Archives Mamoon Yunus

API Security and MySQL — A match made in Hell

By | Date posted: August 30, 2017

What do API Security and MySQL have in common? Not much one hopes, especially if you are responsible for implementing enterprise-wide API Security.

When picking any security product, particularly an API Security Gateway, an enterprise should carefully evaluate the architecture and components of the product that it’s purchasing. If the components such as Operating System, PKI security stack and policy storage mechanisms are not secure, then an enterprise is increasing its API attack surface area rather than mitigating it through an API Security Gateway.

And please don’t have your security policies stored in a database such as MySQL — a prime target for hackers. If you security policies are stolen, your entire enterprise API ecosystem is compromised.

Alexei Balaganski‘s article — “The Cargo Cult of Cybersecurity” — critiques our false sense of security. We spend billions of dollars (120 Billion in 2017) on cybersecurity products that are poorly developed, improperly or never deployed, and rarely tested by a third party. By doing so, we are creating a false sense of security.

Here is an excerpt from Alexei’s article:

However, the exact reason for my today’s rant is somewhat different and, in my opinion, even more troubling. While reading the documentation for a security-related product of one reputable vendor, I’ve realized that it uses an external MySQL database to store its configuration. That got me thinking: a security product is sold with a promise to add a layer of protection around an existing business application with known vulnerabilities. However, this security product itself relies on another application with known vulnerabilities (MySQL isn’t exactly known for its security) to fulfill its basic functions. Is the resulting architecture even a tiny bit more secure? Not at all – due to added complexity it’s in fact even more open to malicious attacks.

For complete article, see: The Cargo Cult of Cybersecurity.”

Four Pillars of API Security

By | Date posted: August 18, 2017

API Security is complex! Vendors like Forum Systems, IBM, CA and Axway have invested almost 2 decades of engineering effort and significant capital in building API Security stacks to lockdown APIs. The API Security stack diagram shown below is essential for rapidly locking down APIs. In this article, we review “The Four Pillars of API Security” — SSL, Identity, Content Validation and Architecture.

API Security Stack

Before addressing the Four Pillars of API Security, it is essential to recognize that a robust PKI is a must for enterprise-grade API Security. Without proper key life-cycle management, the API Security Pillars cannot be built.

Once a solid PKI foundation is in place, an organization can build API Security Pillars on this foundation. Without a robust PKI foundation to stand on, API security pillars will collapse. With a solid foundation and strong pillars, a corporation’s API attack surface area is significantly reduced. To deploy API Security, we recommend the following four pillars:

Read more

API Security – Taking the plunge

By | Date posted: August 10, 2017

Dear Readers:

Forum Systems and the security community need your help in raising API Security awareness. Forum Systems has been at the forefront of API Security for over 16 years. Our relentless efforts in educating IT professionals on how best to expose their IT assets securely via APIs has paid off: OWASP has recognized API Security as a Top 10 vulnerability as a part of its 2017 Release Candidate 1 (RC1).

OWASP has finally dipped its toes into the API Security waters. The API waters run deep and can sink every enterprise IT component with security vulnerabilities that impact network devices, load balancers, application servers, ESBs, databases and even legacy mainframe systems. No component is immune since almost all components expose their functionality via APIs.

It is for this reason we are asking your help in reinforcing the need for API Security.

The OWASP 2017 RC1 includes A10 – Unprotected APIs. We believe that A10 should be ratified in the OWASP Top 10 2017 to ensure that API vulnerabilities are actively addressed by the security community.

You can help ratify A-10 in OWASP 2017 by:

For example, see the excellent and very polite discussion on the emphasizing XXE.

Thank you for your efforts, we look forward to continuing our work with security thought leaders and the API community in making enterprise and cloud APIs secure.

-Forum Systems

API Security and OWASP Top 10

By | Date posted: August 7, 2017

API Security and OWASP Top 10 are not strangers. Many years ago (circa 2009), we presented our test results on Techniques in Attacking and Defending XML/Web Services. Fast forward to 2017, OWASP has recognized API Security as a primary security concern by adding it as A10 – unprotected APIs to its list of top 10 vulnerabilities facing web applications. Forum Systems has been at the center of building solutions that address API Security and looks forward to further working with security thought leaders in making enterprise and cloud APIs secure.

API-Security
Read more

Three Federated API Requirements for Enterprise Cloud Computing

By | Date posted: May 15, 2014
API-100

Successful enterprise API implementations are built on a set of localized, project-level efforts with services that have clearly identified and accountable business and technology owners. Ownership defines an API domain. Deciding what services are core to a business owner and should be implemented within the owner’s API domain versus consumed from a third-party API domain becomes a critical part of building a Federated API.

Read more

OpenSSL is Fṓṝked

By | Date posted: May 12, 2014
Heartbleed

The flensing began rather quickly with the OpenBSD team cleaning up 90,000 lines of code within a week of Heartbleed.  OpenSSL then got royally fṓṝked by OpenBSD and LibreSSL was born.  The divergence between OpenSSL and LibreSSL continues while OpenSSL fights against change and LibreSSL tries to modernize and flense the OpenSSL codebase.

Read more

Load balancers that use OpenSSL

By | Date posted: April 18, 2014
Heartbleed

A list of market leading load balancers that use OpenSSL to protect HTTP and FTP traffic includes F5, Citrix, Radware, Riverbed, and Barracuda.  Load balancers spread traffic amongst multiple servers and enable high availability for business transactions. They serve as a central conduit for critical business transactions. The load balancer vendors have done a good job in patching their products to prevent the latest OpenSSL vulnerability: Heartbleed.

Read more

Forum Systems Exec running Boston Marathon 2014

By | Date posted: April 17, 2014
sentry-100

Boston Marathon 2014 is special.  For many years, this event has been the grand slam of marathons, an elite race for many around the world.  This year, it has changed from a symbol of an individual’s physical strength and endurance to an icon of a community’s emotional connection and camaraderie.  Reflecting this spirit, Forum Systems’ Director of Marketing, Chris Pisarkiewicz, is running the Boston Marathon as a tribute to Boston’s first responders.

Sarah Castanellos, Technology Reported, Boston Business Journal published a piece: Why these tech execs and employees are running the Boston Marathon, in their own words

Chris Pisarkiewicz, director of marketing at Newton-based API and cloud gateway technology firm Forum Systems is running his first-ever marathon on Monday along with his fiance.

“This year is special to me because the events that took place last year hit close to home,” he wrote in an email. “Every year my future father-in-law, a Boston fireman, runs the marathon with the Boston Fire Department. Last year, my fiancé and I were two blocks from the finish waiting for him to run by when the bombs went off. It was an experience I’ll never forget and it’s particularly important to me to be running with the BFD as a tribute to first responders.”

 

Heartbleed exposes privates

By | Date posted: April 14, 2014
Heartbleed

This is as serious as it gets. Heartbleed exposes your corporate private keys. Your crown jewels, your keys to the castle….well you get the idea. Your corporate privates are indeed exposed, they may not have been stolen yet, but they are unequivocally exposed through Heartbleed. It took researches less than 3 hours to extract private keys from a server as a result of a challenge issued by CloudFare.

Read more