The importance of APIs in public cloud security: How secure do you think yours are? Jason Macy, CTO at Forum Systems, explains why cloud security is not the only form of security required for systems and applications running in the cloud.
Most cloud services use their own rendition of API gateways to serve as the single entry point into the application or service and to provide access control. Because APIs are exposed via API gateways, the gateway product itself has become the target of attack and compromise. Any hacker who can compromise the API gateway will have the ability to turn any “no” into a “yes”. The primary issue is that API gateway technologies were designed for integration, not for security. API security best practices instead use cyber-secure technology for API enablement, which performs the roles of an API gateway but includes the IAM and cyber security technologies together within the gateway itself. This product technology is known as an API Security Gateway…
Last week, Broadcom announced its intent to acquire CA Technologies for nearly $19 billion. The news left Wall Street watchers incredulous and bewildered. Some analysts wondered about the two companies’ “business synergies,” while others questioned the “strategic logic” driving the deal.
As for us, what we’re most concerned about is the very thing that continues to drive our business: you, the end user.
API security: A modern-day gold rush? Read what our CTO Jason Macy has to say about it in SC Magazine UK.
The problem with a bolt-on approach to API security is that these API frameworks and toolkits are inherently insecure by definition and were never designed with security in mind, but rather designed for integration.
APIs (Application Programming Interfaces) exist to allow enterprises to make their key resources available to developers, mobile apps, consumers and other companies. They are one of the main ways that technology companies integrate with each other and act as the gateways to all types of functionality. Think of them as being like the plug that goes into an electric wall socket – they provide a standardised way to access the power of an application.
Last month, another major identity management vendor revealed a significant vulnerability. This time it was Auth0.
While conducting its own research, Cinta Infinita discovered the vulnerability in Auth0’s Legacy Lock API. The security firm noted it “was able to bypass password authentication when logging into Auth0’s Management Dashboard by forging an authentication token.”
Well, it has happened again.
Another tech behemoth has made a massive acquisition to bolster its cloud presence – this time in the most expensive cloud software deal in history.
2017 was a devastating year in security: Equifax, Verizon, WannaCry – enough said. Even more so, the Instagram vulnerability, OneLogin breach, Circle with Disney web filter flaws, Oracle’s Identity Manager vulnerability and Wishbone hack hit close to home, reinforcing what we’ve been preaching ad nauseam: that IAM tools and APIs remain at risk.
The good news, though, is that C-suite executives are continuing to ramp up their investments in security technologies, practices, and education. According to CEB (now part of Gartner), 2017 was the seventh continuous year of budget increases for security; and looking ahead to 2018, Gartner predicts that information security spending will continue to grow, reaching a total of $93 billion.
In thinking ahead to 2018, we can’t help but look back. We kicked off 2017 talking about the (in)security of IoT and the infamous DDoS attack on Dyn, via the Mirai botnet, which infiltrated tens of millions of IP addresses.
What’s changed since then? Unfortunately, not as much as we’d hoped.
Oracle recently released a Security Alert Advisory regarding a newly identified – and soon thereafter patched – vulnerability within Oracle’s Identity Manager, a user identity validation tool for granting access to enterprise systems.
The bug, referred to by Threatpost’s Michael Mimoso as one that’s “as bad as it gets,” scored a 10 on the CVSS scale – the highest severity possible. As explained via NIST’s National Vulnerability Database, the vulnerability is “easily exploitable” and “can result in a takeover of Oracle Identity Manager.”
Apache Optionsbleed is yet another vulnerability in an ever-growing list of threats targeting REST-based back-end applications and aimed at compromising server memory. In this case, Apache’s httpd server can be compromised by using the HTTP OPTIONS method, as described here:
Forum Sentry protects against this attack as one of the many API threat vectors that Sentry protects against. This particular threat vector was detailed as #3 in our “Top 10 API Threats” list. HTTP methods are heavily utilized in REST-based apps and services, where commonly used methods such as POST, GET, PUT and DELETE map to CRUD (Create, Read, Update, Delete) operations. Forum Sentry API Security policies restrict which methods are allowed. Additionally, these restrictions can be user-specific, with granular authorization that can be applied to any HTTP method.
Forum Sentry protected 100% of its customers from Heartbleed, and today protects 100% of its customers from this latest Optionsbleed vulnerability.