API Security Weekly: Issue #26

Another GPS watch got breached, Shodan added an IoT monitoring service, and we take a look at API security best practices, webinars, and recommendations.

By Dmitry Sotnikov · Apr. 12, 19 · News

This week, Verizon has been patching their home routers, another GPS watch got breached, Shodan added an IoT monitoring service, and we take a look at API security best practices, webinars, and recommendations.

Vulnerabilities

Verizon is urgently updating their Verizon Fios Quantum Gateway home routers. Researchers from Tenable found multiple security issues in the device’s API. For example, HTTPS was not enforced, and some API call parameters were not sanitized. This enabled attackers to sniff logins, recover the password from its hash, perform a command injection attack, and take control of the device.
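The unsanitized-parameter defect above, as an added example that is not Verizon's or Tenable's code: a hypothetical router-API helper that turns a client-supplied `target` parameter into a diagnostic command, first in the form where the parameter lands in a shell string, then hardened with strict validation and an argv list that never reaches a shell.

```python
import ipaddress
import re

# Added example, not the router vendor's code. The "target" request parameter
# and the ping helper are assumptions standing in for any API parameter that
# ends up in an OS command.

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_unsafe(target: str) -> str:
    # Before: whatever the client sent becomes part of a shell command line,
    # so shell metacharacters in the parameter change what gets executed.
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Return target only if it is a literal IP address or a well-formed hostname."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("target must be an IP address or hostname")


def build_ping_safe(target: str) -> list:
    # After: the validated value is a single argv element. Hand this list to
    # subprocess.run(..., shell=False) so no shell ever parses it.
    return ["ping", "-c", "1", validate_target(target)]


def is_accepted(target: str) -> bool:
    # Convenience wrapper for tests and request pre-checks.
    try:
        validate_target(target)
        return True
    except ValueError:
        return False
```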

More bad news on smartwatches: Vidimensio smartwatches are vulnerable to Insecure Direct Object Reference (IDOR) attacks. Attackers can enumerate device IDs and make API calls for any of them. The vendor has been ignoring the reports, so the researcher used the vulnerability itself to send a warning about it to some of the device users: he spoofed GPS coordinates to make the mobile app spell out the word “pwned” on the location map.

It’s starting to look like inexpensive smartwatches and GPS-enabled watches quite often lack API security. For more examples, see our earlier reports on discovered vulnerabilities in issues 7, 18, and 19.
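The IDOR pattern behind the smartwatch findings, as an added example that is not any vendor's code: an in-memory model of a "get device location" API call, first in the form that returns data for any device ID the caller supplies, then hardened with an ownership check on every object access. The device table and account names are constructed sample data.

```python
from dataclasses import dataclass

# Added example, not the watch vendor's code. DEVICES and the account names
# are constructed sample data; "session_user" stands for whatever identity the
# API's authentication layer has already established.


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    lat: float
    lon: float


# Two watches belonging to two different accounts (constructed).
DEVICES = {
    "1001": Device("1001", "alice", 52.52, 13.40),
    "1002": Device("1002", "bob", 48.85, 2.35),
}


class Forbidden(Exception):
    pass


def get_location_idor(session_user: str, device_id: str) -> tuple:
    # Before: the caller is authenticated, but nothing ties device_id to
    # session_user, so any valid session can walk the whole ID space.
    dev = DEVICES[device_id]
    return (dev.lat, dev.lon)


def get_location_checked(session_user: str, device_id: str) -> tuple:
    # After: authorization is an ownership check on each object access.
    # Unknown and not-owned IDs raise the same error, so the endpoint does
    # not confirm which IDs exist.
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != session_user:
        raise Forbidden("no such device")
    return (dev.lat, dev.lon)


def readable_count(session_user: str, candidate_ids: list, lookup) -> int:
    # How many guessed IDs one session can read: a quick exposure measure
    # for an authorization test suite.
    n = 0
    for did in candidate_ids:
        try:
            lookup(session_user, did)
            n += 1
        except (Forbidden, KeyError):
            pass
    return n
```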

Tools

Shodan is a popular internet vulnerability scanner. Attackers and researchers have used it to discover unprotected Elasticsearch instances, Chromecast devices, printers, and more. To monetize the IoT scenario, Shodan has now launched a new Shodan Monitor service. The service alerts organizations on any of their device APIs that have been left exposed on the public Internet.

Best Practices

Five Best Practices for API Security by Twistlock’s John Odey:

  1. Use authentication and authorization.
  2. Encrypt API data.
  3. Implement security on the application layer.
  4. Whitelist allowed accesses.
  5. Log APIs.

Webinars

KuppingerCole has published the recording of their webinar on API security. The webinar “API Security: Separating Truth from Fiction” was led by Alexei Balaganski and Isabelle Mauny. The webinar covers, for example:

  • API standards
  • The scope of API security
  • Tooling
  • API strategy
  • Practical steps

You need to register (free) with KuppingerCole to watch the recording.

You can subscribe to this weekly API Security newsletter at https://apisecurity.io.

Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.
