2023 OWASP Top-10 Series: API2:2023 Broken Authentication

Welcome to the 3rd post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API2:2023 Broken Authentication. In this series we are taking an in-depth look at each category – the details, the impact and wha...

Beware of BOLA (IDOR) Vulnerabilities in Web Apps and APIs

Introduction In a recent advisory, the Cybersecurity and Infrastructure Security Agency CISA warned vendors, designers, developers, and end-user organizations of web applications about the dangers posed by Insecure Direct Object Reference IDOR vulnerabilities, now commonly referred to as BOLA...

2023 OWASP Top-10 Series: API1:2023 Broken Object Level Authorization

Welcome to the 2nd post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API1:2023 Broken Object Level Authorization. In this series we are taking an in-depth look at each category – the details, the...

API Security in 2023: Major Insights from Postman’s State of the API Report

📣 Good news for all tech enthusiasts! The highly anticipated 2023 State of the API Report, conducted by Postman - one of the leading dev tools for building APIs, is now available. This comprehensive report, produced annually, is backed by an extensive survey and offers a deep dive into the...

2023 OWASP Top-10 Series: Introduction

In early June 2023, OWASP released the final version of the OWASP API Security Top-10 list update. At that time we published a “hot take” on this final version and followed that up with an in-depth look at the new risk ratings for 2023. Today we’re kicking off a multi-post series in which we take...

Wallarm at Black Hat USA 2023 Booth #3131

Wallarm is excited to be back at Black Hat USA this year and meet with our friends in the community wanting or perhaps needing to learn more about integrated web app and API protection. We look forward to seeing you there! Expo Hours If you’re attending in person, the Business Hall is open for tw...

Q2-2023 API ThreatStats™ Report: API Exploits Are Everywhere: from NVIDIA to Reddit and more!

Our Q2-2023 API ThreatStats™ report is out. It provides API builders, defenders, breakers, and decision-makers with a comprehensive look at the API security vulnerabilities, threats and exploits reported this past quarter. This report provides everyone involved in API development, security and...

Maximizing Performance with Wallarm Filtering Nodes in Amazon’s Global Infrastructure

Introduction In todays digital landscape, ensuring the security and performance of web applications is paramount. To achieve optimal protection against cyber threats, organizations deploy web application and API protection WAAPs like Wallarm. However, to truly leverage the benefits of Wallarm,...

Introducing Integrated API Abuse Prevention to Combat Bad Bots

In recent years theres been a rise in "API Abuse" attacks, which includes detrimental automated behaviors such as malicious bots, account takeover ATO, credential stuffing, application layer L7 DDoS, data scraping, and more. For instance, in April-2021 malicious actors scraped the personal data o...

GCP ESPv2 Hit with Critical API Authorization Bypass CVE-2023-30845

This post delves into a very impactful JWT Authentication Bypass vulnerability CVE-2023-30845 found in ESP-v2, an open-source service proxy that provides API management capabilities using Google Service Infrastructure. This vulnerability allows malicious API clients to bypass JWT authentication...

What You Need To Know About MOVEit

The MOVEit Vulnerabilities and Latest Exploits. Impact On Governmental Agencies And Large Organizations Governmental agencies and large organizations around the world are being hit by ransomware attacks exploiting several vulnerabilities in MOVEit, a widely used file transfer solution. The...

OWASP APIsec Top-10 2023 Is Here | API Security Newsletter

Welcome to our May API newsletter, recapping some of the events of last month. As the old proverb goes, April showers bring May flowers – and this means the bees at the Wallarm hive have been in full foraging mode and the honey is flowing: lots of updates & improvements to the platform, and much...

Holistic API Security Strategy for 2023

In the digital landscape of 2023, Application Programming Interfaces APIs have taken center stage in business operations. APIs act as the backbone of many digital services, enabling software applications to communicate and exchange data with each other. As businesses increasingly rely on APIs for...

