The post Powering ServiceNow Vulnerability Response with Complete and Accurate Data for All Devices appeared first on Security Boulevard.

Hard work is exactly why Salt is an Overall Leader in the latest KuppingerCole API Management and Security Leadership Compass and why we stand out among the pack of 20 vendors that range from well-established big-names to new entrants in the market. According to the author Alexei Balaganski, all 20 claim to provide at least some API security capabilities, but despite their claims, Salt is a leader, and here’s why.‍

Focus is critical

While all vendors covered in the Leadership Compass claim some level of API security capabilities, for most, the main focus remains on API management. Security in these platforms includes authentication, authorization, encryption, and rate-limiting - all foundational but not enough to protect against top API threats.

The market is quickly coming to terms with the need for focused solutions that protect APIs beyond the basic capabilities. One sign of enlightenment is Gartner’s latest report, Advance Your Platform-as-a-Service Security, highlighting API security as a new, distinct pillar in their updated reference architecture. 

The new API Security pillar sits among Control Plane Security, Data Plane Security, and Internet Edge Security, a category that includes traditional tools such as WAFs, WAAPs, and API gateways - clearly highlighting that these tools fall short of protecting APIs and focused solutions are needed. You can read more about Gartner’s latest reference architecture and what it means for API security in our blog here.

What makes a leader

In short, it’s our hard work, laser focus on API security, track record of innovation, and our growing customer base. More specifically, as Alexei writes, Salt stands out for:

A strong focus on runtime protection

‍We’ve been focused on runtime protection from day one, seeing that pre-production efforts and existing app security tools weren’t enough to protect APIs. We took a new look at the problem, built a platform based on big data, AI, and ML, and got a patent for our approach to identifying and preventing malicious API attacks.

No signatures, configuration, or training

‍Each API is unique, and so are its vulnerabilities meaning that signatures are irrelevant. Relying on configuration or training is an approach that can’t keep up with rapid API changes. Automation is the only way, and our approach based on continuous analysis of API traffic gives our platform an understanding of each API’s unique behavior and the context needed to pinpoint attackers and stop attacks.

Automatic and continuous discovery

‍We all know you can’t protect what you can’t see. By analyzing API traffic, Salt discovers all your APIs, including the unknown ones (shadow and zombie), uncovers the granular details, highlights sensitive data exposure, alerts to changes, and maintains an API catalog. With Salt Discovery, you always have an up-to-date view of your attack surface and an accurate understanding of risk.

Security across the full API lifecycle

‍Runtime protection is essential, but without eliminating vulnerabilities, you’re stuck playing a virtual game of whack-a-mole. That’s why we turn attackers into penetration testers, learning from their actions as they probe your APIs and sending insights to dev teams for quick remediation of gaps. We also help identify gaps early in the dev cycle, enabling developers to harden APIs before release.

Customers say it all

Another area where Salt leads is in the Market category that looks at customers and product adoption. Not only are we the only pure-play API security vendor in this leader category, we’re also among big-name vendors with arguably a strong market presence. Our leadership here reflects our hard work and traction in the market and reinforces the previous point highlighting the need for focused API security solutions. 

‍A leader any way you slice it

Looking at multiple criteria is another way the report evaluates vendors. The view above combines the Market and Product categories showing how each vendor stacks up with market penetration and product capabilities. Salt sits above the line as an "overperformer," while vendors below lack customer adoption and platform features. 

Why focus matters

Salt leads the pack again in the combined view of Market and Innovation. Although we’re not above the line with other well-known vendors, it’s our customer traction and continued innovation in our product that makes us stand out. With API security being a rapidly evolving market segment, innovation is critical to meet emerging challenges and ensure the best protection possible.

We’re honored to be recognized by Alexei and the KuppingerCole team in this report for our hard work and leadership in API security. If you want to learn more about the Salt solution, why we were a leader in API security, and how to protect the APIs critical to your business, connect with us for a personalized demo.

The post Salt is Leading the Pack in API Security appeared first on Security Boulevard.

At Salt Security we’re committed to security and we continually invest in our platform to ensure that were innovating and delivering leading edge features to keep our customers protected.  We also think it’s as important to invest in keeping our service secure and in turn our customers’ data in our service protected.

Today we’re proud to announce that Salt Security has completed our SOC 2 audit.  This is a big effort for any organization and shows not only our commitment to securing our service but also shows our commitment to protecting our customers’ critical data.  With Salt being a cloud hosted service we think it’s imperative that our customers know that we take security seriously and their data is safe in our cloud.

In the process of going through the SOC 2 audit our service is evaluated for the protections, process  and controls that we have in place, our development practices, and ongoing activities that we employ to ensure our service and your data is secure.  This is not a one time thing for us as Salt but rather an ongoing effort to show our commitment to what we do to the best of our ability with security first and foremost.

