Subscribe to the Salt blog

API Security Best Practices

Read the guide

Salt Security blog

Welcome to our blog about all things in and around the world of APIs and API security.

Subscribe to Salt blog

Forbes Singles out Salt’s Amazing Growth

Having Forbes single out Salt Security as one of only 25 of the “Next Billion-Dollar Startups” testifies to the combination of both the significant lead we enjoy in the market and the enormity of the problem we solve.

Michelle McLean
Michelle McLean
October 14, 2021

API Threat Research: Elastic Stack Misconfiguration Allows Data Extraction

Salt Labs researchers investigated a large business-to-consumer (B2C) online platform that provides API-based mobile applications and software as a service to millions of users globally. 

Salt Labs
Salt Labs
September 29, 2021

API Security Checklist

This API Security Checklist will help you close the gaps in your API security strategy based on industry best practices.

Michael Isbitski
Michael Isbitski
September 20, 2021

“Best in API Security” – ‘Nuff Said

It’s one thing for us at Salt to say we’re the best in API security – it’s quite another for the team at API World to say it. And they just did.

Michelle McLean
Michelle McLean
September 16, 2021

Salt Celebrates National Working Parents Day

It’s National Working Parents Day, and for all of us at Salt this day provides an awesome opportunity to recognize everyone’s hard work!

Ahuvy Mrad
Ahuvy Mrad
September 16, 2021

Salt is Leading the Pack in API Security

Salt is the only pure-play API security company to make the Market Leader category in the latest KuppingerCole Leadership Compass on API management and security.

Chris Westphal
Chris Westphal
September 13, 2021

Securing APIs With Salt Security Using Agentless Amazon VPC Traffic Mirroring

Our fully automated process makes it quick and easy to set up VPC Traffic Mirroring and enable advanced protection for all your AWS-based APIs.

Elad Koren
Elad Koren
September 9, 2021

API Security Tipping Point – Gartner just “Created the Category”

API security earns its own pillar in Gartner Security Reference Architecture.

Michelle McLean
Michelle McLean
August 31, 2021

API Attacks up 348% in Six Months, per Latest “State of API Security” Report

The data makes it clear: more companies are suffering more API attacks than ever, and companies remain as ill-prepared as ever.

Salt Labs
Salt Labs
July 28, 2021

Insights into Gartner’s Tips for Protecting APIs

Recently Gartner analysts Mark O'Neill and Dionisio Zumerle teamed up on a webinar titled API Security: Protect your APIs from Attacks and Data Breaches. Read on for highlights, insights and perspective on the session covering API security.

Chris Westphal
Chris Westphal
July 26, 2021

Now Boarding: All Passengers for Securing Travel and Expense APIs

Salt Security streamlines API security with automated protection for TripActions

Michelle McLean
Michelle McLean
July 21, 2021

More Kudos for Salt – now a CRN Emerging Vendor

Salt Security named by CRN as a top emerging vendor in security for our leadership role in API security

Michelle McLean
Michelle McLean
July 19, 2021

Formalizing our API Security Research with the Launch of Salt Labs

With the formal launch of Salt Labs, we will now take the time to document our findings publicly, after we follow responsible disclosure processes, so the broader industry can learn from our discoveries.

Roey Eliyahu
Roey Eliyahu
July 14, 2021

API Threat Research: Detailed Financial Records Exposed on Financial Services Platform

Threat research report shares information to improve awareness around API security by detailing relevant attack patterns, technical details, and mitigation techniques for each vulnerability.

Salt Labs
Salt Labs
July 14, 2021

What is Credential Stuffing – and How to Defend Against it

Credential stuffing is a type of attack in which bots are used to breach a network using lists of compromised usernames and passwords.

Michael Isbitski
Michael Isbitski
July 12, 2021

Open Banking - Security Implications of the Global Trend

APIs are at the core of open banking, enabling financial institutions to standardize how they create and connect to an ecosystem of providers to exchange financial data. To a large degree, open banking has ushered in a democratization of banking across the globe and this has all been possible thanks to APIs.‍

Chris Westphal
Chris Westphal
June 30, 2021

5 Takeaways from Gartner Report: API Insights for Software Engineering Leaders

With the proliferation of APIs in all modern applications, understanding the ins and outs of APIs is more critical than ever.

