during the holidays.
- Hardcoded credentials for cloud APIs,
- Sequential IDs used for user-level authentication (so you can iterate over the user IDs and get information on all cameras belonging to each user including credentials for direct camera access),
- Out of bound writes that lead to remote code execution.
Looks like the company did not get back to the researches in time and vulnerability information got out in the wild.
API Security Workshop slides from APIdays, Paris have been published by the speaker, Isabelle Mauny from 42Crunch:
- How OWASP applies to APIs
- Real-life stories of API breaches
- API security categorization
- Input validation and sanitization
- OAuth tips and best practices
- JWT validation
- Locating vulnerabilities
A fascinating RSA Conference IoT security talk by Charles Henderson from IBM’s X-Force Red team had some fascinating API-related nuggets: in one real-life example, car manufacturers tried to improve the physical security of their customers by limiting geolocation range for vehicle API to 1 km. However, they simply trusted their mobile app invoking the API to report the location of the invoker correctly and didn’t have any additional security on the API side. As result, the attacker could just keep calling the API enumerating locations and quickly covering significant areas.
John Hawkins (CTO at Lightwell) published an overview of the most common API security mechanisms including:
- access control
- rate limiting
- network authentication and encryption
- protection from DDoS/microservice/application level attacks
- API design
- security testing
Samir Jain and Lisa Ropple argue in Harvard Business Review that instead of punishing companies for security breaches, governments should provide common standards and assistance. Right now, the physical and digital worlds have vastly different expectations. In the physical world, if a bank gets robbed, the police step in and go after the criminals. In the digital world, there is somehow an expectation that any company is supposed to be able to withstand any attacks including those from nation states.
API security write-up by Taylor Armerding at Synopsys:
- Organizations manage on average 363 APIs, 69 percent of which are public.
- These APIs increasingly become the main vector of attack.
- The solution is to move API security to the design and development phase and apply existing and new API security technology.
You can subscribe to this newsletter at https://APISecurity.io.
Published at DZone with permission of Dmitry Sotnikov , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.