We’re really excited to take this step as a company to show our commitment to API Protection and our customers.  As we continue to innovate, SOC audits and other certifications will be an important part of our commitment to you, our customers.

‍

The post We’re Committed To Security and Have SOC 2 To Prove It appeared first on Security Boulevard.

Before getting into the details of what Salt does to protect GraphQL APIs, we’ll set the stage with some background on GraphQL to provide the foundation for why this query language creates unique challenges for security.‍

GraphQL efficiencies‍

GraphQL is one of the up-and-coming technologies in the world of APIs. Brought to life at Facebook in 2012, GraphQL provided a way to overcome some of the limitations of REST and meet the demands for the highly interactive Facebook mobile app. Three years later, in 2015, GraphQL was released to the world, and in 2018 the GraphQL Foundation was established to shepherd the project and advance the specification.

Unlike REST which is an architectural style for APIs based on a set of design principles, GraphQL is a query language built on a standard specification that provides a complete and understandable description of the data in a GraphQL instance.

Developers use GraphQL for the same reasons Facebook was motivated to create it. Efficiency. One of the primary efficiencies developers take advantage of with GraphQL is the ability to query the exact data their apps need to overcome the challenges of REST overfectching or underfetching data. 

With REST, developers have to build client-side functionality to either filter out over fetched data or request more data in the case of underfetching. Both scenarios increase development time with the need to build functionality and compensate for the shortcomings of REST.

Apps are impacted by REST’s shortcomings too. Adding functionality to filter or request more data results in more code and a bigger app footprint while impacting app performance and consuming more infrastructure resources. 

With GraphQL, developers innovate faster and build more efficient, responsive, lightweight apps.‍

Realities of GraphQL adoption‍

GraphQL efficiency is a big draw, but that doesn’t mean GraphQL is a good fit for every developer, every app, and every use case. GraphQL is indeed seeing rapid adoption, but as seen in The State of API Report 2020 from SmartBear, GraphQL adoption is still well behind REST. 

In reality, GraphQL is not a wholesale replacement for REST, and the two will likely be found together in most environments for years to come. The top three reasons are:

• GraphQL and REST each have their place - GraphQL is best for front-end use cases, especially those that require a highly responsive user experience, a common requirement for mobile and single-page apps (SPAs). GraphQL is not optimized for back-end use cases, so it's common to find GraphQL on the front-end with REST on the back-end. Also, many current apps use REST, and the effort to retool and retrain developers outweighs the benefits GraphQL offers.
• A steep learning curve - GraphQL has a standard specification that defines the consistency and predictability needed to enable its efficiency. Developers must take the time to learn the GraphQL way, which includes learning a new vocabulary of terms and new syntax for schema definitions and queries. GraphQL also requires proper coordination between developers, implementers, and back-end service owners to ensure each GraphQL instance is implemented and used correctly. For organizations already using REST, getting developers trained and teams coordinated can be a lower priority behind pushing out apps using technologies already in place.‍
• New tooling and management needs - GraphQL is about a decade behind REST and lacks the healthy development community and mature tool ecosystem needed to build, deliver, and support APIs throughout the entire lifecycle. Tools currently used for REST provide partial capabilities at best but lack the native functionality required for scale. Teams using GraphQlL are left to compensate for the shortcomings of their current tools with manual efforts as tools with native support emerge.‍

GraphQL security misconceptions‍

A common misconception is that GraphQL APIs are more secure when compared to REST. The reality is that GraphQL is susceptible to many of the same vulnerabilities as REST and comes with its own list of unique pitfalls. Developers like GraphQL for its efficiencies, but these efficiencies can also create unique opportunities for attackers. Some of the common security pitfalls of GraphQL include:

• Introspection - If not turned off or restricted in production, attackers get visibility into the schema, supported queries, and the entire layout of databases. If documentation is available, attackers also have access to detailed descriptions of every query supported, including the hidden ones.
• Verbose errors - Like introspection, errors must be properly configured and restricted in production to keep attackers from using details returned in error messages to understand the schema and build valid queries.
• Access controls - Each layer of the graph requires a distinct set of access controls, creating complexity and potential for errors. If access controls are missing or not properly implemented, attackers can exploit these gaps and target many of the threats defined in the OWASP API Security Top 10.
•  Injection - GraphQL is simply a layer between the client and databases. Without proper controls, attackers can still target REST proxies and other infrastructure with SQLi, NoSQL injection, OS Command, SSRF, and CRLF attacks.
• Rate limiting - Batched queries are efficient for developers but are a risk without properly configured limits. An attacker can batch multiple queries with 2FA tokens in a single request to target authentication mechanisms while bypassing all traditional rate-limiting controls.‍
• Denial of Service - Nested queries are another efficiency for developers that require properly configured limits. An attacker can bypass traditional security controls and cause a denial-of-service (DoS) with a single request containing an excessive number of nested queries.

