
‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector


API security is a ‘great gateway’ into a pen testing career, advises specialist in the field

INTERVIEW Securing web APIs requires a different approach to classic web application security, as standard tests routinely miss the most common vulnerabilities.

This is the view of API security expert Corey J Ball, who warns that methods that aren’t calibrated to web APIs can result in false-negative findings for pen testers.

After learning his craft in web application penetration testing in 2015 via hacking books, HackTheBox, and VulnHub, Ball further honed his skills on systems running ColdFusion, WordPress, Apache Tomcat, and other enterprise-focused web applications.

He subsequently obtained the CEH, CISSP, and OSCP certifications before being offered an opportunity to help lead penetration testing services at public accounting firm Moss Adams, where he still works as lead web app pen tester.

Recently focusing more narrowly on web API security – a largely underserved area – Ball has launched a free online course on the topic and published Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).

In an interview with The Daily Swig, Ball explains how the growing use of web APIs requires a change of perspective on how we secure our applications.

Attractive attack vector

The past few years have seen accelerating adoption of web APIs in various sectors. In 2018, Akamai reported that API calls accounted for 83% of web traffic.

“Businesses realized they no longer need to be generalists that have to develop every aspect of their application (maps, payment processing, communication, authentication, etc),” Ball says. “Instead, they can use web APIs to leverage the work that has been done by third parties and focus on specializing.”

API stands for application programming interface, a set of definitions and protocols for building and integrating application software.

Web APIs, which can be accessed with the HTTP protocol, have spawned API services that monetize their technology, infrastructure, functionality, and data. But APIs have attracted the…

US dropped ball on Navy railgun development—now China is picking it up

Photos posted by a Chinese People’s Liberation Army Navy (PLAN) observer show what appears to be an electromagnetic railgun being affixed to a PLAN tank landing ship, the Haiyang Shan. The LST is being used to test the weapon because its tank deck can accommodate the containers for the gun’s control system and power supply, according to comments from a former PLAN officer translated by “Dafeng Cao,” the Twitter handle of the anonymous analyst.

For nearly a decade, the US Navy’s Office of Naval Research (ONR) and various contractors worked to develop a railgun system for US ships. A prototype weapon was built by BAE Systems. Testing at the US Navy’s Naval Surface Warfare Center in Dahlgren, Virginia, was deemed so successful that the Navy was planning to conduct further testing of the gun at sea aboard a Spearhead-class Joint High Speed Vessel (JHSV). The program promised to deliver a gun that could fire projectiles at speeds over Mach 7 with a range exceeding 100 miles. The 23-pound hypervelocity projectile designed for the railgun, flying at Mach 7, carries 32 megajoules of energy, roughly equivalent to the kinetic energy of a 1,000-kilogram (1.1 US ton) object moving at 252 meters per second (566 miles an hour).

Biz & IT – Ars Technica

How AT&T wants to use AI as a crystal ball

AT&T uses artificial intelligence to tell if things are going wrong in its network. Soon, AI may know it before it happens.

The carrier says it has been using AI for decades in areas like call-center automation, but developed it separately for each use case as it came along. Now AT&T is pouring its AI expertise into one platform that can be used with multiple applications.

“I can’t just keep doing this one at a time. We need a foundation,” said Mazin Gilbert, assistant vice president of the company’s Inventive Sciences division, in an interview last week at the AT&T Shape conference in San Francisco.

That foundation is about two million lines of the code that powers AT&T’s Domain 2.0 software-defined network, which the carrier built so it could roll out new services more quickly and efficiently. Along with its own AI code, much of which is open source, the company is using open-source components from partners including universities and third-party vendors.

Network World Security