HostingAdvice – API Security By Design

By | Date posted: October 3, 2019


“…Application programming interfaces (APIs) — or sets of instructions that allow apps to interact with one another — are popular because they reduce coding time, serve as a consistent baseline for many apps, and help spur innovation.

But, as with many things in life, they have a downside: More and more, we see APIs targeted as some of the most vulnerable points of modern infrastructure. In August 2017, for example, reporters revealed that hackers had exploited an unauthenticated API on the Panera Bread website to leak the personal data of 37 million customers.

The problem, according to Jason Macy, CTO of Forum Systems, is that lightweight API gateways and software-based identity enforcement points aren’t purpose-built to protect API endpoints or the technology serving integration points…”

Read full article on HostingAdvice.com


Autonomous Security in Containers

By | Date posted: August 28, 2019

“With the advent of DevOps, the development world has quickly moved to agile development practices and containerized applications. At Forum Systems, we have responded to this trend by putting our API security software, Forum Sentry, into virtual form factors such as Amazon Machine Image, Azure Image, VMware Image, Linux, Windows and Docker….”


Why Containerize API Security?

“Container technology such as Docker has become a popular means to deploy API micro-services, a collection of loosely coupled services which are fine-grained and lightweight. The move toward virtual and cloud was initially driven by fully virtualized images with their own operating system, but the adoption of lightweight services and on-demand environments has led to widespread adoption of container technologies run on a shared operating system. These container architectures provide flexibility and ease of deployment, but come with the same set of API risks.”

Read full article on DevOps.com

API and IAM security – Product vs Toolkit

By | Date posted: June 26, 2019

Marketing departments are great at capitalising on the latest industry trends. Whether it’s slapping the ‘cloud’ badge onto their product or putting ‘security’ in their verbiage to appease their customers, it is a common marketing approach to reposition a product in a way that will improve sales. In the current era of conglomerate-acquired technologies, large-scale marketing departments will pay top dollar to get air cover from analysts (such as paying for a dot on the Gartner Magic Quadrant) to claim universal capabilities in niche market segments.

The term ‘security’ when used in the context of application programming interface (API) and identity access management (IAM) solutions doesn’t always mean what you might expect.

Many frameworks aimed at these areas are often little more than increasingly large collections of features built on a baseline that is inherently insecure, argues Jason Macy of Forum Systems. Security products are built with a locked-down architecture with self-integrity checks to ensure that the product itself cannot be compromised. And the two functions are being combined in technology known as an API security gateway.

Read full article on Science Direct journals

13 data breach predictions for 2019

By | Date posted: December 19, 2018

…“Data breaches are inevitable at any organization. But what form will those breaches take? How will the attackers gain access? What will they steal or damage? What motivates them to attempt the attacks? CSO has gathered predictions from industry experts about where, how and why cyber criminals will attempt to break into networks and steal data during the coming year.”
Senior Editor, CSO

1. Biometric hacking will rise

The growing popularity of biometric authentication will make it a target for hackers. We will likely see breaches that expose vulnerabilities in touch ID sensors, facial recognition and passcodes, according to the Experian Data Breach Industry Forecast. “Expect hackers to take advantage not only of the flaws found in biometric authentication hardware and devices, but also of the collection and storage of data. It is only a matter of time until a large-scale attack involves biometrics either by hacking into a biometric system to gain access or by spoofing biometric data. Healthcare, government, and financial industries are most at risk,” said the report’s authors.

2. A cyber attack on a car will kill someone

The ability to hack and take control over a connected vehicle has been proven. Such a hack can not only turn off the car’s engine but disable safety features like…

Continue to read full article on CSO

API Security Critical to Federal IT Modernization Strategy

By | Date posted: December 5, 2018

…As Federal agencies seek to incorporate an application programming interface (API) strategy into their IT modernization initiatives, a word of caution: make sure you have API-specific security integrated into your IT infrastructure.

“Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities,” according to the OWASP report.

OWASP has identified five key steps for protecting APIs. The organization recommends that agencies fully understand the threat model and the defenses they have in place, especially as it concerns the often-overlooked APIs that tie everything together. Its specific advice can be broken down into five major points:

  1. Ensure that you have secured communications between the client and your APIs.
  2. Ensure that you have a strong authentication scheme for your APIs, and that all credentials, keys, and tokens have been secured.
  3. Ensure that whatever data format your requests use, that the parser configuration is hardened against attack.
  4. Implement an access control scheme that protects APIs from being improperly invoked, including unauthorized function and data references.
  5. Protect against injection of all forms, as these attacks are just as viable through APIs as they are for normal apps.

Read full article in Meritalk

Public Cloud API Security Risks: Fact or Fiction?

By | Date posted: November 28, 2018

…Most cloud services use multi-tenant API gateways (meaning shared across different customers and applications) to identify and verify users, as well as to act as the single point of entry across many disparate APIs.

There is an obvious problem here in that the very location that is designed to share information is also the same place that needs to be most highly protected and secured.

The growth in the public cloud worldwide shows no sign of slowing down, with the market predicted to be worth around 160 billion U.S. dollars by 2020. And this trend has become even more widespread in the UK since the introduction of the Government’s Cloud First policy in 2013, which aims to make the cloud the default choice for a variety of computing services. While the UK Government’s Austerity Programme has had some effect on take-up, the overall trend is still consistent. Many UK departments have already made this decision based on risk management assessments.

Migration to the cloud essentially means moving sensitive government data to a third-party infrastructure and often relying on that third party for security.

Read full article in Computer Business Review

Public cloud API security: How safe is our data?

By | Date posted: November 21, 2018

…APIs let applications (and devices) seamlessly connect and communicate. An API can create a seamless flow of data between apps and devices in real time.

ProgrammableWeb, a site that tracks more than 15,500 APIs, lists Google Maps, Twitter, YouTube, Flickr and Amazon Product Advertising as some of the most popular ones. APIs allow you to order pizza, book a hotel room, check the weather forecast, rate a book, or download a song. APIs make the interactivity that we expect on the internet happen – and at lightning-quick speed.

The reason APIs have become the centre point of innovation for the cloud is that they represent a consistent, standards-based means of communicating, and thus allow companies to more easily adopt APIs regardless of the disparate technologies in their architecture.

Since APIs allow simplified connection to applications and services, essentially acting as a door that anyone with the right key can enter, they also present a heightened cybersecurity risk. Most cloud services use API gateways to identify and verify users, and to act as the single entry point into the service, so, of course, this is the main focus of attack for most hackers. As APIs are connectors to the cloud, they are a veritable ‘all-you-can-eat buffet’ for hackers who seek to compromise APIs to gain access to sensitive data for fraud, theft or even blackmail…

Read full article in IT Pro Portal