Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

Salt Labs

Formalizing our API Security Research with the Launch of Salt Labs

Roey Eliyahu
Jul 14, 2021

In many ways, our announcement today about the formation of Salt Labs has been five years in the making. I came up with the need for Salt Security as a result of the expertise gained in the elite cyber security unit in the IDF and spending years in a number of roles where I saw the growing problem of API security. My research showed APIs to be a highly fruitful target and among the least protected assets — API security research has been at our heart from day one.

And my love of hacking goes back much farther. Ever since I started programming at the age of 9, hacking has been a big part of my exploration and self education. Sometimes, when we are evaluating a SaaS solution, I get curious about how well secured the system's APIs are. For example, I was recently pitched on a stock option management platform — the company balked when I declined to sign on, noting their APIs weren’t secure enough, and through a common vulnerability I was able to retrieve the stock details and  option tally of the chairman of the board for one of their lead reference customers.

From the start, Salt Security has been the leading company in API security — we’ve defined and shaped this product category, and that leadership role brings with it a great responsibility. It's impossible to lead if you are not out in front of the latest and greatest in API threats. We’ve educated hundreds of organizations on API security, and our researchers have been core to this process from the beginning. The results of their hacking — performed with permission — forms a major part of our customers’ education. That's why we are evolving and formalizing our research activities with Salt Labs, to make sure that we stay ahead of any API threat to come and to educate the broader community.

We have so much to share. We nearly always find stunning security gaps in the APIs of the customers we’re supporting. To date, we’ve shared those findings only with those organizations. By anonymizing that information and extracting best practices and remediation insights, we have the opportunity to educate the broader market on API programming mistakes to avoid.

In today’s inaugural vulnerability research from Salt Labs, we detail stunning API security gaps at a large financial institution. Our security researchers found  inadequate authorization for data access, inadequate authorization for function access, susceptibility to parameter tampering, and improper input filtering. As a result, the Salt Labs team was able to show that:

1. Any user could read any financial records of any customers, despite lacking the proper authorization

2. Any user could delete any customer’s user accounts across the financial platform

3. Any user could tamper with authentication parameters and take over any account

4. Any user could launch an application-level denial of service attack that would render entire applications unavailable

Get the comprehensive list of best practices to guide your API security journey.

Unfortunately, such missteps in APIs are common — in our research, we also frequently hack public applications and services, looking for API security gaps we can incorporate into our ML and AI algorithms to make our platform more beneficial for all our customers. With this formal launch of Salt Labs, we will now take the time to document those findings publicly, after we follow responsible disclosure processes, so that once again, the broader industry can learn from our discoveries.

We’ll also incorporate broader data sources, including aggregated customer data, industry research, and survey data into our body of work. We’ll fold the “State of API Security” report under the Salt Labs team, for example, and undertake additional research on how different industries are grappling with API security.

As we take this core capability of the Salt team and open it up more publicly, we’re excited to get your feedback and input. Please let us know where you want us to focus the considerable research talents of Salt Labs going forward — use the Contact Us page to share your feedback.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

June 18, 2024

Salt Labs
Research Team

Salt Labs

Increasing API Traffic, Proliferating Attack Activity and Lack of Maturity: Key Findings from Salt Security’s 2024 State of API Security Report

The latest Salt Security State of API Security Report is out now, and we’re thrilled to give a little sneak peek of its contents.

Read more

June 12, 2024

Elad Hoffer
Head of Product R/T Protection

Product

Salt Security Leading the Way in AI-Driven API Security for Next-Generation Threat Protection and Attacker Insights

Learn how the recent introduction of advanced LLM-driven attacker insights further solidifies Salt's position as a leader in API security solutions.

Read more

June 7, 2024

Eric Schwake
Head of Product Marketing

A Salt Security Perspective on the 2024 Gartner® Market Guide for API Protection

Salt Security's API Protection Platform is AI-infused and designed to address the challenges outlined in the Gartner report.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Learn everything you need to know to keep your APIs secure

Get the guide
Back