Chris Westphal
Chris Westphal
June 18, 2021

The Award Case is Filling Up

Today we’re thrilled to announce that Salt has added yet another award to the case. This one is a GOLD for the 2021 Globee Disruptor of the Year award.

Chris Westphal
Chris Westphal
June 16, 2021

Here We Go Again – Series C, Another Preemptive Round!

We're announcing our $70 million Series C funding, with yet another set of investors ready to extend our leadership and market velocity once more.

Michael Nicosia
Michael Nicosia
May 26, 2021

What Does the Biden Administration’s Cybersecurity Executive Order Mean for API Security?

The latest executive order (EO) zones in on a few areas of cybersecurity, but a primary focus is software supply chain security after incidents such as the SolarWinds attack

Michael Isbitski
Michael Isbitski
May 24, 2021

And the Award Goes to …. Salt Security! (Again!)

Today’s accolades come from Cyber Defense Magazine, as we take home awards for “Most Innovative in API Security” and top billing in the “Best Cybersecurity Startup” category!

Michelle McLean
Michelle McLean
May 17, 2021

The Peloton API Security Incident - What Happened and How You Can Protect Yourself

Researchers found Peloton APIs were leaking PII. Learn how to avoid this with your APIs.

Michael Isbitski
Michael Isbitski
May 13, 2021

Extending our Lead in API Security – Augmenting our “Shift Left” Features

Salt is uniquely focused on securing APIs across their full lifecycle – we believe organizations need to both “shift left” and “protect right,” as in RIGHT NOW.

Michelle McLean
Michelle McLean
May 12, 2021

The Experian API Security Incident - What Happened and How can you Protect Yourself

While it is technically true that Experian’s systems weren’t directly breached, private data was most certainly leaked

Michael Isbitski
Michael Isbitski
May 5, 2021

How APIs Streamlined App Dev for DeinDeal – and Broke Security

We’re thrilled to announce that Salt is enabling DeinDeal, the Swiss e-commerce leader, to secure its APIs across build and runtime.

Michelle McLean
Michelle McLean
April 28, 2021

How Shift-Left Extremism is Harming your API Security Strategy

Establishing and gaining adoption of secure build pipeline approaches is a multi-year endeavor for organizations.

Michael Isbitski
Michael Isbitski
April 26, 2021

Building API Context with a New Tech Talk Video Series

Today we’re kicking off a new tech talk video series called Building Context, where we’ll be covering a range of topics around APIs and API security.

Chris Westphal
Chris Westphal
April 23, 2021

MythBusters API Edition: Zero Trust and its limitations for API Security

Zero trust principles and the technologies that have emerged inevitably promote dynamic access control that is informed by application context, identity, and behaviors.

Michael Isbitski
Michael Isbitski
April 20, 2021

3 Reasons You Might Be Failing at API Security

As APIs have increased in prominence and as a target for attacks, organizations have become more aware of the need for proper security, but as with adopting any new technology, misconceptions persist about how to get it right.

Chris Westphal
Chris Westphal
April 15, 2021

High-stakes API Security – Protecting Armis’ Security Platform

Armis wanted an approach to API security that would cover the full lifecycle of APIs – both build and runtime. After researching options, the Armis team picked Salt.

Michelle McLean
Michelle McLean
April 14, 2021

Salt Security + MuleSoft – Supercharge Your API Security Strategy

Salt Security is combining efforts with MuleSoft to bring best-of-breed API security to the market leader in API management and integration, the MuleSoft Anypoint Platform.

Michael Isbitski
Michael Isbitski
April 1, 2021

Understanding the Security Impacts of the iPhone Call Recording App Vulnerability

Our discussion focuses on steps you can take for better API security, and we also include some interesting mobile security and cloud security aspects.

Michael Isbitski
Michael Isbitski
March 18, 2021

Stopping API Attacks: Columbo, Correlation, and Context

Columbo was a master of context. The lieutenant was famous for his catchphrase “Just one more thing,” heard countless times by suspects as he chipped away at a case, gathering small, obscure pieces of the puzzle and putting them together to form the bigger picture and ultimately solve the case.

