Security News

A novel timing attack discovered against the npm's registry API can be exploited to potentially disclose private packages used by organizations, putting developers at risk of supply chain threats. The Scoped Confusion attack banks on analyzing the time it takes for the npm API to return an HTTP 404 error message when querying for a private package, and measuring it against the response time for a non-existing module.

Cequence Security released its first half 2022 report titled, "API Protection Report: Shadow APIs and API Abuse Explode." Chief among the findings was approximately 5 billion malicious transactions targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, making this the top threat challenging the industry. Top threat #1: 31% of all malicious attacks target shadow APIs.

In this Help Net Security video, Shay Levi, CTO at Noname Security, discusses the findings from a recent API security report, which reveals a growing number of API security incidents, a concerning lack of API visibility, and a level of misplaced confidence in existing controls. 76% of senior security professionals experienced an API security incident in the last year.

Authenticating an API requires the developer to have a complete understanding of the transaction - from the user interaction through to the outcome - so it requires them to go beyond the limits of the API specification itself. These range from HTTPS and a username and password to API keys which generate a unique string of characters for each OAuth authentication request, which sees developers use a well-known authorization framework to automatically orchestrate approvals.

Introducing the book: Project Zero TrustIn this Help Net Security video interview, George Finney, CSO at Southern Methodist University, talks about his latest book - "Project Zero Trust: A Story about a Strategy for Aligning Security and the Business". How the CIO's relationship to IT security is changingIn this Help Net Security video, Joe Leonard, CTO at GuidePoint Security, illustrates how the role of the CIO is changing as cybersecurity priorities and responsibilities are creeping into the job description.

It's hard to write good API specifications, and since most API gateways use them as IAC, they should be carefully checked for common mistakes. Writing an API that sticks to the original design is extremely difficult, and it must be validated because it differs from the original spec in some places.

The application programming interface has been around pretty much as long as computing itself, but it's perhaps only since the early years of the millennium that its use exploded with a mass shift to web applications. So much so that many of the most popular applications we all use on a daily basis would stall without them.

Noname Security announced the findings from its API security report, "The API Security Disconnect - API Security Trends in 2022", which revealed a rapidly growing number of API security incidents, concerning lack of API visibility, and a level of misplaced confidence in existing controls. 76% of respondents have suffered an API security incident in the last 12 months, with these incidents primarily caused by Dormant/Zombie APIs, Authorization Vulnerabilities, and Web Application Firewalls.

Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware. The Kinsing actors have also been involved in campaigns against container environments via misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently spread the malware to other containers and hosts.

How can you protect your APIs from bots and bot attacks? Keep reading to learn effective ways for API bot detection and protection. Why is the risk of bot cyberattacks on APIs so high and common? 40% of organizations reported that more than half of their applications are exposed to third-party services or the internet owing to APIs.