Findings from Salt Security's long-standing internal research team will now be made public to increase education on API vulnerabilities and security issues as API attacks grow to an all-time high
PALO ALTO, Calif. – July 14, 2021 – Salt Security, the leading API security company, today announced the launch of Salt Labs, a now-public forum for publishing research on API vulnerabilities. Through its vulnerability and threat research as well as industry reports, Salt Labs will be a resource for enterprises looking to harden infrastructure against API risk. It will also be a source of more widespread public awareness of API security threats, furthering the mission of Salt Security to provide comprehensive API security and accelerate business innovation by making APIs attack-proof.
API security concerns have become a significant inhibitor of business innovation. According to the Salt Security State of API Security Report, 66% of organizations have delayed the deployment of a new application because of API security concerns. To counter these concerns, Salt Labs will provide research and reports organizations can use to improve their API security posture and mitigate threats impacting API-centric businesses. Utilizing a deep technical understanding of API threats, security gaps, and misconfigurations, Salt Labs will focus on delivering high-impact threat research, uncovering the latest API attack vectors, and providing remediation best practices to make API security programs increasingly agile and actionable.
“APIs represent an important and often overlooked threat vector that presents a range of challenges often not included in research efforts,” said Steve Ward, CISO, The Home Depot. “We look forward to the dividends of the public research efforts of Salt Labs, which will increase our awareness of emerging API risks and help us harden our application environments to better protect both our employees and customers.”
The private sharing of API threat research findings to date has highlighted the need for more education related to key API security issues and vulnerabilities, which are too often thought to be thwarted by traditional tools such as web application firewalls (WAFs) and API gateways. Salt Labs aims to enhance users’ abilities to recognize security gaps within their own APIs, enabling them to take aggressive, proactive action to harden their APIs and associated back-end systems. As a result, more companies will be able to secure the integrity and protection of sensitive customer and business-critical data.
“With the growth of APIs and the central role they play in today’s application environments, the need for unbiased, relevant, and reliable research has prompted us to share the groundbreaking API security research that our team has been conducting for years,” said Roey Eliyahu, co-founder and CEO, Salt Security. “Salt Labs is dedicated to extending the safety of enterprises as they innovate in our increasingly digital and connected world. By now making this research public, we will increase education around API security and related attack vectors so that organizations of all types can strengthen their API security measures.”
Today’s inaugural vulnerability research highlights several API security gaps at a large financial institution. Salt Labs researchers identified inadequate authorization for data access, inadequate authorization for function access, susceptibility to parameter tampering, and improper input filtering across the financial platform used by thousands of customers and financial partners. The Salt Labs researchers exploited these vulnerabilities to demonstrate that:
1. Any user could read any financial records of any customer, despite lacking the proper authorization
2. Any user could delete any customer’s user accounts across the financial platform
3. Any user could tamper with authentication parameters and take over any account
4. Any user could launch an application-level denial of service attack that would render entire applications unavailable
To learn more about Salt Labs and its research, or to join the Salt Labs team, please visit https://salt.security/salt-labs.