Another misconception is that current API security tools and controls can secure GraphQL APIs. In reality, without native support to understand the complexities of GraphQL, traditional security controls provide limited protection at best and leave teams with a false sense of security.

GraphQL has a unique structure and capabilities, and this results in unique challenges when it comes to security. Awareness of the unique pitfalls and vulnerabilities is needed to help teams properly secure GraphQL deployments, and education is needed to help developers apply best practices when building GraphQL APIs. 

DevOps teams can’t do it alone. They need to move fast and release new code, and vulnerabilities will slip through to production, with many only found at runtime. Tools with native GraphQL support are needed to complement DevOps security efforts, protect APIs at runtime, create a feedback loop for continuous hardening, and support rapid innovation.‍

Protecting GraphQL APIs with Salt‍

With native support for GraphQL, we understand the unique capabilities, pitfalls, and challenges required for security. Our patented platform with big data, AI and ML understands the complex structure of each GraphQL query to gain the context required to secure GraphQL APIs. 

All the capabilities that you expect from Salt to protect your REST APIs are now extended to GraphQL giving you a single platform to protect all of your APIs. With Salt you can now:

• Discover all GraphQL APIs automatically and continuously including shadow (unknown) and zombie (outdated) APIs to maintain a single view of your entire API landscape and eliminate blind spots.
• Uncover GraphQL APIs expose sensitive data such as PII and understand when exposure changes to maintain a complete view of risk and meet compliance requirements.
• Prevent attacks targeting GraphQL APIs by leveraging Salt big data, AI, and ML to establish a baseline for each GraphQL API and gain the context needed to pinpoint and stop attackers early in their reconnaissance.

• Eliminate GraphQL vulnerabilities with insights from across the API lifecycle to help teams continuously improve security and ship more secure APIs.

At Salt we never stop taking on new challenges and never stop innovating, laser focused on our mission to make all APIs attack proof. To learn more about Salt and how we can stop attacks targeting GraphQL and secure all your APIs, reach out to schedule a personalized demo.

‍

The post Salt Continues to Lead API Security With Innovation to Protect GraphQL APIs appeared first on Security Boulevard.

Such tactics have indeed helped organizations improve their security posture, but in APIs as in most applications development areas, improving security during build and initial deployment cannot provide the full answer. Security in production or runtime mode is still essential. Consider the number of high-profile API breaches and vulnerability disclosures at organizations including Uber, T-Mobile, Panera Bread, Verizon, Facebook, USPS, Google, and many others. We can assume that these organizations have sophisticated development practices, security-conscious developers, and tools to improve security at multiple steps along the development lifecycle – attackers still found a way in, and these companies ended up in the news.

It’s inevitable that gaps and vulnerabilities will make their way into production environments, no matter how much effort is put into security during the build and deploy phases. The following challenges help explain why:

Challenge: API-based Applications are Complex

Each API an organization creates has unique logic and therefore unique vulnerabilities. Most applications rely on a combination of APIs, increasing the mesh of logic. In addition, a variety of internal groups typically create the different APIs, adding more complexity to the business logic. These groups often make a range of assumptions about security, such as that another portion of the application has handled authorization, leaving gaps and creating points of exploitability.

Challenge: APIs are Constantly Changing

Thanks to agile development practices such as CI/CD, APIs change frequently – in just weeks, days, or in some cases, hours. At today’s speed of development, no security testing in the build phase can capture 100% of coding gaps and vulnerabilities.

Challenge: Zero-day Vulnerabilities Exist in APIs Too

Just like any other software, APIs also contain zero-day vulnerabilities. Just like with any other zero-day, you may not know it’s there until it’s exploited and someone makes off with your data or wreaks havoc with your services. If you’re lucky, a researcher or your own testing efforts will eventually find zero-days, so developers can eliminate them, but often it’s an attacker who gets to them first. Worse yet, the open gap stays open until the dev team can provide a fix. Typically, it takes days or months before you’ll become aware that a zero-day exists in your API.

Challenge: Secure Development Practices Require Continuous Learning

Teaching developers to be more security aware and to write more secure code is an ongoing effort. While developers continue to get smarter, the reality is that developers don’t think like attackers, and they never will. A developer builds for functionality and efficiency, thinking “How do I make this feature work?” An attacker looks for ways to get features to do unintended things, instead thinking, “What will happen if I do this?”

Challenge: Scanning Solutions Miss the Bulk of API Vulnerabilities

Most of the security mechanisms applied in development revolve around scanning code. Scanning tools help in certain areas but fall far short of providing full security. Note Gartner’s take on the demise of the RASP market in the 2020 Application Security Hype Cycle: “[RASP] has failed to live up to its potential because of the complexity of its interaction with both applications and the surrounding ecosystem…”

A major shortcoming of scanning tools is their dependence on signatures and configuration. Also, because of their expense, they are often deployed in a limited fashion, focusing only on primary applications. Signatures are often out of date, configuration is never perfect, and you won’t cover all your applications with scanning.

