Lucene search: Wallarmlab (Recent)

548 matches found

Wallarm Lab • added 2022/07/14 8:33 a.m. • 18 views

Open-Source API Firewall Unveils New Feature: Default Deny Lists for Compromised API Tokens and Cookies

Discovering and securing any API is one of the most difficult challenges for developers. The API security landscape is constantly evolving, with new threats and vulnerabilities emerging at a rapid pace. Since commercial API security solutions can be expensive for some organizations especially...

AI score: 7.9 | Exploits: 0

Wallarm Lab • added 2022/07/13 5:47 p.m. • 95 views

10 Years Journey into API Security Vulnerabilities with Ivan, the CEO of Wallarm

Ivan Novikov, CEO at Wallarm, is an API security expert, bug hunter, security researcher, and blackhat speaker with 24 years of experience in the cybersecurity field. He spent decades in this industry and witnessed exploits as well as growth. Read ahead to understand Ivan’s API Security journey a...

CVSS: 10 | EPSS: 0.99999 | Exploits: 22

Wallarm Lab • added 2022/07/01 6:28 a.m. • 23 views

OWASP Top-10 2022: Forecast Based on Statistics

For tech innovators and security experts, what OWASP Top-10 says or predicts is much attention-worthy as this globally recognized document guide about the hidden and damage-causing security threats. As the year 2022 has begun, the people willing to learn about the latest security trends and...

AI score: 0.1 | Exploits: 0

Wallarm Lab • added 2022/06/23 7:14 a.m. • 76 views

Update on Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980)

Background On June 20, 2022 Spring released Spring Data MongoDB 3.4.1 and 3.3.5 to address a critical CVE report: CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods. This vulnerability was originally reported on June 13, 2022...

CVSS: 6.8 | AI score: 0.4 | EPSS: 0.16903 | Exploits: 3

Wallarm Lab • added 2022/06/03 8:50 p.m. • 174 views

Update on the Confluence 0-day vulnerability (CVE-2022-26134)

We want to share this update regarding the critical Confluence 0-day vulnerability CVE-2022-26134. On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution RCE...

CVSS: 7.5 | AI score: 0.6 | EPSS: 0.99999 | Exploits: 75

Wallarm Lab • added 2022/05/25 6:51 a.m. • 25 views

RSAC 2022 – The Year of API Security

Not only is RSAC back in person, but API security is coming to the forefront. Wallarm, the G2 leader in Application Security, is thrilled to be back at RSAC where we will show off all of our new API Security capabilities and tools since we last saw everyone in 2020. Highlights of What’s New:...

AI score: 7 | Exploits: 0

Wallarm Lab • added 2022/05/16 3:36 p.m. • 69 views

Three new API exploits causes GitLab data privacy and availability issues

On May 10, 2022, and May 11, 2022, CVE-2022-1352 CVE-2021-1431, and CVE-2022-1545 were fixed and published on Gitlab-ORG public repository. There are no technical details or exploits yet, but according to the high-level description and titles, they gonna be critical Gitlab API vulnerabilities tha...

CVSS: 7.8 | AI score: 1.5 | EPSS: 0.01601 | Exploits: 0

Wallarm Lab • added 2022/05/12 9:52 p.m. • 40 views

Two critical security flaws found in Nginx-Ingress controller

Ingress controllers allow users to configure an HTTP load balancer for applications running on Kubernetes. It’s needed to serve those applications to clients outside of the Kubernetes Cluster. It’s also configured with Kubernetes API to deploy objects called Ingress Resources The NGINX Ingress...

CVSS: 5.5 | AI score: 7.8 | EPSS: 0.01344 | Exploits: 0

Wallarm Lab • added 2022/05/06 5:6 p.m. • 98 views

CVE-2022-1388: Critical security vulnerabilities in F5 Big-IP allows attackers to execute arbitrary code

On May 5, 2022, MITRE published CVE-2022-1388, an authentication bypass vulnerability in the BIG-IP modules affecting the iControl REST component. The vulnerability was assigned a CVSSv3 score of 9.8 The vulnerability was discovered internally by the F5 security team and there is no evidence of...

CVSS: 7.5 | AI score: 10 | EPSS: 0.99956 | Exploits: 63

Wallarm Lab • added 2022/03/31 11:43 a.m. • 14 views

OSS API Firewall Unveils new Feature: Blacklist for Compromised API Tokens and Cookies

Discovering and securing any API is one of the most difficult challenges for developers. The API security landscape is constantly evolving, with new threats and vulnerabilities emerging at a rapid pace. Since commercial API security solutions could be really expensive for organizations, it's never...

AI score: 0.2 | Exploits: 0

Wallarm Lab • added 2022/03/31 1:49 a.m. • 81 views

Update on 0-day vulnerabilities in Spring (Spring4Shell and CVE-2022-22963)

Quick update There are two vulnerabilities: one 0-day in Spring Core which is named Spring4Shell very severe, exploited in the wild no CVE yet and another one in Spring Cloud Function less severe, CVE-2022-22963 Wallarm has rolled out the update to detect and mitigate both vulnerabilities No...