OWASP API Security Top-10 for 2023 Risk Ratings

As you know by now, the final version of the OWASP API Security Top-10 2023 has been released. At first blush, the final 2023 release seems to retain most of the changes in category naming, language and intent from the 2019 edition which we saw in the RC version. In this post, we are going to...

OWASP API Security Top-10 Risks for 2023 Released

Back in April we took an in-depth look at the proposed OWASP Top-10 API Security Risks list for 2023. This Release Candidate RC contained a few changes from the 4-year-old version, most notably: 1. Created a new category API3:2023RC Broken Object Property Level Authorization by essentially...

Private APIs at Risk: Q1-2023 API ThreatStats™ Report

According to a Mar-2022 API survey by Gartner, 98% of organizations use or are planning to use internal APIs – up from 88% in 2019. And 90% of organizations use or are planning to use private APIs provided by partners – up from 68% in 2019. Obviously, there’s a big blind spot in your API security...

Find APIs Hiding in the Shadows

What’s hiding in the shadows? It’s a well understood reality that unmanaged IT assets tend to be unmonitored IT assets, and that both introduce risk. Whether it’s a forgotten about application, or an unmanaged cloud storage volume, you can’t protect what you don’t know about. Attackers thrive on...

ChatGPT: Friend or Foe? | API Security Newsletter

Welcome to our April API newsletter, recapping some of the events of last month. This month’s topic is Generative AI tools e.g., ChatGPT in cybersecurity. It – along with API Security – dominated the 2023 RSA Conference, and there’s plenty of digital ink being spilled on the topic. Be sure to wat...

Connect with Wallarm at RSA 2023

We’re looking forward to seeing you at this year’s RSA Conference! Don’t forget to set up a meeting with our executives, as they would love to hear more about your team’s application security needs and chat with you about how Wallarm can help. Visit Us at Booth 6585 in the North Expo Hall Wallarm...

Changes in OWASP API Security Top-10 2023RC | API Security Newsletter

Welcome to our March API newsletter, recapping some of the events of last month. And what a month it was. Among other buzzworthy news, OWASP published the initial Release Candidate for the 2023 API Security Top-10 list – we analyzed the ins & outs and presented them over the course of a couple of...

ChatGPT Injection: a new type of API Abuse attack may steal your OpenAI API credits

ChatGPT is spreading like wildfire all over the internet, being used in everything from casual tools to cybersecurity and even industrial applications. Its so popular, I wouldnt be shocked if it starts running a nuclear power plant soon if it isnt already! Using OpenAIs ChatGPT-3.5, ChatGPT-4, an...

Insights into the New OWASP API Security Top-10 for CISOs

ICYMI, we recently presented A CISOs Guide to the New 2023 OWASP API Security Update. In this first of two planned webinars, Stepan Ilyin and Tim Ebbers provided an overview of what’s in and what’s out in the planned update and had a lively discussion about how this impacts your API security plan...

Predictions for 2023 from Latest API Threat Research | API Security Newsletter

March has arrived and is roaring like a very confused lion, at least in the northern hemisphere. And much like in the wild, brood production is increasing. Weve already seen some fruits of that labor, such as the Q4-2022 and 2022 Year-End ThreatStats™ Report, and some very tasty product upgrades...

2022 Year-End API ThreatStats™ Report

In 2022, the Wallarm Threat Research team went through almost 350,000 reports to find 650 API-specific vulnerabilities, and tracked 115 published exploits impacting these vulnerabilities – all of which could negatively impact your business risk posture. The 2022 Year-End API ThreatStats™ Report...

VMware NSX Manager vulnerabilities being actively exploited in the wild

The Wallarm Detect team has found exploit attempts in the wild of CVE-2022-31678 and CVE-2021-39144. The original vulnerabilities were found in VMware NSX Manager at the end of last year, and can lead to remote code execution RCE by pre-authenticated attackers. The CVE-2022-31678 vulnerability wa...

