Archives Jason Macy

Money Mule(Soft): Salesforce Acquires API Integration Company for $6.5 Billion

By | Date posted: March 28, 2018

Well, it has happened again.

Another tech behemoth has made a massive acquisition to bolster its cloud presence – this time in the most expensive cloud software deal in history.

Last fall, it was Google gobbling up Apigee; this week, it’s Salesforce subsuming MuleSoft.

Alliteration aside, what’s the significance of this latest deal, both for the broader industry and for Forum Systems’ customers and partners?

IAM Attacks, IoT Hubs and API Security Spend, Oh My! We Present Our 2018 Predictions

By | Date posted: December 20, 2017

2017 was a devastating year in security: Equifax, Verizon, WannaCry – enough said. Even more so, the Instagram vulnerability, OneLogin breach, Circle with Disney web filter flaws, Oracle’s Identity Manager vulnerability and Wishbone hack hit close to home, reinforcing what we’ve been preaching ad nauseam: that IAM tools and APIs remain at risk.

The good news, though, is that C-suite executives are continuing to ramp up their investments in security technologies, practices, and education. According to CEB (now part of Gartner), 2017 was the seventh continuous year of budget increases for security; and looking ahead to 2018, Gartner predicts that information security spending will continue to grow, reaching a total of $93 billion.


Identity Divorces Security…Again—The Oracle Edition

By | Date posted: November 14, 2017

Oracle recently released a Security Alert Advisory regarding a newly identified – and soon thereafter patched – vulnerability within Oracle’s Identity Manager, a user identity validation tool for granting access to enterprise systems.

The bug, referred to by Threatpost’s Michael Mimoso as one that’s “as bad as it gets,” received a CVSS score of 10 – the highest severity possible. As explained in NIST’s National Vulnerability Database, the vulnerability is “easily exploitable” and “can result in a takeover of Oracle Identity Manager.”


Forum Sentry API Security Gateway protects all customers against Apache OptionsBleed

By | Date posted: September 22, 2017

Apache OptionsBleed is yet another vulnerability in an ever-growing list of threats targeting REST-based back-end applications with the aim of compromising server memory. In this case, Apache’s httpd server can be compromised through requests using the HTTP OPTIONS method, as described here:

– https://nakedsecurity.sophos.com/2017/09/19/apache-optionsbleed-vulnerability-what-you-need-to-know/
– https://arstechnica.com/information-technology/2017/09/apache-bug-leaks-contents-of-server-memory-for-all-to-see-patch-now/

Forum Sentry protects against this attack as one of the many API threat vectors that Sentry covers. This particular threat vector was detailed as #3 in our “Top 10 API Threats” list. HTTP methods are heavily used in REST-based apps and services, where POST, GET, PUT and DELETE commonly map to CRUD (Create, Read, Update, Delete) operations. Forum Sentry API Security policies restrict which methods are allowed. Additionally, these restrictions can be user-specific, with granular authorization that can be applied to any HTTP method.

Forum Sentry protected 100% of its customers from Heartbleed, and today protects 100% of its customers from this latest OptionsBleed vulnerability.


Instagram API Security – Too Little Too Late

By | Date posted: September 1, 2017

The Instagram API vulnerability was exposed via a REST API used by the Instagram mobile app to perform password resets. By capturing the request format that the Instagram app used for the password reset, a brute-force attack was then created to iterate permutations against this API and extract information about other users, which was returned in JSON format.

This attack was possible because of the lack of API security mechanisms protecting the API. An Instagram spokesman told Fox News, “We fixed the bug swiftly and are running a thorough investigation.” Guess what: too little, too late! With API breaches, the damage is done.

This is precisely why API Security should not be left solely in the hands of API developers. Developing secure APIs is certainly the right intent and approach, but there is simply no way that developers should be tasked with understanding and protecting against all of the security threat vectors that exist in the API realm. This would be akin to foregoing a corporate firewall, and instead just relying on your developers to prevent network attacks.

API breaches represent the continuing saga of cloud and mobile applications being exposed by API development toolkits that do not have inherent API security capabilities enabled. This is largely because API developers are not security specialists and API toolkits and API Management platforms are not security platforms. This increasing trend of API vulnerabilities will continue until the industry recognizes the need for API Security Gateway technology to protect their APIs. If you have a Web Application, you use a Web Application Firewall (WAF) to protect it, you don’t rely on your developers to protect the application. If you have an API, you use an API Security Gateway to protect it, you don’t rely on your developers for this.

The API Security wake-up call is growing louder each day, breach by breach.

Cloud(ed) Judgment: OneLogin’s Breach Continues to Fuel the Security Debate

By | Date posted: June 26, 2017

When it comes to the next big data breach, it’s never a matter of if, but a discussion of when.

This time, the target was identity and access management firm OneLogin, which recently shut down its U.S. data center due to compromised Amazon Web Services (AWS) keys. With the company serving more than 2,000 enterprises across 44 countries, the incident has been referred to as a “massive leak” and once again raised questions about cloud security.

As we continue to learn, everything that the cloud represents is great… until it’s not.

The President’s New EO Gets the Gist of NIST

By | Date posted: June 8, 2017

President Trump introduced his long-awaited Cybersecurity Executive Order last month. While some focused on its similarities to EO 13636 issued by the Obama administration more than four years earlier, we were more concerned with, and quite frankly, excited by, the fact that it (rightly) cast a renewed spotlight on the National Institute of Standards and Technology (NIST) Framework.


Trust, but Verify: The Missing Link in IAM

By | Date posted: May 18, 2017

Identity and Access Management (IAM) is well-entrenched in enterprise and government infrastructures.

However, in our API-driven world, merely establishing a “trusted user” – e.g., a device or a person – and granting them access to information provides an incomplete security profile. Lacking the ability to inspect the bidirectional flow of data traversing our modern computing architectures, IAM technologies cannot answer the two most critical questions about trusted users:

What information are they bringing into the network?

What information are they removing from the network?


PSD2: An Open Concept in Banking Mandating the Use of APIs

By | Date posted: April 25, 2017

A revolution is occurring in European banking and APIs are leading the way.

Adopted in 2007, the Payment Services Directive (PSD) “provides the legal foundation for an EU single market for payments, to establish safer and more innovative payment services across the EU.” Legislated by the European Commission, the objective of the PSD “is to make cross-border payments as easy, efficient and secure as ‘national’ payments within a Member State.”

To accommodate the rapid rise of new online payment providers – third-party payment providers (TPPs) – the European Commission proposed a revision in 2013. Building on the PSD’s key principles, PSD2 was ‘born’ to make payments safer and more secure, enhance consumer protection, foster innovation and promote competition while ensuring a level playing field for all payment service providers.

PSD2 has been in force since 2016, and EU Member States must implement it by January 2018.