Chris Westphal
Chris Westphal
March 8, 2021

Taking Home the Gold! And the Silver, and another Silver …

We here at Salt are excited to share that our company and industry-first API security platform have earned us three major kudos.

Michelle McLean
Michelle McLean
March 1, 2021

Lessons from the FinTech Trenches Securing APIs at Finastra

On a recent webinar with Security Boulevard, we were fortunate to host Nir Valtman, Finastra head of product and data security, to share insights into his API security journey. You can view the entire session on the Salt YouTube channel, and here are some of the highlights from the discussion.

Chris Westphal
Chris Westphal
February 19, 2021

API10:2019 Insufficient Logging & Monitoring

Insufficient logging and monitoring combined with missing or ineffective integration with incident response, allows attackers to perform reconnaissance, exploit or abuse APIs, compromise systems, maintain persistence, advance attacks, and move laterally across environments without being detected.

Michael Isbitski
Michael Isbitski
February 18, 2021

API9:2019 Improper Assets Management

Maintaining a complete, up to date API inventory with accurate documentation is critical to understanding potential exposure and risk.

Michael Isbitski
Michael Isbitski
February 17, 2021

API8:2019 Injection

Injection flaws are very common in the web application space, and they carry over to web APIs.

Michael Isbitski
Michael Isbitski
February 16, 2021

API7:2019 Security Misconfiguration

This issue is a catch-all for a wide range of security misconfigurations that often negatively impact API security as a whole and introduce vulnerabilities inadvertently.

Michael Isbitski
Michael Isbitski
February 15, 2021

API6:2019 Mass Assignment

API security solutions must be able to identify anomalous API activity where attackers send manipulated API requests with unauthorized parameters.

Michael Isbitski
Michael Isbitski
February 12, 2021

API5:2019 Broken Function Level Authorization

API security solutions must be able to identify and prevent attackers or unauthorized users from accessing administrative level capabilities or unauthorized functionality.

Michael Isbitski
Michael Isbitski
February 11, 2021

API4:2019 Lack of Resources & Rate Limiting

API requests consume resources such as network, CPU, memory, and storage. The amount of resources required to satisfy a request greatly depends on the input from the user and the business logic of the endpoint.

Michael Isbitski
Michael Isbitski
February 10, 2021

API3:2019 Excessive Data Exposure

Exploitation of Excessive Data Exposure is simple, and is usually performed by sniffing the traffic to analyze the API responses, looking for sensitive data exposure that should not be returned to the user.

Michael Isbitski
Michael Isbitski
February 9, 2021

API2:2019 Broken User Authentication

Authentication in APIs is a complex and confusing topic. Software and security engineers might have misconceptions about what the boundaries of authentication are and how to correctly implement it.

Michael Isbitski
Michael Isbitski
February 8, 2021

API1:2019 Broken Object Level Authentication

APIs often expose endpoints that handle object identifiers, creating a wide potential attack surface. Object level authorization is an access control mechanism usually implemented at the code level to validate a user’s ability to access a given object.

Michael Isbitski
Michael Isbitski
February 5, 2021

OWASP API Security Top 10 Explained

In this post and subsequent additions to the series, we dig into each of the Open Web Application Security Project (OWASP) API Security Top 10 in detail.

Michael Isbitski
Michael Isbitski
February 4, 2021

Top Findings from Industry’s First State of API Security Report

Learn what pain points we uncovered as we set out to understand the state of API security – a critical window into broader enterprise security trends given that APIs underlie every revenue-generating application today.

Michelle McLean
Michelle McLean
February 3, 2021

Unpacking the Parler Data Breach

While the shutdown of Parler remains politically charged, the event offers some valuable technical lessons worth reviewing, many of which tie directly into API security and how best to protect sensitive data.

Michael Isbitski
Michael Isbitski
January 21, 2021

GET ‘https://salt.security/ api/v1/ helloworld?id=michaelisbitski’

Yes, that’s a vain attempt at an API joke and not your browser having issues. I wanted to draft this post to shed some light...

Michael Isbitski
Michael Isbitski
January 8, 2021

Three API Security Challenges Every Security Professional Should Be Prepared For

Changes to APIs create new challenges for security teams. See what should be top of mind for any security professional tasked with protecting APIs.

