2017 was a devastating year in security: Equifax, Verizon, WannaCry – enough said. Even more so, the Instagram vulnerability, OneLogin breach, Circle with Disney web filter flaws, Oracle’s Identity Manager vulnerability and Wishbone hack hit close to home, reinforcing what we’ve been preaching ad nauseam: that IAM tools and APIs remain at risk.
The good news, though, is that C-suite executives are continuing to ramp up their investments in security technologies, practices, and education. According to CEB (now part of Gartner), 2017 was the seventh consecutive year of budget increases for security, and looking ahead to 2018, Gartner predicts that information security spending will continue to grow, reaching a total of $93 billion.
In thinking ahead to 2018, we can’t help but look back. We kicked off 2017 talking about the (in)security of IoT and the infamous DDoS attack on Dyn, via the Mirai botnet, which infiltrated tens of millions of IP addresses.
What’s changed since then? Unfortunately, not as much as we’d hoped.
Forum Systems will be exhibiting at Cloud Expo Europe 2018, taking place March 21st-22nd, 2018 at the ExCel, London, UK.
Oracle recently released a Security Alert Advisory regarding a newly identified – and soon thereafter patched – vulnerability within Oracle’s Identity Manager, a user identity validation tool for granting access to enterprise systems.
The bug, referred to by Threatpost’s Michael Mimoso as one that’s “as bad as it gets,” scored a 10 on the CVSS scale – the highest severity possible. As explained via NIST’s National Vulnerability Database, the vulnerability is “easily exploitable” and “can result in a takeover of Oracle Identity Manager.”
APIs are the foundation of architecture design and modernization. Because they serve as building blocks for strategic business enablement, industry leaders have come to understand and realize the full potential of APIs. However, we continue to see instances where security controls are blissfully overlooked.
Since 1946, AFCEA has been bringing together industry experts and government agencies to provide a forum for collaboration that better aligns technology and strategy with the needs of our government and military. AFCEA is widely recognized as a hub for industry innovation and thought leadership, and Forum Systems is excited to announce that we’ve joined the non-profit international organization as an official member.
Forum Systems API Security Summit, Orlando, FL
Date: Thursday, November 9th, 2017
Time: 09:00 AM – 04:30 PM
Location: Walt Disney World Swan Hotel
Cost: The event and dinner are free
Apache Optionsbleed is yet another vulnerability in an ever-growing list of threats that target REST-based back-end applications and aim to compromise server memory. In this case, Apache’s httpd program can be compromised by using the HTTP method OPTIONS, as described here:
Forum Sentry protects against this attack, one of the many API threat vectors it covers. This particular threat vector was detailed as #3 in our “Top 10 API Threats” list. The HTTP method is heavily utilized in REST-based apps and services, where commonly used HTTP methods such as POST, GET, PUT and DELETE are used for CRUD (Create, Read, Update, Delete) services. Forum Sentry API Security policies restrict which methods are allowed. Additionally, these restrictions can be user-specific, with granular authorization that can be applied to any HTTP method.
Forum Sentry protected 100% of its customers from Heartbleed, and today protects 100% of its customers from this latest OptionsBleed vulnerability.