- Today we feature a comprehensive guide on API security design best practices from Yuri Kopylovski. This should prove useful to API developers, particularly the coverage of error handling and anti-patterns to be aware of. https://habr.com/en/post/595075/
- A new report from @F5 suggests that the number of APIs may now number 200 million globally — “If data is the new oil, then APIs will become the new plastic.” Read further to understand how to mitigate and manage this sprawl. https://devops.com/api-sprawl-a-looming-threat-to-digital-economy/ …
- Scoring a perfect 10 on the CVSS scale, the ‘Log4Shell’ vulnerability poses a critical threat to applications using Java logging package Apache Log4j. https://portswigger.net/daily-swig/log4shell-vulnerability-poses-critical-threat-to-applications-using-ubiquitous-java-logging-package-apache-log4j …
- API Security weekly newsletter issue #163 is out. Main stories this week from @AmazicWorld on why API security strategy fails, @Werner at @AWSreInvent on API good design, and @securityblvd on the biggest API attacks in 2021. https://apisecurity.io/issue-163-why-api-security-strategies-fail-aws-keynote-on-good-api-design-biggest-breaches-in-2021/ …
- Last week was AWS re:Invent and in the keynote CTO Werner Vogels addressed 6 rules for good API design — good to see APIs receiving the prominent attention they deserve. https://thenewstack.io/werner-vogels-6-rules-for-good-api-design/ …
- As we head to the end of the year, a recap of some big API security breaches in 2021 — "For as long as security remains an afterthought in the development life cycle, hackers will continue to successfully exploit API security flaws." https://securityboulevard.com/2021/11/biggest-api-security-attacks-of-2021-so-far/ …
- "The disconnect between the necessity of application programming interfaces (APIs) and their horrible reputation as security black holes" — views from @cisco's Vijoy Pandey on API security in @techrepublic https://www.techrepublic.com/article/how-well-do-you-know-your-apis-not-well-enough-says-cisco/ …
- Seven reasons your API security is failing — most important for me is "Putting the onus of API security on the developer" https://amazicworld.com/7-reasons-your-api-security-strategy-is-failing-how-to-fix-it/ …
- API Security weekly newsletter issue #162 is out. Main stories this week from @hackernews on GCP vulnerabilities, @kcblogumi on GraphQL, André Rainho's Awesome API security list, and @AppSecEngineer on API security training. https://apisecurity.io/issue-162-compromised-googe-cloud-accounts-graphql-as-api-gateway-api-security-guide-and-training/ …
- There are several API security guides online but this has to be the most comprehensive: Awesome API Security from André Rainho. Absolutely guaranteed to be something for everyone in here. https://github.com/arainho/awesome-api-security …
- Interesting read from @kcblogumi on utilizing GraphQL as an enterprise API Gateway enabling security features such as depth limiting, rate limiting, and query cost limitations. https://levelup.gitconnected.com/graphql-is-the-new-api-gateway-383edeed4bcd …
- Threat Horizons report published into vulnerable Google Cloud Platforms — "in most cases, the unauthorized access was attributed to the use of weak or no passwords for user accounts or API connections (48%)" https://thehackernews.com/2021/11/hackers-using-compromised-google-cloud.html …
- Always good to see new API security training courses and this one is no exception: check out the @AppSecEngineer 2021 guide to API security https://appsecengineer.com/hackerman-hub/2021-guide-api-security-what-you-need-know …
- API Security weekly newsletter issue #161 is out. Main stories this week from @Ub3rsick on a vulnerability in Wipro Holmes Orchestrator, tips for API security from @InonShkedy, research from @alissaknight and views on shift-left from @colindomoney https://apisecurity.io/issue-161-vulnerability-in-wipro-holmes-orchestrator-report-into-vulnerabilities-in-fintech-and-banking-apps/ …
- Today we have an excellent resource from @InonShkedy on API security tips — there are some really good insights in here, many of them real quick wins for any API developer. Definitely one to bookmark! https://github.com/inonshk/31-days-of-API-Security-Tips …
- Today I'm featured in the SD Times discussing how a developer-first approach can benefit both development and security teams by embedding "security as code" into your software build process. https://sdtimes.com/api/a-developer-first-approach-what-does-this-mean-for-api-security/ …
- A vulnerability CVE-2021-38146 was disclosed in the Wipro Holmes Orchestrator file download API allowing for arbitrary file download via path manipulation. Further details here: https://packetstormsecurity.com/files/164970/Wipro-Holmes-Orchestrator-20.4.1-Arbitrary-File-Download.html …
- Latest research from @alissaknight featured in a report “Scorched Earth: Hacking Bank APIs” — accessing 55 banks through their APIs, giving her the ability to change customers' PIN codes and move money in and out of customer accounts. https://www.businesswire.com/news/home/20211026006184/en/New-Research-Shows-Vulnerabilities-in-Banking-Cryptocurrency-Exchange-and-FinTech-APIs-Allow-Unauthorized-Transactions-and-PIN-Code-Changes-of-Customers …
- API Security weekly newsletter issue #160 is out. Main stories this week include stories on AWS API gateway vulnerabilities from @BlackHatEvents, K8S API hardening from @goteleport, @Forbes on API security, and Jason Kent. https://staging-site.apisecurity.io/issue-160-vulnerability-aws-api-gateway-kubernetes-api-access-hardening-guide/ …
- Interesting views from Jason Kent on a possible update to the OWASP API Security Top 10 — definitely a shift in focus toward upfront design. https://threatpost.com/owasp-api-security-top-10/175961/ …