Chris Westphal
Chris Westphal
December 23, 2020

APIs Have Changed – and They’re Changing the Security Landscape

The reality is, APIs today are very different from the web APIs of the early 2000s, and these changes impact the way we need to think about the API security landscape.

Chris Westphal
Chris Westphal
December 18, 2020

The Power of Having Sequoia in your Court

We set out to empower customer success and innovation by securing every API. On the heels of our Series A funding, we’ve raised a $30 million B round, led by Sequoia Capital, with Carl Eschenbach joining our board.

Michael Nicosia
Michael Nicosia
December 7, 2020

Securing APIs – It’s Different Than Securing Apps

I recently tuned into a CISO panel discussion and one of the panelists said something that struck me – “Application security today is less about the applications and more about the APIs.”

Chris Westphal
Chris Westphal
November 24, 2020

Is OAS Enough For API Security?

The OpenAPI Specification (OAS) is a way to describe and create API documentation. Learn some of the ways dev and security teams use the OAS and why it falls short when it comes to securing your APIs.

Chris Westphal
Chris Westphal
November 19, 2020

Can API Security Be Wholly Solved in Development?

Organizations are working hard to “shift left” with security and improve the security of code. Learn why in APIs, improving security during build and initial deployment cannot provide the full answer.

Chris Westphal
Chris Westphal
November 13, 2020

ITProTV Technado Podcast With Roey Eliyahu

Salt Security co-founder and CEO Roey Eliyahu joined the Technado Podcast this week to discuss arguably one of the most vulnerable things security teams often overlook: APIs.

Chris Westphal
Chris Westphal
October 30, 2020

What Are JWTs And Are They Vulnerable To Attacks?

In episode 5 of API Security With A Pinch Of Salt, we talk about JSON Web Tokens (JWTs), an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting info between parties as a JSON object.

Chris Westphal
Chris Westphal
August 28, 2020

What Can Attackers Do With API Vulnerabilities?

Episode number 4 of API Security With A Pinch Of Salt is here. In this episode Chris and Ran talk about what attackers are going after when they target APIs and what they can do if they find and successfully exploit a vulnerability.

Chris Westphal
Chris Westphal
August 4, 2020

WAFs, What Are They Good For?

Get ready for episode number 3 of our video series called API Security With A Pinch Of Salt. In this episode, Adam and Chris answer the question - WAFs, what are they good for?

Chris Westphal
Chris Westphal
July 16, 2020

The Importance Of API Documentation

It’s time for episode number 2 of our video series called API Security With A Pinch Of Salt. In this episode, Adam, Chris and Ran dig into the topic of the importance of API documentation.

Chris Westphal
Chris Westphal
June 25, 2020

When Gartner Realizes How “Cool” You Are

You always think the tech you’re working on is cool, but when Gartner names you a Cool Vendor, you know you’ve delivered a powerful solution.

Roey Eliyahu
Roey Eliyahu
May 18, 2020

Using API Gateways For Security

Today we kick off a video series called API Security With A Pinch Of Salt where we dig deep into API security. In this first episode, Adam, Chris and Ran tackle the topic of using API Gateways for Security.

Chris Westphal
Chris Westphal
May 6, 2020

Protecting Digital Platforms – What I’m Hearing From CISOs

In light of accelerated transformation, digital platforms are now a more critical part of our lives and I’m thankful for the companies that continue to provide these services. Had we seen a similar situation 15 or 20 years back, how would we have managed?

Roey Eliyahu
Roey Eliyahu
April 7, 2020

Salt Security COVID-19 Update

Whether you’re already a Salt Security customer or considering Salt Security to help you protect your critical applications and services from API attacks, we are committed to API security and have comprehensive plans in place to ensure the Platform remains up and running to support our customers.

Roey Eliyahu
Roey Eliyahu
March 17, 2020

What Sutton’s Law Means For Open Banking

As our society continues to increasingly operate online with banking, shopping, food delivery, ride-sharing, and the many cloud services, cybercriminals have a never-ending route to breach the defenses of financial companies.