Q4-2022 API ThreatStats™ Report

We’re pleased to present the latest quarterly review and analysis of API vulnerabilities and exploits. This time, we’re going to split our discussion into two parts: today this quarterly review, and soon hereafter our year-in-review report. The Q4-2022 ThreatStats™ Report...

Octopus Strike! Three Argo CD API Exploits In Two Weeks

Argo CD is a popular Continuous Deployment tool that enables DevOps teams to manage their applications across multiple environments. However, in the past two weeks, three critical vulnerabilities have been detected in the tool, exposing sensitive information and compromising the security of the...

Yet More ImageMagick Vulnerabilities

ImageMagick is a popular open-source image manipulation library used by many websites and software applications to process and display images. A couple of vulnerabilities have recently been discovered in ImageMagick by MetabaseQ. Two vulnerabilities CVE-2022-44267 and CVE-2022-44268 allow attacke...

Don’t Let API Leaks Sink Your Ship | API Security Newsletter

Leaks of API keys and other secrets. The industry has been abuzz with news about attacks – and the ongoing ripple effect – involving leaked API keys, credentials and other secrets. This adds another dimension to your API attack surface, which in turn complicates your defenses and adds to your...

Learn from the T-Mobile API Breach to Improve Your API Security Program in 2023

A CISO’s job has never been more challenging. Engineering teams move fast, especially as organizations are accelerating their digital transformation efforts. The tech stack is exploding and varies greatly across the organization. And there is a surge of internal, external, and partner APIs. It’s...

Introducing Proactive API Leak Management

Read the press release announcing the early release of Wallarm API Leak Management The recent surge in hacks involving leaked API Keys and other API secrets such as credentials, passwords, certificates, tokens and encryption keys has put everyone involved on notice – organizations need a way to...

Wallarm Releases New End-to-End Solution to Reduce Risk and Time-to-Remediate Leaked API Keys and Secrets

Advancement to API Security Technology Will Combat Recent Surge in Hacks Leveraging Leaked API; Early Release Now Available San Francisco, CA –BUSINESS WIRE– January 19, 2023 – Wallarm, the end-to-end API security company, today announced the early release of the Wallarm API Leak Management...

Wallarm adds Cybersecurity Leaders to its Board of Advisors

New Advisory Board Members Bring Extensive Experience to Assist Organizations Needing to Enhance and Accelerate their API Security Posture January 12, 2023 02:30 PM Eastern Standard Time SAN FRANCISCO -BUSINESS WIRE- Wallarm, the end-to-end API security company, is pleased to introduce the newest...

Slack GitHub Account Hacked via Stolen Employee API Token

On December 29, 2022, Slack was alerted to suspicious activity on their GitHub account. Upon investigation, the company discovered that a limited number of employee tokens had been stolen and misused to gain access to an externally hosted repository. The threat actor had also downloaded private...

What ChatGPT know about API Security?

There is no doubt that you heard about and seen the latest OpenAIs brilliant called ChatGPT. It can write poems, speak many languages, answer questions, play chess, make code and impress everyone. In this post, we show a few more of how this AI model is good in cybersecurity, in particular in API...

Can ChatGPT be used to attack your APIs? | API Security Newsletter

The winter solstice is fast approaching, along with the end-of-year holidays - before we know it, itll be 2023 already! And with the fall behind us, our hive has been busy putting the finishing touches on many new and improved capabilities – such as weak JWT detection, API Abuse Prevention, API...

Q3-2022 API ThreatStats™ Report

The latest quarterly review and analysis of API vulnerabilities and exploits is in. Our initial take had us thinking it was smooth sailing for the state of API vulnerabilities in Q3—or was it just a lull in the storm? As it turns out, it’s neither. Read on to learn more about Wallarm’s analysis o...

