The API Security Blog | Salt Security

What happened in the Experian API leak?

While it is technically true that Experian’s systems weren’t directly breached, private data was most certainly leaked

May 5, 2021

How APIs streamlined app dev for DeinDeal – and broke security

We’re thrilled to announce that Salt is enabling DeinDeal, the Swiss e-commerce leader, to secure its APIs across build and runtime.

Michelle McLean

April 28, 2021

How shift-left extremism is harming your API security strategy

Establishing and gaining adoption of secure build pipeline approaches is a multi-year endeavor for organizations.

Michael Isbitski

April 26, 2021

Building API Context With A New Tech Talk Video Series

Today we’re kicking off a new tech talk video series called Building Context, where we’ll be covering a range of topics around APIs and API security.

Chris Westphal

April 23, 2021

MythBusters API Edition: Zero Trust and its limitations for API Security

Zero trust principles and the technologies that have emerged inevitably promote dynamic access control that is informed by application context, identity, and behaviors.

Michael Isbitski

April 20, 2021

3 Reasons You Might Be Failing at API Security

As APIs have increased in prominence and as a target for attacks, organizations have become more aware of the need for proper security, but as with adopting any new technology, misconceptions persist about how to get it right.

Chris Westphal

April 15, 2021

High-stakes API Security – Protecting Armis’ Security Platform

Armis wanted an approach to API security that would cover the full lifecycle of APIs – both build and runtime. After researching options, the Armis team picked Salt.

Michelle McLean

April 14, 2021

Salt Security + MuleSoft – Supercharge Your API Security Strategy

Salt Security is combining efforts with MuleSoft to bring best-of-breed API security to the market leader in API management and integration, the MuleSoft Anypoint Platform.

Michael Isbitski

April 1, 2021

Understanding the Security Impacts of the iPhone Call Recording App Vulnerability

Our discussion focuses on steps you can take for better API security, and we also include some interesting mobile security and cloud security aspects.

Michael Isbitski

March 18, 2021

Stopping API Attacks: Columbo, Correlation, and Context

Columbo was a master of context. The lieutenant was famous for his catchphrase “Just one more thing,” heard countless times by suspects as he chipped away at a case, gathering small, obscure pieces of the puzzle and putting them together to form the bigger picture and ultimately solve the case.

Chris Westphal

March 8, 2021

API10:2019 Insufficient Logging & Monitoring

Insufficient logging and monitoring combined with missing or ineffective integration with incident response, allows attackers to perform reconnaissance, exploit or abuse APIs, compromise systems, maintain persistence, advance attacks, and move laterally across environments without being detected.

Michael Isbitski

March 5, 2021

API9:2019 Improper Assets Management

Maintaining a complete, up to date API inventory with accurate documentation is critical to understanding potential exposure and risk.

Michael Isbitski

March 3, 2021

Taking Home the Gold! And the Silver, and another Silver …

We here at Salt are excited to share that our company and industry-first API security platform have earned us three major kudos.

Michelle McLean

March 1, 2021

API8:2019 Injection

Injection flaws are very common in the web application space, and they carry over to web APIs.

Michael Isbitski

February 26, 2021

API7:2019 Security Misconfiguration

This issue is a catch-all for a wide range of security misconfigurations that often negatively impact API security as a whole and introduce vulnerabilities inadvertently.

Michael Isbitski

February 25, 2021

API6:2019 Mass Assignment

API security solutions must be able to identify anomalous API activity where attackers send manipulated API requests with unauthorized parameters.

Michael Isbitski

February 19, 2021

API5:2019 Broken Function Level Authorization

API security solutions must be able to identify and prevent attackers or unauthorized users from accessing administrative level capabilities or unauthorized functionality.

Michael Isbitski

February 18, 2021

Lessons from the FinTech Trenches Securing APIs at Finastra

On a recent webinar with Security Boulevard, we were fortunate to host Nir Valtman, Finastra head of product and data security, to share insights into his API security journey. You can view the entire session on the Salt YouTube channel, and here are some of the highlights from the discussion.

