The unsafe consumption of APIs can lead to security breaches, exposing sensitive data, user credentials, or proprietary information, as attackers may exploit vulnerabilities in API usage to gain unauthorized access, execute arbitrary code, or perform unauthorized actions within the system.
Improper Inventory Management is the ninth security threat listed in the OWASP API Security Top 10. By exploiting this vulnerability, attackers can gain unauthorized access to sensitive data, or even gain full server access through old, unpatched or vulnerable versions of APIs.
There are certainly cases where security misconfiguration can be the result of something basic like a missing patch, but some misconfigurations are far stealthier and can be obscured by complex architectures.
A Server Side Request Forgery (SSRF) API attack occurs when an attacker manipulates an API endpoint to make the targeted server perform unintended requests on behalf of the attacker.
This threat has replaced Mass Assignment as number 6 on the OWASP API Security Top 10 list. It occurs when an API exposes a business flow without compensating for how the functionality could cause harm if used excessively through automation.
Broken function level authorization (BFLA) has been identified as the fifth most critical threat to APIs in the OWASP API Security Top 10, and for good reason.
API requests consume resources such as network, CPU, memory, and storage. The amount of resources required to satisfy a request greatly depends on the input from the user and the business logic of the endpoint.
An API security solution must be able to identify and report on the large variety of sensitive data types that can be sent in API requests and responses, as well as any anomalous activity where attackers send manipulated API requests with unauthorized parameters.
Broken authentication is the second most critical API security threat listed in the OWASP API Security Top 10. Common examples of attacks targeting broken authentication include API enumeration and brute-forcing attacks that make high volumes of API requests with minor changes.
Failure to enforce authorization at the object level can lead to data exfiltration as well as unauthorized viewing, modification, or destruction of data.
In this post and subsequent additions to the series, we dig into each of the Open Web Application Security Project (OWASP) API Security Top 10 in detail.
Because organizations can’t know every possible application logic flaw that exists when they put an API into production, these attacks can be extremely difficult to detect.
The latest Salt Labs State of API Security report is out, and we’re excited to share with you some of the key findings.
Unfortunately, threats do not stop at API security. Today’s organizations – and the world – face inordinate security risks. What other threats and trends can we expect to see in the coming year?
Salt has released a new ebook, “How Protecting Your APIs Protects Your Bottom Line,” exploring some of the bottom-line gains leaders can point to while considering investing in API security.
In our new White Paper, we have taken a close look at the MITRE ATT&CK Enterprise Matrix – essentially a superset of all the matrices.
WAAPs are more advanced than WAFs, and play an important role in an organization’s larger API security strategy, but still don’t and can’t holistically solve the problem of API security.
Technology has advanced incredibly fast in the automotive field, and manufacturers are developing new applications quickly to capitalize on the endless possibilities. But what about security?
Third-party APIs contribute to a sprawling API attack surface and can be a security risk if they are not properly inventoried, governed, tested, monitored, or maintained.
To adopt open banking fully, consumers must trust the safety and security of their data, and to woo customers, banks must apply new security measures in this new digital banking world.
Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, joined our recent API Security Summit. Dr. Chuvakin’s session – co-hosted by Salt Security's Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem.
The monetary growth opportunities promised by APIs are immense, but to harness them, CISOs must ensure the protection of their APIs.
With the industry moving to microservices and API-driven applications, new security threats and attack vectors have emerged. The PCI Security Standards Council has worked to address these threats in its newest PCI DSS 4.0 standard.
It’s not enough to find and block attackers exploiting a vulnerability in your API. You will also want to remediate the security gap in your APIs.
Why are we seeing such a constant stream of API-based attacks? Quite simply, APIs are lucrative for attackers.
Zombies, Shadows, and Ghosts hide in plain sight as APIs in your infrastructure, quietly extending your attack surface, patiently waiting to be called upon by some black hat.
Learn what an API Gateway is and get a better understanding of how the various API tools can layer together to detect and prevent the most frequent API attacks.
Get all your API security questions answered and learn what’s needed to effectively protect your organization’s APIs across the entire API lifecycle.
Salt Security's Roey Eliyahu and TAG Cyber's Ed Amoroso sat down together for a joint webinar on API security and zero trust. Check out the takeaways.
As attackers have jumped on the API bandwagon, API threats have also changed, contributing further to the risks and demanding a new approach to protect APIs.
The booming API ecosystem leaves some industries more at risk than others. Financial services organizations, insurance companies and retail brands rise to the top.
It’s cool to win banks as customers – it’s even more cool when they go public with the news!
In today’s digitalized financial services landscape, find out what's propelling an urgent need for better API security.
Only Salt Security, the industry’s only patented API security solution, can fully protect against the next generation of API attacks.
Account Takeover, or ATO, is a form of cybersecurity attack in which a cybercriminal steals usernames and passwords.
Your complete guide to API Security, covering the OWASP API Security Top 10, the most common types of API attacks, best practices to reduce risk and how to deploy in production.
Salt Security describes and analyzes the top misconceptions that we’ve found people often have about their API security.
Sharing runtime insights to harden APIs brings a lot of value into the process. Listen to the API Security Summit on-demand.
The Salt Security team recently achieved another milestone with the launch of the industry’s first API Security Summit.
At our recent API Security Summit – the industry’s first summit dedicated entirely to API security – we had the opportunity to chat with six senior security executives about their approaches to protecting these vital assets.