Azure CLI Code Injection CVE-2022-39327 hits 9.8/10 CVSS score

The most recent Azure CLI Code Injection vulnerability is a rare and dangerous case. It’s not often that the most popular cloud platform client is vulnerable to such critical issues as code injection. Regardless overall high risk of injections by OWASP Top 10 and OWASP API Security Top 10, code...

Wallarm at API World and KubeCon 2022 this week

This is a busy week for the whole Wallarm team as we are sponsoring two big conferences at the very same time. API World 2022 Wallarm will be at API World in San Jose starting today. Stop by booth 209 to chat with our apisecurity experts about everything APIs, and check out a demo of Wallarm WAAP...

Evolution of API Security – A Practical Guide to Addressing API Threats in 2023

The kind of API security scenarios we witnessed today were never like this from the beginning of time. It has gone to extra lengths to become responsive and productive as it’s now. How was it in the beginning? What changes has it faced? What more can we expect in the future? If this is what bothe...

New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889

Yet another RCE with a CVSS score of 9.8 out of 10 was disclosed a few hours ago. This issue looks like the same Log4shell and it seems even more dangerous since Common Texts are used more broadly. The Apache Foundation published a vulnerability in the Apache Commons Text project code and publish...

8 KB is not enough: why WAFs can’t protect APIs

WAFs were a top-notch security instrument a decade ago, but now they are not. They fail to protect APIs. Meanwhile, the number of API-specific vulnerabilities grew more than twofold in 2022. According to a report by Wallarm, many such vulnerabilities have critical severity, and 33% are immediatel...

How Uber was hacked in 2022

What happened? The first information about the incident was issued yesterday, September 15th, 2022. We know that a hacker called “Tea Pot” successfully accessed Uber infrastructure and critical cloud services such as AWS, Slack, Google Workspace, and others. Most likely, Uber understood what had...

What’s most important for a CISO in API security?

As threats to networks and systems have changed, so have CISOs’ priorities. API security has grown more important with everything as a service and in the cloud. Todays CISOs must ensure they have a plan for protecting APIs. To learn what’s most crucial when protecting APIs, we surveyed CISOs and...

Integrating API Security and WAF into K8s Kong API Gateway

Article by Jiju Jacob, Director of Engineering at Revenera This is an update of Mr. Jacobs’ 05/23 post in his Medium blog. He is a Director of Engineering at Revenera. Revenera, born as InstallShield and now a Flexera company, helps software and technology companies use open source solutions more...

What are JWT Injections, and Why do You Need to Know About Them

JSON Web Tokens JWTs for short are the new standard for transmitting identity information in the digital age. JWTs are JSON objects that act as an identifier for your user or application. They’re used to authenticate users and securely transmit secrets as part of an API, application, or service...

Wallarm at Black Hat USA 2022

Black Hat USA is celebrating its 25th anniversary, and Wallarm will be on hand for the festivities. If you’re headed to Vegas this year, we invite you to meet our crew and talk about API security. Tuesday 08/09 – Pre-Event Evening Party Join us on Tuesday 08/09 evening at the Emerging Technology...

GitLab Security Issues: Six Months of Vulnerabilities

Have you ever thought the most popular CI/CD platform – GitLab – may have security issues? In fact, it is inevitable with such a massive infrastructure. Don’t worry! The platform is still reasonably secure: it scores well over 700 on BitSight, monitors alerts in real-time, and addresses them...

API Vulnerabilities Jump Up 3.7x in Q2-2022

Since the beginning of 2022, the Wallarm security research team has been analyzing API vulnerabilities and exploits, and releasing quarterly reports. The Q1 report got a lot of attention and positive feedback from the cybersecurity community, as well as a few valuable ideas and suggestions. We...

Wallarm extends AWS API security with the official Terraform module

Wallarm API Security solution is now available in AWS as an official Terraform module, with a full feature set including autoscaling groups, API Gateway connector, mirroring, and agentless out-of-band deployments. To address modern cloud-native threats, API security vendor Wallarm released extend...