API Security Weekly: Issue #32

Look at the latest vulnerabilities in an ASUS update service and Linksys routers, a recent report on WAF customer satisfaction, and a new podcast on API security.

By Dmitry Sotnikov · May 24, 2019 · News

This week, we take a look at the latest vulnerabilities in an ASUS update service and Linksys routers. In addition, there is a recent report on WAF customer satisfaction and a new podcast on API security.

Vulnerabilities: ASUS WebStorage

We reported Dell’s SupportAssist vulnerability a few issues ago, and now the ASUS update service has a similar one. The scenario is the same: ASUS WebStorage Update did not enforce HTTPS for its update channel and did not verify signatures on downloaded files. These two deficiencies allowed attackers to launch a man-in-the-middle (MitM) attack, intercept the update traffic, and trick the update agent into installing rogue files.

Always use HTTPS, and never trust any unsigned data.
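The two controls the WebStorage updater lacked are easy to state as a download policy: refuse any update source that is not HTTPS, and refuse any downloaded file whose digest does not match the value in a trusted manifest. The following is an added illustration, not ASUS code; the manifest format, the host name `update.example.invalid`, the file bytes and the `UpdateRejected` exception are all constructed for this example. In a real agent the manifest itself would carry a signature checked against a public key shipped inside the client, which is the step that stops a MitM from simply rewriting the digest along with the file.

```python
"""Update-agent download policy: require HTTPS and a verified file digest.

Added example (not ASUS code). Models the two checks the WebStorage updater
skipped: transport protection and integrity verification of the download.
The manifest and payloads below are constructed inline for illustration.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the agent will accept updates from.
TRUSTED_HOSTS = {"update.example.invalid"}


class UpdateRejected(Exception):
    """Raised when a download fails one of the policy checks."""


def check_update_url(url: str) -> str:
    """Reject anything that is not HTTPS to a host on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"refusing non-HTTPS update source: {url}")
    if parts.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected(f"refusing update from untrusted host: {parts.hostname}")
    return url


def verify_payload(payload: bytes, expected_sha256_hex: str) -> bool:
    """Compare the payload digest with the manifest value in constant time."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


def install_update(url: str, payload: bytes, manifest: dict) -> str:
    """Run both checks; return the verified filename or raise UpdateRejected.

    The payload is passed in rather than fetched so the example runs offline;
    the checks are the same whether the bytes came from the network or disk.
    """
    check_update_url(url)
    name = manifest["file"]
    if not verify_payload(payload, manifest["sha256"]):
        raise UpdateRejected(f"digest mismatch for {name}; discarding download")
    return name


def is_rejected(url: str, payload: bytes, manifest: dict) -> bool:
    """True if the policy refuses this download (helper for the demo below)."""
    try:
        install_update(url, payload, manifest)
        return False
    except UpdateRejected:
        return True


# Constructed sample data: a genuine update and a tampered copy of it.
GENUINE_UPDATE = b"ASUS-WebStorage-agent-v1.2.3 (constructed sample bytes)"
TAMPERED_UPDATE = b"ASUS-WebStorage-agent-v1.2.3 (constructed sample bytes) + rogue code"
MANIFEST = {"file": "agent.bin", "sha256": hashlib.sha256(GENUINE_UPDATE).hexdigest()}
GOOD_URL = "https://update.example.invalid/agent.bin"
PLAIN_HTTP_URL = "http://update.example.invalid/agent.bin"


if __name__ == "__main__":
    print("genuine over HTTPS :", install_update(GOOD_URL, GENUINE_UPDATE, MANIFEST))
    print("plain HTTP rejected:", is_rejected(PLAIN_HTTP_URL, GENUINE_UPDATE, MANIFEST))
    print("tampered rejected  :", is_rejected(GOOD_URL, TAMPERED_UPDATE, MANIFEST))
```

Note the order of the checks: the URL is validated before any bytes are trusted, and the digest comparison uses `hmac.compare_digest` so that a mismatch does not leak timing information about how many leading bytes of the digest matched.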

Vulnerabilities: Linksys Routers

Over 25,000 Linksys Smart Wi-Fi routers have an unprotected API that leaks data about the devices connected to the routers, such as:

  • Name
  • MAC address
  • OS
  • Firewall status
  • WAN settings
  • Firmware updates
  • DDNS

Because the endpoint requires no authentication, attackers can collect that data, learn what devices are on the user's network, and use the information to plan further attacks.

The API also reveals whether the admin password is still the default or has been changed. An attacker can thus tell which routers can be managed with default administrative credentials.

The bottom line is that security by obscurity does not work: if you have an unprotected API, the chances are that someone will find it. And default admin passwords are evil, too.
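What a protected version of such an endpoint looks like: every data-returning path sits behind a session check, an unauthenticated caller gets the same empty 401 regardless of path (so the response itself leaks nothing about configuration), and the "is the admin password still the default?" fact is only ever surfaced to an authenticated admin as a forced-change flag. This is an added example, not Linksys firmware; the paths `/api/devices` and `/api/admin-status`, the `X-Session` header, the device table and the placeholder default password are all constructed for illustration.

```python
"""Router admin API handler with authentication and no unauthenticated leaks.

Added example (not Linksys code). The session store, device table, paths and
request shape are constructed for illustration.
"""
import hmac
import secrets
from typing import Optional

# Constructed placeholder for a vendor default; a real value is page-specific.
DEFAULT_ADMIN_PASSWORD = "admin-default-placeholder"

# Constructed device table of the kind the unprotected API exposed.
DEVICES = [
    {"name": "laptop", "mac": "00:11:22:33:44:55", "os": "Linux"},
    {"name": "phone", "mac": "66:77:88:99:AA:BB", "os": "Android"},
]


class RouterApi:
    def __init__(self, admin_password: str):
        self._admin_password = admin_password
        self._sessions = set()

    def login(self, password: str) -> Optional[str]:
        """Return a session token on success, None on failure (no detail)."""
        if not hmac.compare_digest(password.encode(), self._admin_password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions.add(token)
        return token

    def change_password(self, token: str, new_password: str) -> bool:
        """Only an authenticated admin may rotate the credential."""
        if not self._authorized({"X-Session": token}):
            return False
        if hmac.compare_digest(new_password.encode(), DEFAULT_ADMIN_PASSWORD.encode()):
            return False  # refuse to 'change' back to the default
        self._admin_password = new_password
        return True

    def password_is_default(self) -> bool:
        return hmac.compare_digest(self._admin_password.encode(),
                                   DEFAULT_ADMIN_PASSWORD.encode())

    def _authorized(self, headers: dict) -> bool:
        token = headers.get("X-Session", "")
        return any(hmac.compare_digest(token, t) for t in self._sessions)

    def handle(self, path: str, headers: dict) -> tuple:
        """Dispatch a request; returns (status, body)."""
        if not self._authorized(headers):
            # Identical answer for every path: no data, no hint about config.
            return 401, {"error": "authentication required"}
        if path == "/api/devices":
            return 200, {"devices": DEVICES}
        if path == "/api/admin-status":
            # The default-password fact is shown only to the logged-in admin,
            # and only as an instruction to fix it.
            return 200, {"must_change_password": self.password_is_default()}
        return 404, {"error": "not found"}


if __name__ == "__main__":
    api = RouterApi(DEFAULT_ADMIN_PASSWORD)
    print("anonymous device list:", api.handle("/api/devices", {}))
    token = api.login(DEFAULT_ADMIN_PASSWORD)
    print("admin status         :", api.handle("/api/admin-status", {"X-Session": token}))
    api.change_password(token, "a-long-unique-passphrase")
    print("after change         :", api.handle("/api/admin-status", {"X-Session": token}))
```

The point of the uniform 401 is the one the Linksys case illustrates: an attacker who cannot log in should not be able to learn anything, not even whether the router is one of the easy ones.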

WAFs Are Failing to Adapt

Only 40 percent of organizations are satisfied with their web application firewalls (WAF), according to the Ponemon Institute report published by Cequence Security:

“The State of Web Application Firewalls report is based on data gathered from 595 organizations across the U.S. On average, they have each deployed 158 web, mobile, and API-based applications, on-premises and in the cloud.”

The rapid shift of web traffic to API traffic for mobile, web, IoT, and microservices has made it hard for WAFs to stay relevant:

  • 86 percent of WAF customers had in the last 12 months attacks that bypassed their WAF.
  • On average, customers need 2.5 full-time people maintaining the WAFs.
  • The average total cost of ownership is $620K/yr, of which $420K/yr goes to the WAF vendors.

API Security Podcast

Alissa Knight's Aite Group Radio podcast has released episode 6, devoted specifically to API security. On the podcast, Alissa and I discuss the recent API breaches, their root causes, and what could be done to mitigate them.


You can subscribe to this weekly newsletter at https://APIsecurity.io

Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.