Salt Security releases the latest findings of its bi-annual report on API security trends.
Dedicated API security tooling, and specifically platforms that provide full life cycle security capabilities, help organizations that are facing the problem of API sprawl.
The Salt API Security Maturity Model was created with simplicity in mind rather than the complexity that comes with hundreds of activities and measures.
Salt Security has compiled a list of API security best practices based on field experience and customer feedback.
Gartner just released a new report on API Security, Predicts 2022: APIs Demand Improved Security and Management.
If 2022 is anything like 2021, we’ll see no shortage of API-related events this coming year. In no particular order of likelihood or preference, take a look at seven predictions for API security for 2022.
We’ve spotlighted the seven biggest API security incidents in 2021 that plagued many different companies of different sizes and across verticals and highlighted what we can take away from each event.
As part of our continuing mission here at Salt to educate the broader industry, our technical evangelist, Michael Isbitski, provides a comprehensive overview of the challenges and best practices in API security.
This API Security Checklist will help you close the gaps in your API security strategy based on industry best practices.
Our fully automated process makes it quick and easy to set up VPC Traffic Mirroring and enable advanced protection for all your AWS-based APIs.
Follow these REST API security best practices to ensure the design of your REST APIs takes into account security, performance, and ease of use.
The data makes it clear: more companies are suffering more API attacks than ever, and companies remain as ill-prepared as ever.
Recently Gartner analysts Mark O'Neill and Dionisio Zumerle teamed up on a webinar titled API Security: Protect your APIs from Attacks and Data Breaches. Read on for highlights, insights and perspective on the session covering API security.
APIs are at the core of open banking, enabling financial institutions to standardize how they create and connect to an ecosystem of providers to exchange financial data. To a large degree, open banking has ushered in a democratization of banking across the globe and this has all been possible thanks to APIs.
With the proliferation of APIs in all modern applications, understanding the ins and outs of APIs is more critical than ever.
Today we’re kicking off a new tech talk video series called Building Context, where we’ll be covering a range of topics around APIs and API security.
Zero trust principles and the technologies that have emerged inevitably promote dynamic access control that is informed by application context, identity, and behaviors.
As APIs have increased in prominence and as a target for attacks, organizations have become more aware of the need for proper security, but as with adopting any new technology, misconceptions persist about how to get it right.
Columbo was a master of context. The lieutenant was famous for his catchphrase “Just one more thing,” heard countless times by suspects as he chipped away at a case, gathering small, obscure pieces of the puzzle and putting them together to form the bigger picture and ultimately solve the case.
On a recent webinar with Security Boulevard, we were fortunate to host Nir Valtman, Finastra head of product and data security, to share insights into his API security journey. You can view the entire session on the Salt YouTube channel, and here are some of the highlights from the discussion.
Learn what pain points we uncovered as we set out to understand the state of API security – a critical window into broader enterprise security trends given that APIs underlie every revenue-generating application today.
Changes to APIs create new challenges for security teams. See what should be top of mind for any security professional tasked with protecting APIs.
The reality is, APIs today are very different from the web APIs of the early 2000s, and these changes impact the way we need to think about the API security landscape.
I recently tuned into a CISO panel discussion and one of the panelists said something that struck me – “Application security today is less about the applications and more about the APIs.”
The OpenAPI Specification (OAS) is a way to describe and create API documentation. Learn some of the ways dev and security teams use the OAS and why it falls short when it comes to securing your APIs.
Salt Security co-founder and CEO Roey Eliyahu joined the Technado Podcast this week to discuss arguably one of the most vulnerable things security teams often overlook: APIs.
In episode 5 of API Security With A Pinch Of Salt, we talk about JSON Web Tokens (JWTs), an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting info between parties as a JSON object.
Episode number 4 of API Security With A Pinch Of Salt is here. In this episode Chris and Ran talk about what attackers are going after when they target APIs and what they can do if they find and successfully exploit a vulnerability.
Get ready for episode number 3 of our video series called API Security With A Pinch Of Salt. In this episode, Adam and Chris answer the question - WAFs, what are they good for?
It’s time for episode number 2 of our video series called API Security With A Pinch Of Salt. In this episode, Adam, Chris and Ran dig into the topic of the importance of API documentation.
Today we kick off a video series called API Security With A Pinch Of Salt where we dig deep into API security. In this first episode, Adam, Chris and Ran tackle the topic of using API Gateways for Security.
In light of accelerated transformation, digital platforms are now a more critical part of our lives and I’m thankful for the companies that continue to provide these services. Had we seen a similar situation 15 or 20 years back, how would we have managed?
Are you wondering what Salt Security does, what challenges we solve for, and how we do it? Check out this explainer video that answers all of those questions in just over one minute.
The Open Web Application Security Project has been around since 2001 and is best known for the OWASP Web Application Security Top 10 which has set the standard for how orgs have approached security to protect traditional web applications.
In college, a good friend of mine got deeply involved in the martial art Aikido, in which, instead of directly attacking, the defender waits for a move from their opponent, like a lunge, and harnesses that momentum to take control.
Whether you realize it or not, APIs are everywhere around us and they exchange sensitive data constantly, making them a rich target for attackers, which explains why we’ve seen a significant increase in attacks targeting APIs in recent years.
The non-stop news of security breaches in recent years underscores a growing realization that organizations need to fundamentally rethink the way they protect their applications and data.