The IT Pro Podcast: The problem with APIs
With API attacks on the rise, knowing your attack surface is crucial

Application programming interfaces, or APIs, have become an integral part of maintaining an online business, and are often indispensable for cross-functionality and user experience.
However, the increased use of APIs has led to a rise in attacks against them, which can in turn cause breaches of company data or even full account takeovers. Improperly managed APIs are a key attack surface, and firms would do well to treat this seriously as threat actors step up their efforts at exploitation.
In this episode, Rory and Jane are joined by Yaniv Balmas, VP of security research at Salt Security, to discuss the risks that come with using APIs and how to mitigate them.
Highlights
“When you're speaking a different language than the service is expecting to hear, there could be one of many, many, many issues that will follow starting from very simple things like, you know, simple error page or server crash or something like that. And ranging up into, you know, information disclosure, full account takeovers, and stuff like that.”
“As time passes, yeah, more attackers join this API attacking club, and that's why we see this increase. And if you're asking my predictions on the future I don't see that stopping or, you know, start being in lower volumes. Quite the opposite.”
“If it's a third party tool that you're using, then you need to test it to make sure that, you know, it complies with everything and that it stops everything, all the relevant API attacks. And then finally, once you've deployed your solution, that's not enough because this world is constant, it's dynamic. It's constantly changing. There are always new attacks, every day you hear about new techniques and a new attack.”
Read the full transcript here.
Footnotes
- 90% of businesses experienced API security vulnerabilities in 2020
- Research: Luxury cars and emergency services vehicles vulnerable to remote takeover
- Hyundai vulnerability allowed remote hacking of locks, engine
- 4 Things to Know about Your Car and API Security
- The API economy: What your business needs to know
- T-Mobile customers at heightened risk of phishing attacks in wake of data breach
- Twitter API keys found leaked in over 3,200 apps, raising concerns for linked accounts
- Could APIs be your business' secret weapon?