Tag Archive for: API

Softcell partners with Salt Security, the leader in API security solutions


Softcell Technologies Global Private Limited, a leading System Integrator in India, has established a strategic partnership with Salt Security to offer API security solutions to its enterprise customers.

As the digital landscape continues to expand, safeguarding Application Programming Interfaces (APIs) has become paramount. According to a recent white paper published by the Indian Computer Emergency Response Team (CERT-In) along with Mastercard and the Computer Security Incident Response Team – Financial Sector (CSIRT-Fin), there has been a 62% increase in the number of API attacks on the Indian financial sector as of June 2023, compared to June 2022. The report ‘API Security: Threats, Best Practices, Challenges, and Way forward using AI’ states that “with this rise of digitization and API usage in the financial sector along with the availability of sensitive customer information, the financial sector is also becoming a preferred target for API attacks.” Recognizing this need to protect against API attacks, Softcell has joined forces with Salt Security, winner of the 2023 CISO Choice Awards in the API Security category. The awards are judged by a panel of distinguished CISOs from across the world.

“Softcell is proud to partner with Salt Security in delivering robust API security solutions to our clients in India,” stated Sunil Dalal, Managing Director at Softcell. “This recognition further solidifies our joint efforts in addressing the critical need for advanced security measures within the API sphere.” “Modern applications run on APIs. However, as they are highly complex and still relatively new, many companies do not have robust mechanisms in place to secure them,” said Nico Wagemans, VP EMEA, Salt Security. “As they often boast access to an organization’s most sacred assets and data, attackers are increasing their exploits against APIs at an exponential rate. As the first entrant into the API security market, we have developed a solution enriched with mature algorithms and AI to provide organizations with unmatched visibility into their API ecosystem. We are honoured to receive this prestigious recognition by industry CISOs who acknowledge the breadth…

Source…

Wallarm highlights disturbing trends in API security threats


Wallarm has released its Q3 2023 API ThreatStats report which sheds light on the escalating threats targeting APIs and revealing vulnerabilities that have impacted industry giants such as Netflix, VMware, and SAP.

The report’s revamped ‘Top 10 API Security Threats’ compilation outlines 239 vulnerabilities discovered during the quarter, with injections taking the lead.

Injections involve inserting malicious data or code into APIs, leading to unauthorised access and data breaches. Notably, SQL and XML-based attacks were prevalent, underscoring the importance of robust security measures to prevent such breaches.

33 percent of the vulnerabilities (79 out of 239) were linked to authentication, authorisation, and access control (AAA). Well-established safeguards such as OAuth, single sign-on (SSO), and JSON Web Tokens (JWT) were compromised in high-profile organisations like Sentry and WordPress.

Sentry, for its part, suffered from incorrect credential validation, potentially exposing developers’ projects to unauthorised access. WordPress was affected by broken authentication in a plugin, leaving millions of users’ data vulnerable to theft.

The report also spotlighted the concerning rise in API data leaks, ranking fourth on the list of security threats. Complex tech stacks have made these leaks more prevalent, with Netflix, VMware, and SAP falling victim.

Ivan Novikov, CEO of Wallarm, urged business leaders and cybersecurity professionals to acknowledge the gravity of these threats:

“Whether caused by malicious actors or internal carelessness, this report is a wake-up call for business leaders and cybersecurity professionals to include protection against threats to APIs and other leaks in their product security programs.

Established security frameworks, like OWASP API Security Top-10, are one way to get started but have limitations in addressing today’s complex API security needs. 

This real-time data-driven threat list complements and extends the OWASP framework by identifying unaddressed threats and vulnerabilities, enhancing overall security posture.”

Wallarm’s report serves as a wake-up call, urging…

Source…

#InfosecurityEurope: Why API Security Could Be the Next Big Thing in Cyber


In our modern digital world, application programming interfaces (APIs) have become the backbone of our personal and professional Internet use. They enable a wide range of services, from our mobile applications to the Internet of Things (IoT) and banking transactions.

APIs make up 70% of all web traffic observed by content delivery network provider Cloudflare. Akamai puts this figure at 83% of all traffic it has observed.

Additionally, API usage keeps growing: the Salt Labs State of API Security Report Q1 2023, published in March 2023, found that the average number of APIs per customer grew 82% from July 2021 to July 2022.

This makes APIs one of the top attack vectors, Mayur Upadhyaya, CEO of Contxt, said during a presentation at Infosecurity Europe.

“First, vulnerable APIs can be exposed to the public internet, leading to enumerable identities and other known misconfigurations such as the ones that make the OWASP API Top 10. Then, poor authorization of API endpoints can lead to various security issues. Finally, permissive APIs are a significant risk to businesses when developers share more data than necessary or reuse APIs for multiple purposes.”

However, Upadhyaya said that API security solutions are not widely adopted yet. “As there is no clear owner of APIs within the enterprise, there is usually not a single stakeholder that will be responsible for protecting APIs, and API security tends to be overlooked,” he added.

As a result, API security solutions have only been adopted by highly regulated industries, mainly financial services, bound to comply with regulations such as the EU’s revised Payment Services Directive (PSD2) and with standards like the Payment Card Industry Data Security Standard (PCI DSS).

Thankfully, things have recently started to change for the better, Upadhyaya continued.

For instance, IoT security regulations like the UK’s Product Security and Telecommunications Infrastructure (PSTI) bill and the EU Cyber Resilience Act have recently been adopted, meaning IoT manufacturers now have to conform to stricter standards of security, which include API protection provisions.

“We’ve also started to see more adoption pushed by the OpenID…

Source…

Hackers threaten to leak stolen data if Reddit doesn’t reverse API changes


The situation surrounding Reddit’s changes to its API continues to get even weirder. Earlier this year, a ransomware group used a sophisticated phishing attack to steal 80GB of data from Reddit. Now, ransomware group BlackCat is claiming responsibility for that hack and threatening to release that information if Reddit doesn’t reverse its API changes and pay a $4.5 million ransom…

As reported by Bleeping Computer, researcher Dominic Alvieri spotted BlackCat’s announcement today, in which the group threatens to release the data publicly if Reddit doesn’t meet its demands.

BlackCat is demanding that Reddit not only pay that $4.5 million ransom but also reverse its controversial API changes that will kill many third-party apps. BlackCat was previously waiting for Reddit’s long-awaited IPO to claim responsibility for this breach but has instead opted to seize on the ongoing controversy surrounding those API changes.

I told them in my first email that I would wait for their IPO to come along. But this seems like the perfect opportunity! We are very confident that Reddit will not pay any money for their data. But I am very happy to know that the public will be able to read about all the statistics they track about their users and all the interesting confidential data we took.

In our last email to them, we stated that we wanted $4.5 million in exchange for the deletion of the data and our silence. As we also stated, if we had to make this public, then we now demand that they also withdraw their API pricing changes along with our money or we will leak it.

Reddit publicly acknowledged the security incident back in February, saying that it was a “sophisticated and highly-targeted phishing attack.” The attackers sent “plausible-sounding prompts” redirecting employees to a website that cloned the behavior of the company’s intranet. As a result, the attackers were able to steal credentials and two-factor tokens.

Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (Pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to…

Source…