Adam Fisher
Adam Fisher
February 12, 2020

Salt Security API Protection Explained

Are you wondering what Salt Security does, what challenges we solve for, and how we do it? Check out this explainer video that answer all of those questions in just over one minute.

Chris Westphal
Chris Westphal
February 11, 2020

Why I Joined Salt Security

Imagine you’re on ICQ one night, and you see this dude jumping into your chat room. Before long the two of you start to argue like a couple of schoolgirls and the “dude” says that he’s gonna burn you, so you challenge him to bring it on!

Adam Fisher
Adam Fisher
October 31, 2019

What Is The OWASP API Security Top 10

The Open Web Application Security Project has been around since 2001 and is best known for the OWASP Web Application Security Top 10 which has set the standard for how orgs have approached security to protect traditional web applications.

Chris Westphal
Chris Westphal
October 8, 2019

How Martial Arts Can Help You Eliminate API Vulnerabilities

In college, a good friend of mine got deeply involved in the martial art Aikido and instead of directly attacking, the defender would wait for a move from their opponent, like a lunge, and harness that momentum to take control.

Chris Westphal
Chris Westphal
August 21, 2019

Announcing Salt Security Integration With Kong API Gateway

At Salt Security one of our philosophies is to provide solutions that help simplify processes, and save time, rather than introduce additional complexities. This is especially important when it comes to security.

Chris Westphal
Chris Westphal
August 5, 2019

Testing and Hacking APIs + OWASP TLV Sessions

If you didn’t make it to OWASP Global AppSec Tel Aviv last month I wanted to share that the team recently published videos from the event...…you can check out the entire lineup of 44 videos in the playlist here.

Salt
Salt
July 23, 2019

OWASP Global AppSec Tel Aviv Recap

OWASP Global AppSec 2019 happened recently in Tel Aviv and I was lucky enough to attend, present a few sessions, meet some new people and have lots of great conversations.

Salt
Salt
June 26, 2019

How to Control Top API Security Risks

Whether you realize it or not APIs are everywhere around us and they exchange sensitive data constantly, making them a rich target for attackers, which explains why we’ve seen a significant increase in attacks targeting APIs in recent years.

Chris Westphal
Chris Westphal
April 4, 2019

How Modern Web Applications Changed the Way Enterprises Should Handle Security

The non-stop news of security breaches in recent years underscores a growing realization that organizations need to fundamentally rethink the way they protect their applications and data.

Roey Eliyahu
Roey Eliyahu
March 21, 2019

Come See Us At RSAC 2019

RSA Conference 2019 is just a week away and we couldn’t be more excited. 2019 has been a big year for us already and we continue the momentum with RSAC 2019.

Chris Westphal
Chris Westphal
February 25, 2019

We’re Committed To Security and Have SOC 2 To Prove It

Confidence is important when you decide to engage with a vendor. You want to know that vendor is able to deliver the service and you want to have confidence that your data is secure in their hands (or cloud as the case may be).

Chris Westphal
Chris Westphal
January 28, 2019

What Moving To the Bay Area Taught Me About Loving My Pentesting Tools

Most app security engineers I’ve met have settled down and found their special one. They stick with that one, stay committed, and never have a second thought about another. I’m talking about Burp and Fiddler.

Salt
Salt
December 6, 2018

Lessons Learned – USPS API Vulnerability and 60 Million Exposed Users

You’ve probably seen the news about the USPS vulnerability where an attacker with simple access to usps.com, an understanding of the API logic, and no special tools could easily manipulate that logic to get a dump of data.

Chris Westphal
Chris Westphal
November 28, 2018

API Protection – What You Need To Know In The New API Economy

Technology is constantly evolving. We’ve seen this in recent years in the way applications are developed (e.g. CI/CD), delivered (e.g. microservices and cloud), and consumed (e.g. more SaaS and mobile devices).

Salt
Salt
November 14, 2018

Tags

API Attack Analysis
API Attack Methodology
API Attack Prevention
API Security 101
API Security Strategy
API Vulnerability Analysis
Awards
CISO
Company Updates
Compliance
Customers
Events
Financial Services
OWASP API Top 10
Product Updates
Research
Salt Labs
Technology Partners
Video
Webinar

Posts by