The biggest reason scanning won’t solve your API security challenge is that these tools provide very limited coverage across API vulnerabilities. As an example, Broken Object Level Authorization, the #1 vulnerability in the OWASP API Security Top 10, is not a vulnerability that code scanning will identify.

Challenge: Penetration Testing and Bug Bounties Provide Only Partial Coverage

Just as with scanning tools, penetration testing and bug bounty programs provide only partial coverage in identifying API vulnerabilities and gaps. As with any security initiative, applying limitless time and budget will help you approach 100% coverage, but no customer has such a luxury. As a result, organizations must focus these programs on just their primary applications, leaving gaps.

Combining Security Efforts Across the Release Lifecycle

DevOps teams dedicate significant time and effort to identify and eliminate gaps early in the development cycle, before releasing APIs into production. At a certain point, though, spending more time identifying, prioritizing, and remediating security gaps in pre-production stands in the way of rapid app dev practices and with API-based applications, many gaps do not surface until they’re in production. Organizations succeed when they combine security efforts across the release lifecycle to include pre-production, runtime, and post-production.

Our customers benefit from runtime protection to identify and stop attackers early during reconnaissance as they try to uncover and exploit zero-day vulnerabilities. In addition, details of an attacker’s reconnaissance efforts provide invaluable remediation insights for development teams to eliminate gaps in post-production. By essentially using attackers as penetration testers, developers clearly understand what in the API is vulnerable and how to eliminate the gap. As a result, development teams can more easily prioritize their remediation efforts, be more efficient in their remediation, and improve workflows. Remediation insights also improve secure development practices so developers release code with fewer gaps and vulnerabilities in the future.

Visit https://salt.security/demo/ to learn how Salt Security makes it safe for you to innovate by protecting your APIs.

‍

‍

The post Can API Security Be Wholly Solved in Development? appeared first on Security Boulevard.

These three concerns should be top of mind for any security professional tasked with protecting APIs.

API Visibility

The first challenge for anything in security is to understand what it is that you need to protect. Comprehensive visibility of the attack surface provides the foundation to framing security strategies and aligning solutions, and this need is no different for API security.

Two aspects make visibility into APIs more challenging: the growing number of APIs in an environment, and the rate of change for those APIs. Most organizations have hundreds if not thousands of APIs, and they’re changing frequently, giving rise to an extremely large, ever-changing attack surface.

It’s not enough to know that you have an API. You also need to know the details of that API and the data it exposes. Details include knowing the endpoints that are part of that API, what they should and should not do, who or what should have access to the API, and what if any sensitive data each API exposes. To add to the complexity, applications often comprise multiple APIs, each with its own logic. Add to these factors the frequent updates and it’s easy to understand the challenge of achieving and maintaining comprehensive visibility of the API attack surface.

Most organizations don’t have a good handle on their API attack surface, with many unknown APIs (aka Shadow APIs) and unknown exposure of sensitive data like personally identifiable information (PII). Many organizations try to have developers manually create a catalog of all APIs, but since APIs are constantly changing, those manual catalogs quickly go out of sync. Automation is the only real way to address the scale, rate of change, and granular details needed to protect APIs.

Stopping API Attacks

Today’s APIs expose more sensitive data than ever, and attackers are increasingly targeting APIs, looking for vulnerabilities and pathways to that data. Security teams need a way to detect attackers early and stop them before they are successful. A big challenge with APIs is that they are unique in every organization and therefore have unique vulnerabilities. Traditional tools such as WAFs and API gateways simply don’t provide the right level of protection. These traditional tools are based on proxy architectures and are limited to analyzing API traffic at the transaction level and lack the needed context to identify sophisticated API attacks.

API attacks are low and slow as attackers spend time to map the API structure, understand the logic, and look for vulnerabilities to exploit. Traditional tools miss this kind of subtle attacker activity,  which requires analysis of large amounts of data to detect bad actors early in their efforts.

Another strike against proxy-based tools is that they depend on signatures and can stop only known attacks. But you can’t create a signature for an unknown vulnerability. Even configuring a security tool to customize it for the environment is not enough. Most organizations, regardless of size, have complex API environments, so manually creating policies is not practical. The rapidly changing nature of APIs requires continuous upkeep of security policies, a process that risks lagging behind API updates and leaving gaps that attackers can exploit.

Many traditional tools are also notorious for false positives, because they analyze activity in isolation at the transaction level and alert on any anomalous activity. Lacking context, these tools cannot distinguish between a benign anomaly and a truly malicious API call that is part of an attacker’s larger reconnaissance effort.

Organizations must shift from proxy-based tools that depend on signatures and require configuration upkeep to solutions that continuously gather and analyze API activity. By capturing and understanding large amounts of data, these solutions gain the context needed to connect the dots across multiple subtle activities of an attacker. The focus must move from transactions to attackers – this approach enables earlier attack detection and reduces the number of false positives, because alerts and triggers tie back to a user, not an individual transaction.