Chris Westphal

February 16, 2021

API4:2019 Lack of Resources & Rate Limiting

API requests consume resources such as network, CPU, memory, and storage. The amount of resources required to satisfy a request greatly depends on the input from the user and the business logic of the endpoint.

Michael Isbitski

February 12, 2021

API3:2019 Excessive Data Exposure

Exploitation of Excessive Data Exposure is simple, and is usually performed by sniffing the traffic to analyze the API responses, looking for sensitive data exposure that should not be returned to the user.

Michael Isbitski

February 10, 2021

Top Findings from Industry’s First State of API Security Report

Learn what pain points we uncovered as we set out to understand the state of API security – a critical window into broader enterprise security trends given that APIs underlie every revenue-generating application today.

Michelle McLean

February 3, 2021

API2:2019 Broken User Authentication

Authentication in APIs is a complex and confusing topic. Software and security engineers might have misconceptions about what the boundaries of authentication are and how to correctly implement it.

Michael Isbitski

February 2, 2021

OWASP API Security Top 10 Explained

In this post and subsequent additions to the series, we dig into each of the Open Web Application Security Project (OWASP) API Security Top 10 in detail.

Michael Isbitski

January 27, 2021

Unpacking the Parler Data Breach

While the shutdown of Parler remains politically charged, the event offers some valuable technical lessons worth reviewing, many of which tie directly into API security and how best to protect sensitive data.

Michael Isbitski

January 21, 2021

GET ‘https://salt.security/ api/v1/ helloworld?id=michaelisbitski’

Yes, that’s a vain attempt at an API joke and not your browser having issues. I wanted to draft this post to shed some light...

Michael Isbitski

January 8, 2021

Three API Security Challenges Every Security Professional Should Be Prepared For

Changes to APIs create new challenges for security teams. See what should be top of mind for any security professional tasked with protecting APIs.

Chris Westphal

December 23, 2020

APIs Have Changed – and They’re Changing the Security Landscape

The reality is, APIs today are very different from the web APIs of the early 2000s, and these changes impact the way we need to think about the API security landscape.

Chris Westphal

December 18, 2020

The Power of Having Sequoia in your Court

We set out to empower customer success and innovation by securing every API. On the heels of our Series A funding, we’ve raised a $30 million B round, led by Sequoia Capital, with Carl Eschenbach joining our board.

Michael Nicosia

December 7, 2020

Securing APIs – It’s Different Than Securing Apps

I recently tuned into a CISO panel discussion and one of the panelists said something that struck me – “Application security today is less about the applications and more about the APIs.”

Chris Westphal

November 24, 2020

Is OAS Enough For API Security?

The OpenAPI Specification (OAS) is a way to describe and create API documentation. Learn some of the ways dev and security teams use the OAS and why it falls short when it comes to securing your APIs.

Chris Westphal

November 19, 2020

Can API Security Be Wholly Solved in Development?

Organizations are working hard to “shift left” with security and improve the security of code. Learn why in APIs, improving security during build and initial deployment cannot provide the full answer.

Chris Westphal

November 13, 2020

ITProTV Technado Podcast With Roey Eliyahu

Salt Security co-founder and CEO Roey Eliyahu joined the Technado Podcast this week to discuss arguably one of the most vulnerable things security teams often overlook: APIs.

Chris Westphal

October 30, 2020

What Are JWTs And Are They Vulnerable To Attacks?

In episode 5 of API Security With A Pinch Of Salt, we talk about JSON Web Tokens (JWTs), an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting info between parties as a JSON object.

Chris Westphal

August 28, 2020

What Can Attackers Do With API Vulnerabilities?

Episode number 4 of API Security With A Pinch Of Salt is here. In this episode Chris and Ran talk about what attackers are going after when they target APIs and what they can do if they find and successfully exploit a vulnerability.

Chris Westphal

August 4, 2020

WAFs, What Are They Good For?

Get ready for episode number 3 of our video series called API Security With A Pinch Of Salt. In this episode, Adam and Chris answer the question - WAFs, what are they good for?

