The (winter) solstice is fast approaching, along with the end-of-year holidays - before we know it, it'll be 2023 already! And with the fall behind us, our hive has been busy putting the finishing touches on many new and improved capabilities – such as weak JWT detection, API Abuse Prevention, API Risk Scoring, and full OWASP API Security Top-10 coverage. Read on for this month's bit o' honey.

I’ve been playing around with the new ChatGPT tool. It’s an interesting (and fun) capability – for instance, see this thread from the inestimable Brian Krebs, which demonstrates both the silly (e.g., the data breach notification) and the more scary (e.g., the watering hole attack).

There are obvious implications of AI for both attackers and defenders, and I predict we’ll be hearing a lot more about it even after the novelty wears off – new payload ideas, new and expanded fuzzing ideas, new ways to search for known issues such as WAF bypasses, and much more.

Just look at how good it is in API security already:

As a pioneer in cyber AI, we know how hard it is to get results like that. If you are interested in our early AI research, take a look at my 2017 NeuralFuzz presentation on AI-fuzzing (PDF) and my 2019 BSidesSF presentation on WallNet, an AI-based false positive tuning approach. 

On a completely different note, just before Thanksgiving we decided to move the API Security Community from a LinkedIn group to a page format. This lets users share content without the noisy group messages from marketing and sales folks (shame on them!). From now on, all new posts about #apisecurity exploits and updates will be published on the API ThreatStats LinkedIn page. Join us!

Finally, I'll close with our monthly poll. First, last month we asked about integrating API security into your SOC – it looks like the vast majority of you are doing so:

And we’d love to have you weigh in on the next LinkedIn poll we're conducting: How mature is your DevSecOps process? Please let us know where you stand on this – connect with me or follow us at Wallarm to register your vote.

Thanks, and have a great December!

– Ivan, CEO & Co-Founder, Wallarm

PS – Congratulations to Wallarm advisor Frank Kim, who recently joined YL Ventures as their new full-time CISO-in-Residence!

Industry news
Notable vulnerabilities

Wallarm customers are protected from known attacks against these vulnerabilities. However, we recommend that you assess your portfolio for exposure to these vulnerabilities, apply updates where possible, and monitor for further incidents.

Wallarm news

Wallarm is excited to announce several additions to the executive leadership team to help guide our strategic growth in the API security market, which according to Forrester is a top-5 priority for 2023 cybersecurity investment.

  • Adi Lavi will lead the Wallarm partner and channel programs as VP of Channels.
  • Tim Ebbers will lead the Wallarm solution engineering team as Field CTO and VP of Solution Engineering.
  • Michael Inbar joins as Chief Financial Officer (CFO) to head up the company’s finance team.
Product News

Some of the new and improved features and capabilities coming in December:

  • Expanded API Discovery Dashboard – Increased visibility into your APIs, such as whether your API structure has changed, how many endpoints you have, what kind and how much sensitive data your applications transfer, and which endpoints are the most attacked or the riskiest.
  • API Risk Scoring – Increased visibility into the risk posture of your APIs, based on factors such as vulnerabilities, sensitive data flows, potential for BOLA exploits, and more.
  • Automatic BOLA Protection – Out-of-the-box automated protection against one of the most popular API attack types: Broken Object Level Authorization (BOLA).
  • API Abuse Prevention – New, behavior-based ability to block bad actors from abusing your APIs, such as Account Takeover (ATO), Credential Stuffing, Fake Account Creation, Spamming, Scalping and Content Scraping.
  • Weak JWT Detection – Increased visibility of weak JSON Web Tokens (JWTs), such as unsigned tokens or tokens signed with a guessable secret, which could let attackers assume user or even admin privileges.
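To make "weak JWT" concrete, here is a small offline audit that checks the two failures attackers exploit most often: an `alg: none` token (the signature is simply skipped) and an HMAC token whose secret can be recovered from a wordlist, plus a missing `exp` claim. This is an added example written for this newsletter, not Wallarm product code; the `COMMON_SECRETS` wordlist and the sample tokens are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical wordlist: secrets that routinely leak from tutorials and sample
# configs. A real audit would use a far larger list; this one is an assumption.
COMMON_SECRETS = ["secret", "password", "changeme", "jwt_secret", "your-256-bit-secret"]

HMAC_ALGS = {"hs256": hashlib.sha256, "hs384": hashlib.sha384, "hs512": hashlib.sha512}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hmac_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build an HMAC-signed JWT; used here only to construct sample tokens."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), HMAC_ALGS[alg.lower()]).digest()
    return signing_input + "." + _b64url_encode(sig)


def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none token: valid structure, empty signature segment."""
    header = {"alg": "none", "typ": "JWT"}
    return (_b64url_encode(json.dumps(header).encode()) + "."
            + _b64url_encode(json.dumps(payload).encode()) + ".")


def audit_jwt(token: str, wordlist=COMMON_SECRETS) -> list:
    """Return a list of weakness findings; an empty list means nothing was found."""
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return ["malformed: header or payload is not base64url-encoded JSON"]

    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        # A verifier that honours alg=none accepts any claims the client writes.
        findings.append("alg=none: signature is never checked, claims can be forged")
    elif alg in HMAC_ALGS:
        # Offline dictionary attack: recompute the MAC under each candidate secret.
        signing_input = (header_b64 + "." + payload_b64).encode()
        actual_sig = _b64url_decode(sig_b64)
        for candidate in wordlist:
            guess = hmac.new(candidate.encode(), signing_input, HMAC_ALGS[alg]).digest()
            if hmac.compare_digest(guess, actual_sig):
                findings.append(f"weak secret: HMAC key recovered from wordlist ({candidate!r})")
                break

    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    return findings


if __name__ == "__main__":
    # Constructed sample tokens, not captured from any real service.
    for label, tok in [
        ("unsigned", make_unsigned_token({"sub": "alice", "role": "admin"})),
        ("weak secret", make_hmac_token({"sub": "alice", "exp": 9999999999}, "secret")),
        ("strong secret", make_hmac_token({"sub": "alice", "exp": 9999999999}, "k3Vq9z!PwL2xT8rBnM4cD")),
    ]:
        print(label, "->", audit_jwt(tok) or "no findings")
```

The dictionary attack only needs the token itself, which is why a guessable HMAC secret is equivalent to no signature at all: anyone who captures one token can mint arbitrary ones. Running the audit over tokens observed in traffic is a cheap way to catch both conditions before an attacker does.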

Talk with your customer support engineer or your account manager about enabling these capabilities in your instance.

Did You Know? You can subscribe to our update announcements to keep up-to-date with the latest product news.

Events

Upcoming:

Webinar [2023-Jan-05] — Wallarm Platform Democast: What’s New

Join us for a live, interactive product demo of Wallarm on January 5, where you can learn more about the key components of the platform and recent feature enhancements.

Past:

Webinar [on-demand] — Q3 API ThreatStats Report: DevOps Tools Under Attack

Listen to our discussion of the results of the Wallarm Research team's extensive analysis of published API vulnerabilities and exploits for Q3-2022.

Webinar [on-demand] — Wallarm + Kong: Better Together

Listen to this recorded webinar with Andrew Kew from Kong and Tim Ebbers from Wallarm, where they discuss a real-world customer deployment of the joint solution with Jiju Jacob, Director of Engineering at Revenera.


Wow! You read all the way to the bottom of this newsletter?!? Clearly we did something right, so please let us know what you liked (or didn’t) at newsletter@wallarm.com. If we did a really great job and you’re interested in learning more about API Security and Wallarm, we’d love to show you a demo of our platform, or you can trial it yourself.


Where APIs meet apis

And now for something completely different. Since the theme of The APIary newsletter is based on hardworking & industrious bees, we thought we’d share this bee-meme with you. This month’s image comes courtesy of DALL-E, using the prompt: an oil painting by Wassily Kandinsky of a bee in a santa hat. Enjoy!