Improving API Security Posture

Security is not a “set it and forget it” exercise, especially when it comes to API-based applications. These environments are constantly changing and evolving with new applications and new capabilities. As the API environment changes, so does the attack surface. These changes create challenges for organizations to ensure their security tools and strategy continue to evolve to provide up-to-date protection. Security teams and developers need to work and continuously learn together to keep up with the latest threats and implement security best practices.

Organizations should work to identify vulnerabilities early in the development cycle, but inevitably, some vulnerabilities will make it to production. Protecting APIs at runtime and stopping attacks is crucial. The best way to improve the API security posture is to take learnings from attacks detected and stopped at runtime and use them to eliminate vulnerabilities – such an effort requires security and development teams to work together.

Security teams can provide developers with rich insights into vulnerabilities found in production APIs. Solutions that capture and analyze all production API activity can provide that insight with valuable context. Insights include details on the vulnerability found, how the attacker tried to manipulate it, how the application responded, and the context of what normal activity looks like for the targeted API. Insights can also include recommendations on how to best remediate the vulnerability. With this detail, security and development teams better understand the vulnerability and can work together to properly prioritize remediation efforts.

Conclusion

Salt Security has pioneered an API security architecture built on big data and artificial intelligence (AI). The patented solution captures and analyzes all API activity to provide automated discovery of APIs and ensure an up-to-date catalog and view of the API attack surface. By analyzing API traffic, the Salt platform can identify the subtle activity of attackers during reconnaissance and connect the dots of their activity to pinpoint and block them before attacks are successful. The platform also turns attacker efforts into remediation insights, helping  security and development teams work together to eliminate vulnerabilities. Schedule a demo to learn more about how Salt can help you overcome the challenges of securing your APIs.

The post Three API Security Challenges Every Security Professional Should Be Prepared For appeared first on Security Boulevard.

Columbo was a master of context. The lieutenant was famous for his catchphrase “Just one more thing,” heard countless times by suspects as he chipped away at a case, gathering small, obscure pieces of the puzzle and putting them together to form the bigger picture and ultimately solve the case. Each piece of the puzzle in isolation looked insignificant, but the bigger picture started to emerge when Columbo correlated a series of seemingly unrelated events.

These complex cases had no single “smoking gun.” Gathering all the clues and correlating them, to understand the whole context, was the only way to solve the crime. 

So it goes with API attacks. These events involve a similarly complex series of events, uninteresting when looked at in isolation but very revealing when put together.

The “low and slow” nature of API attacks

To attack your APIs, hackers have to learn them – they use reconnaissance techniques to understand the structure and logic of your APIs. The attacker’s ultimate goal is to find a vulnerability, manipulate the API logic, and make the API do what it was not intended to do – such as return all of the data from a database instead of the info for just a single user.

Reconnaissance takes time as the attacker probes the API to map out the structure, determine the application components in use, understand the API logic, and look for vulnerabilities. Reconnaissance can take hours, if not days or weeks, as the attacker uses subtle methods to achieve their goal while avoiding detection.

Attackers don’t need special access to begin probing an API. Any public-facing application such as one from an online retailer, ride-hailing service, social platform, or cloud service will expose an API, and that API will, necessarily, expose its structure and logic. The attacker needs only an account, which can usually be set up within minutes. Even an API that is considered private or more restrictive isn’t immune to an attacker’s prying eyes. Any determined attacker will find a way to access credentials through phishing or other means.

Once attackers gain access to an API, they need only creativity, tenacity, and a few commonly available tools that aren’t limited to just the dark web. Attackers use the same tools your developers and QA teams use to debug and test your APIs.

Attackers start with activity that looks like any other user as they map the API’s structure and uncover its unique logic. They make slight tweaks to API calls to see how the API responds, and none of this activity raises a flag or triggers a security alert. In fact, attackers targeting APIs will use subtle methods to stay under the radar as much as possible, sending calls to test API logic such as:

• What if I replace my user ID with another user ID? Can I access the other account?
• What if I enumerate an object ID? Can I access information that I’m not supposed to? 
• What if I try to escalate my user privileges? Can I get admin rights?

Reconnaissance is a process of little successes and many failures. Looking at this activity in isolation, one transaction at a time, doesn’t reveal any risk, but putting the pieces together can provide meaningful context and insight that someone is probing your API and up to no good. 

Traditional security and API tools lack context

Attacker reconnaissance activity looks like normal API traffic to traditional tools such as WAFs and other proxy solutions. The architecture of these tools limits them to inspecting transactions one at a time, in isolation, and they depend on signatures to detect well-known attack patterns such as Cross Site Scripting (XSS) and SQL Injection (SQLi). If the transaction does not match a signature of a known attack, the WAF will send it through. Since each API is unique with unique vulnerabilities, signatures cannot help prevent API attacks. Tools such as WAFs not only miss the attacks that target unique API vulnerabilities, they also miss the hallmarks of an attacker’s reconnaissance activities.