Chris Westphal

July 16, 2020

The Importance Of API Documentation

It’s time for episode number 2 of our video series called API Security With A Pinch Of Salt. In this episode, Adam, Chris and Ran dig into the topic of the importance of API documentation.

Chris Westphal

June 25, 2020

When Gartner Realizes How “Cool” You Are

You always think the tech you’re working on is cool, but when Gartner names you a Cool Vendor, you know you’ve delivered a powerful solution.

Roey Eliyahu

May 18, 2020

Using API Gateways For Security

Today we kick off a video series called API Security With A Pinch Of Salt where we dig deep into API security. In this first episode, Adam, Chris and Ran tackle the topic of using API Gateways for Security.

Chris Westphal

May 6, 2020

Protecting Digital Platforms – What I’m Hearing From CISOs

In light of accelerated transformation, digital platforms are now a more critical part of our lives and I’m thankful for the companies that continue to provide these services. Had we seen a similar situation 15 or 20 years back, how would we have managed?

Roey Eliyahu

April 7, 2020

Salt Security COVID-19 Update

Whether you’re already a Salt Security customer or considering Salt Security to help you protect your critical applications and services from API attacks, we are committed to API security and have comprehensive plans in place to ensure the Platform remains up and running to support our customers.

Roey Eliyahu

March 17, 2020

What Sutton’s Law Means For Open Banking

Bank robber Willie Sutton (1901-1980) did reasonably well making off with an estimated $2 million in illegal earnings throughout his career. He was a rash and resourceful robber who used disguises and trickery to achieve his ends.

Adam Fisher

February 12, 2020

Salt Security API Protection Explained

Are you wondering what Salt Security does, what challenges we solve for, and how we do it? Check out this explainer video that answer all of those questions in just over one minute.

Chris Westphal

February 11, 2020

Why I Joined Salt Security

Imagine you’re on ICQ one night, and you see this dude jumping into your chat room. Before long the two of you start to argue like a couple of schoolgirls and the “dude” says that he’s gonna burn you, so you challenge him to bring it on!

Adam Fisher

October 31, 2019

What Is The OWASP API Security Top 10

The Open Web Application Security Project has been around since 2001 and is best known for the OWASP Web Application Security Top 10 which has set the standard for how orgs have approached security to protect traditional web applications.

Chris Westphal

October 8, 2019

How Martial Arts Can Help You Eliminate API Vulnerabilities

In college, a good friend of mine got deeply involved in the martial art Aikido and instead of directly attacking, the defender would wait for a move from their opponent, like a lunge, and harness that momentum to take control.

Chris Westphal

August 21, 2019

Announcing Salt Security Integration With Kong API Gateway

At Salt Security one of our philosophies is to provide solutions that help simplify processes, and save time, rather than introduce additional complexities. This is especially important when it comes to security.

Chris Westphal

August 5, 2019

Testing and Hacking APIs + OWASP TLV Sessions

If you didn’t make it to OWASP Global AppSec Tel Aviv last month I wanted to share that the team recently published videos from the event...…you can check out the entire lineup of 44 videos in the playlist here.

Salt

July 23, 2019

OWASP Global AppSec Tel Aviv Recap

OWASP Global AppSec 2019 happened recently in Tel Aviv and I was lucky enough to attend, present a few sessions, meet some new people and have lots of great conversations.

Salt

June 26, 2019

How to Control Top API Security Risks

Whether you realize it or not APIs are everywhere around us and they exchange sensitive data constantly, making them a rich target for attackers, which explains why we’ve seen a significant increase in attacks targeting APIs in recent years.

Chris Westphal

April 4, 2019

How Modern Web Applications Changed the Way Enterprises Should Handle Security

The non-stop news of security breaches in recent years underscores a growing realization that organizations need to fundamentally rethink the way they protect their applications and data.

Roey Eliyahu

March 21, 2019

Come See Us At RSAC 2019

RSA Conference 2019 is just a week away and we couldn’t be more excited. 2019 has been a big year for us already and we continue the momentum with RSAC 2019.