Going back to the Columbo example, using a WAF to stop an API attack is like using a red light camera to solve a crime. While these tools might be good at identifying specific, predictable, malicious activity, they cannot collect large amounts of data, identify broader clues, or put the pieces together to solve, or better yet, prevent a crime.

Architecture is key

An attacker’s reconnaissance activity – when successfully detected and correlated – provides clear warning that someone is probing your API and up to no good. But to detect this activity, solutions need context that cannot be learned looking at each transaction in isolation. Solutions must analyze as much data as possible to understand normal behavior, identify the outliers, and put together the pieces to form a bigger picture. Proxy tools lack big data, artificial intelligence (AI), and machine learning (ML) – so they cannot gather and analyze large amounts of data. 

It’s not enough for solutions to identify outliers from normal behavior. Solutions must differentiate between user mistakes or behavior that changes in response to a changed API vs. malicious activity, such as an attacker probing an API and manipulating API logic. Theoretically, a WAF could be configured to alert based on each outlier event, but they’re never configured in this way because organizations would be crippled under the overwhelming number of false positives.

What’s needed is the ability to put together the previously disparate outliers to gain a picture of attackers and their activity risk. Knowing that a single entity has generated a large number of errors is one clear indicator of an attack – WAFs don’t hold that kind of information correlated over time, and they don’t understand the risk of anomalous activity either.

Salt Security – the Columbo of APIs

Just like Columbo, Salt Security correlates disparate pieces of behavior and uses the resulting context to pinpoint attackers. Unlike WAFs, Salt uses big data to collect API traffic and applies AI and ML to analyze activity. 

Through analysis, Salt creates a baseline of normal behavior and identifies anomalies. With the context it’s able to create, Salt differentiates between API changes or simple mistakes vs. malicious attacker activity. Correlating activity allows Salt to pinpoint attackers and stop them early in their reconnaissance process to prevent successful attacks.

The Salt alerts contain the context incident response teams need to understand and respond to events quickly. Salt alerts contain the full timeline of attacker activity, so teams gain insight into what the attacker did and how the application responded. Teams have no need to correlate information manually.

The context Salt provides is also essential to helping development teams eliminate vulnerabilities quickly. Remediation insights from Salt contain details on the location of a vulnerability and what normal activity looks like for that API as well as recommendations on how developers can close the gap and improve the security posture.

Want to see Columbo on the hunt in your environment? Request a personalized demo to see how Salt uses context to protect APIs, prevent attacks, and improve your API security posture.

‍

The post Stopping API Attacks: Columbo, Correlation, and Context appeared first on Security Boulevard.

According to the folks at Globee, “disruptor companies are privately owned businesses all over the world that have the potential and competence to displace existing solutions, companies, and even entire industries. They are ready to take on an enormous challenge and find solutions for the biggest pain points customers experience.”

We think that’s a great way to describe Salt and our approach to API security. We started in 2016 to take on the enormous challenge of API security. We shook up the market, the incumbents, and traditional approaches to application security with a dedicated API security platform. We continue to innovate to protect our customers and focus on protecting against what Gartner says is becoming “the most-frequent attack vector, resulting in data breaches for enterprise web applications.” 

Today, Salt is the only API security solution that combines big data with patented AI and ML for complete coverage across environments. With our platform, we discover all APIs and exposed sensitive data, stop API attackers in their tracks, and provide insights to improve API security posture. 

As a pioneer in the API security market, we continue to lead the pack with the longest time in market giving us the most mature product. As a result, our customers benefit from a platform that is easy to deploy with no agents and no code changes, the most ecosystem integrations, and support for the broadest set of use cases across internal, external, and third-party APIs.

We recently closed a preemptive C round bringing our total funding to $131 million, the most funding of any company in API security. With this support, we continue to invest in our platform, innovate, and secure the APIs of customers across all industries such as financial services, healthcare, and retail.

The Globee award keeps us in the lead with the most awards among vendors in our space and is yet another validation point for our approach to API security and leadership in the market. If you’re looking for an industry-leading solution to protect your APIs, request a personalized demo today to see how Salt can make your APIs attack-proof.

‍

The post The Award Case is Filling Up appeared first on Security Boulevard.

The first dedicated WAF was introduced to the market in 1997 by Perfecto Technologies with their AppShield product. Perfecto, renamed as Sanctum, is also credited with defining the first top ten list of web application hacking techniques which, at the time, included:

• Hidden field manipulation
• Cookie poisoning
• Parameter tampering
• Buffer overflow
• Cross site scripting (XSS)
• Backdoor or debug options
• Stealth commanding
• Forced browsing
• Third party misconfigurations
• Known vulnerabilities

This list evolved into the OWASP Top Ten, first published in 2003, and since then we’ve seen both the Top 10 and WAFs evolve to keep up with the latest and greatest threats to applications over the years.