Chris Westphal

February 25, 2019

We’re Committed To Security and Have SOC 2 To Prove It

Confidence is important when you decide to engage with a vendor. You want to know that vendor is able to deliver the service and you want to have confidence that your data is secure in their hands (or cloud as the case may be).

Chris Westphal

January 28, 2019

What Moving To the Bay Area Taught Me About Loving My Pentesting Tools

Most app security engineers I’ve met have settled down and found their special one. They stick with that one, stay committed, and never have a second thought about another. I’m talking about Burp and Fiddler.

Salt

December 6, 2018

Lessons Learned – USPS API Vulnerability and 60 Million Exposed Users

You’ve probably seen the news about the USPS vulnerability where an attacker with simple access to usps.com, an understanding of the API logic, and no special tools could easily manipulate that logic to get a dump of data.

Chris Westphal

November 28, 2018

API Protection – What You Need To Know In The New API Economy

Technology is constantly evolving. We’ve seen this in recent years in the way applications are developed (e.g. CI/CD), delivered (e.g. microservices and cloud), and consumed (e.g. more SaaS and mobile devices).

Salt

November 14, 2018

Subscribe to the Salt blog

Salt Security Blog

Welcome to our blog about all things in and around the world of APIs and API security.

What happened in the Experian API leak?

How APIs streamlined app dev for DeinDeal – and broke security

How shift-left extremism is harming your API security strategy

Building API Context With A New Tech Talk Video Series

MythBusters API Edition: Zero Trust and its limitations for API Security

3 Reasons You Might Be Failing at API Security

High-stakes API Security – Protecting Armis’ Security Platform

Salt Security + MuleSoft – Supercharge Your API Security Strategy

Understanding the Security Impacts of the iPhone Call Recording App Vulnerability

Stopping API Attacks: Columbo, Correlation, and Context

API10:2019 Insufficient Logging & Monitoring

API9:2019 Improper Assets Management

Taking Home the Gold! And the Silver, and another Silver …

API8:2019 Injection

API7:2019 Security Misconfiguration

API6:2019 Mass Assignment

API5:2019 Broken Function Level Authorization

Lessons from the FinTech Trenches Securing APIs at Finastra

API4:2019 Lack of Resources & Rate Limiting

API3:2019 Excessive Data Exposure

Top Findings from Industry’s First State of API Security Report

API2:2019 Broken User Authentication

OWASP API Security Top 10 Explained

Unpacking the Parler Data Breach

GET ‘https://salt.security/ api/v1/ helloworld?id=michaelisbitski’

Three API Security Challenges Every Security Professional Should Be Prepared For

APIs Have Changed – and They’re Changing the Security Landscape

The Power of Having Sequoia in your Court

Securing APIs – It’s Different Than Securing Apps

Is OAS Enough For API Security?

Can API Security Be Wholly Solved in Development?

ITProTV Technado Podcast With Roey Eliyahu

What Are JWTs And Are They Vulnerable To Attacks?

What Can Attackers Do With API Vulnerabilities?

WAFs, What Are They Good For?

The Importance Of API Documentation

When Gartner Realizes How “Cool” You Are

Using API Gateways For Security

Protecting Digital Platforms – What I’m Hearing From CISOs

Salt Security COVID-19 Update

What Sutton’s Law Means For Open Banking

Salt Security API Protection Explained

Why I Joined Salt Security

What Is The OWASP API Security Top 10

How Martial Arts Can Help You Eliminate API Vulnerabilities

Announcing Salt Security Integration With Kong API Gateway

Testing and Hacking APIs + OWASP TLV Sessions

OWASP Global AppSec Tel Aviv Recap

How to Control Top API Security Risks

How Modern Web Applications Changed the Way Enterprises Should Handle Security

Come See Us At RSAC 2019

We’re Committed To Security and Have SOC 2 To Prove It

What Moving To the Bay Area Taught Me About Loving My Pentesting Tools

Lessons Learned – USPS API Vulnerability and 60 Million Exposed Users

API Protection – What You Need To Know In The New API Economy