Fast forward to 2019 and the OWASP community decided that API vulnerabilities are unique enough that it was time to define a Top 10 list specific to API-based applications and API Security.

So the question is – how does the WAF stand up as APIs have increasingly become the centerpiece of applications and a primary target for attackers? Check out the video to hear what we think and let us know your thoughts in the comments below.

The post WAFs, What Are They Good For? appeared first on Security Boulevard.

API are becoming the most frequent attack vector

The session kicks off with the well-known quote that anyone familiar with API security should be familiar with - “By 2022, API abuses will move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications.”

Mark reminds us that 2022 is just around the corner, not that a switch will flip on Dec 31, 2020, but more so to remind us that API incidents have been increasing for a while. In fact, APIs are already a component of some of the largest security incidents of 2021. Do a search for “API” + Experian, Peloton, or LinkedIn, and you’ll see what I mean.

Recently Gartner updated this prediction, saying that “By 2024, API abuses and related data breaches will nearly double.” as if things in the world of API security weren’t challenging enough. At Salt, we’d have to agree with Gartner’s prediction. Our State of API Security Q1 2021 report showed that nearly all respondents (91%) had suffered a security incident in their production APIs in 2020. The bottom line is that attackers are quickly realizing the opportunity of targeting APIs, and organizations across the globe are starting to realize the risk of not securing their APIs. 

How are APIs attacked?

APIs are susceptible to many threats, and Mark and Dionisio outline the following four main ways APIs can be attacked:

1. Unsecured API keys in repositories and storage
2. Hard-coded credentials (incl. API Keys) in applications
3. API logic flaws
4. Sniffed API calls

Arguably the first two and number four on the list can and should be addressed by best practices. 

• Unsecured API keys should not be left exposed in places like cloud storage or code repos like Git. Exposure of these credentials could allow an attacker to gain unauthorized access to an API as a legitimate user or administrator.
• API keys and other credentials should not be hardcoded into applications and devices such as IoT endpoints. Similar to the point above, finding keys and credentials could allow an attacker to gain unauthorized access to an API. Dionisio goes into more details about this later in the session and provides some options to avoid this scenario. 
• Teams must ensure that attackers cannot find successful API calls in logs or by sniffing to prevent them from replaying these calls in their attacks. Attackers use several common tools such as Portswigger Burp Suite to replay API calls during their attack.

Number three on the list, API logic flaws, is not something you can easily train your development team to avoid and not something you can protect with just any application security tool. Yes, there are best practices to follow when it comes to developing an API. However, as Mark points out, “Every API is different. You have to understand the working of the API to secure it.” and understanding the granular details of an API can be a tedious task.

While developers continue to get better about security, expectations are to develop code and innovate quickly. This rapid pace of development can compromise security, meaning that API will inevitably release with potential vulnerabilities. 

Another component that adds to the complexity of securing APIs is that many applications are a combination of APIs and, therefore, a combination of logic. Often it’s not just one group that is developing the APIs for an application, but more commonly, it’s multiple groups, and those groups can be 3rd parties. Leveraging externally developed APIs creates even less visibility and control over the logic being used for the API, adding to the complexity of protecting it.

If multiple APIs and external development aren’t enough, add to that the rate of change that APIs undergo. APIs are often a key component to enabling CI/CD development practices meaning their functionality, and therefore logic is being updated regularly, which can be as frequent as every week or even every day. For security, this constant change makes APIs a moving target.

The reality is that your APIs will release with vulnerabilities, and you can’t completely depend on your developers and dev-time efforts to address API security. You need to complement development efforts with protection at runtime.

When it comes to runtime protection for APIs, Mark points out that “there is no one size fits all way to secure APIs.” This means you can’t apply the same signatures or security policies across all of your APIs and expect them to be effective. Each API needs to be understood and protected differently because their usage is unique, and their vulnerabilities are also unique.

To illustrate the risk of API logic flaws, Mark highlights the number one threat on the OWASP API Security Top 10 list - Broken Object Level Authorization (BOLA). This threat takes advantage of API logic flaws, specifically authorization flaws, to gain unauthorized access to data. BOLAs are a surprisingly common API security issue seen in most API attacks and highlighted in almost all API vulnerability disclosures.

Who is responsible for API security?

As organizations take steps to address API security, one of the first places they may look to is the development team. A poll asked the question "who has responsibility for API security" and it was no surprise to see "Application Developers" in the lead.

We saw a similar response in our State of API Security survey earlier in 2021, where 36% of respondents say developers or DevOps teams hold primary responsibility for securing APIs. It’s natural to think that developers create APIs, and if they employ security best practices and leverage tools to uncover gaps before runtime, then the problem is solved.

Referring back to the previous section, while it’s valuable to leverage developers to employ best practices and continually improve API security, depending on dev team efforts alone is a risky proposition. Our State of API Security survey showed that of the respondents, 91% said they had suffered a security incident in their production APIs, highlighting that overconfidence in development teams for security was not enough.

A more realistic approach to API security is one that balances development team security efforts with runtime protections. Both Mark and Dionisio highlight Gartner research that echoes this sentiment outlining the importance of including security teams in API strategy, how this correlates to maturity, and how it positively contributes to the security of APIs and cloud-based applications.

Consider security across the full lifecycle

An important point that Mark points out is the need to think about API security in the context of the API lifecycle. The concept of the API lifecycle is something Gartner has applied to API management, and Mark argues for using the same concept for API security. He outlines where to apply API security with four key functions:

• API Discovery (design time) - You need to know what it is that you’re securing and discovery at this stage includes knowing who is creating APIs, what APIs they’re creating, and where those APIs reside.
• API security testing (design time) - Testing at this stage allows you to uncover and resolve potential vulnerabilities and risks early in the development cycle before APIs are released.
• API Discovery (runtime) - Performing discovery at this stage is important to help security teams understand the APIs used by different applications and the potentially sensitive data they may be exposing. Discovery at this stage can also help you identify shadow (unknown) and zombie (outdated) APIs not identified in the design-time stage.
• API threat protection (runtime) - Applying security at runtime helps you monitor production APIs for any misuse and stop attackers before exploiting vulnerabilities.

What products help with API security?

Mark and Dionisio outline a number of different product categories that can help improve API security, starting with API management which can include API gateways and portals. Mark is quick to point out that API management only secures the APIs registered with that tool, and it’s common for many APIs to operate outside of the boundaries of API management. 

It’s also important to consider that API management platforms typically depend on security capabilities such as authentication, authorization, encryption, message filtering, and rate-limiting. While these are important foundational security capabilities, they fall short when it comes to protecting APIs. Taking authentication as an example, the Salt Security State of API Security Report 2021 found that 96% of API exploits happen against authenticated APIs. Also, as pointed out above, many attackers take advantage of commonly found authorization flaws - defined as BOLAs, the number one threat on the OWASP API Security Top 10 list.

Next, Mark covers Web Application Firewalls (WAFs) and points out that many in this category depend on nothing more than traditional application security methods to protect APIs. These methods include the use of signatures to look for known attack patterns, and since each API is different with unique vulnerabilities, the use of signatures is ineffective. It’s also important to note that these proxy-based solutions lack the architecture needed to understand the context of APIs and, therefore, cannot understand the unique logic and cannot identify attackers targeting unique vulnerabilities.

Mark next mentions that many new API startups focus on the challenge of securing APIs, and it’s important to think about API security in a three-dimensional way that includes API security testing, API protection, and API access control. Organizations should consider a combination of products when it comes to protecting APIs and need to make sure that collectively their security stack provides security for both North/South and East/West traffic. Questions to ask vendors to understand their capabilities include: How do you discover APIs? How do you monitor and detect anomalies? And how do you block attacks on APIs?

Another important note is to think about not only what goes into the API such as who is using the API and is the input legitimate or malicious traffic, but also what the API returns in a response. Leaky APIs continue to be a problem and something many organizations overlook. Security tools must also analyze API responses to ensure that the API is not returning an excessive amount of data (OWASP API3: Excessive Data Exposure), especially sensitive data or an error message with too much information included.

Gartner’s Recommendations

Mark and Dionisio wrap up the discussion with the following three main takeaways:

Include your security team - Security and engineering teams can collaborate from the API strategy stage and should work together at every point in the API lifecycle to ensure security. Collaboration is essential given the increasing number of APIs used in application environments, the frequency of change those APIs undergo on a regular basis, and the potentially sensitive data that they expose.

Consider the whole picture for API security, not just the API gateway - In the past, the common thought was that a gateway was all you need to protect APis. However, API gateways don’t always apply to all APIs, and they have limitations when it comes to providing the security needed to protect APIs from attacks. API security needs to extend beyond the foundational capabilities of authentication, authorization, encryption, message filtering, and rate-limiting.

Think North/South as well as East/West - This can require different products, technologies, and strategies to ensure complete coverage. The important thing is not to think of your API products merely as gatekeepers but rather to look for tools that can help you to monitor usage, look for misuse, and stop attacks.

Protecting your APIs

Salt Security is an API protection solution built on big data, AI, and ML to help customers discover all APIs and exposed data, stop attackers early in their process, and provide insights to developers to enable a model of continuous improvement for security. Salt has a flexible, easy model for deployment, does not require changes to application code, and is not inline, so there’s no impact on developers or applications. 

If you’re building APIs to power your applications, reach out for a personalized demo to learn how Salt can make your APIs attack proof to protect your customers, your data, and your business.

‍

The post Insights into Gartner’s Tips for Protecting APIs appeared first on Security Boulevard.