CVSS: 7.5 | AI score: 0.2 | EPSS: 0.99939 | Exploits: 36

Wallarm Lab • added 2022/02/28 5:10 p.m. • 17 views

Cryptographer – Job Description and How to Become

Introduction Cryptography is perhaps the main instrument for building a secure computerized framework. These professionals assume a major part in building these frameworks. This makes them probably the most generously compensated and profoundly esteemed laborers inside the growing universe of...

AI score: 7.1 | Exploits: 0

Wallarm Lab • added 2022/02/27 6:46 p.m. • 14 views

Malware Analyst – Job Description and How to Become

Introduction Malware investigation is the review or cycle of deciding the usefulness and possible effect of a given malware like an infection, worm, trojan, rootkit, or secondary passage. Malware or malignant programming is any PC programming planned to hurt the host working framework or to take...

AI score: 6.9 | Exploits: 0

Wallarm Lab • added 2022/02/25 7:42 a.m. • 8 views

Security Assessor – Job Description and How to Become

Introduction It requires a ton of work to turn into a QSA and keep your affirmation. In truth, there is an enormous rundown of standards to meet to be thought of. What is a Cyber security control assessor? The Security Control Assessor SCA is a cybersecurity personnel that utilizes security testi...

AI score: 0.3 | Exploits: 0

Wallarm Lab • added 2022/02/20 4:29 p.m. • 14 views

Information Security Consultant – Job Description and How to Become

Introduction As per Centrify, a forerunner in the Privileged Access Management PAM market that forms programming to forestall cyberattacks, the huge ascent of people working from a distance during the COVID-19 pandemic has raised the probability of a digital break. Therefore, network protection h...

AI score: 0.1 | Exploits: 0

Wallarm Lab • added 2022/02/15 4:25 p.m. • 14 views

Security Software Developer – Job Description and How to Become One

Introduction The cybersecurity industry is daily growing bigger daily and creating numerous roles for anyone to specialize in. One of the eye-catching perks of the industry is the annual pay which varies according to the role. This guide focuses on teaching a security software developer job...

AI score: 8.2 | Exploits: 0

Wallarm Lab • added 2022/02/14 12:31 p.m. • 20 views

Security Manager Guide – Job Description and How to Become

Introduction This guide discloses how to turn into a security supervisor, as well as the means to take to begin in this productive and intriguing industry. Keep perusing to find about the instructive, and certificate prerequisites for cybersecurity managers in the work environment. Bosses look fo...

AI score: 0.1 | Exploits: 0

Wallarm Lab • added 2022/02/09 1:41 p.m. • 8 views

Security Architect Guide – Job Description and How to Become

Introduction In the steadily changing field of online protection, companies need thoroughly prepared staff to assist them with staying aware of their developing security needs. Associations that neglect to focus on these web security wind up paying the consequences for it. Things being what they...

AI score: 0.6 | Exploits: 0

Wallarm Lab • added 2022/02/03 6:59 a.m. • 14 views

Information Security Analyst – Job Description and How to Become

Introduction A security expert is a wide work term that alludes to persons who keep up with the security of PC frameworks and organizations. Let us go through an information security analyst jobs description What is an information security analyst? Huge data breaks at colossal associations have a...

AI score: 7.2 | Exploits: 0

Wallarm Lab • added 2022/01/31 7:5 a.m. • 20 views

Penetration tester Guide – Job Description and How to Become

What is a penetration tester? In the realm of data security, pentesters are the specialists. The reason, likewise with other PI works out, is to recognize hazards before any potential meddling bosses get an opportunity to set up their framework. Helpless entertainers will endeavor to take advanta...

AI score: 0.7 | Exploits: 0

Wallarm Lab • added 2022/01/29 7:45 a.m. • 29 views

Cybersecurity Engineer Guide – Job Description and How to Become

Introduction The interest for network security occupations is soaring, but the arrangement is at an incredible insufficient. Experts anticipate a 2021 increment of 3,500,000 empty web-based security occupations all over the planet, as shown by the New York Times. Essentially, there aren't sufficie...

AI score: 0.3 | Exploits: 0

Wallarm Lab • added 2022/01/27 11:4 a.m. • 16 views

Best cyber security jobs in 2022 – Highest paying

Web protection is a worthwhile and quickly extending field that spotlights on shielding organizations from current attacks and guarding their information and frameworks. Specialists in network security distinguish blemishes, give programming and gear answers for diminish hazards, and foster plans...

AI score: 0.5 | Exploits: 0

Wallarm Lab • added 2022/01/23 9:29 a.m. • 35 views

16 Best DDOS Attack Tools in 2022

What are DDOS attack tools? DDOS attacks are cyber-attacks targeted at rendering certain computers, network systems and servers non-functional. The processes involved in its execution can be however complicated. Attackers have to carry out a long series of actions that involve social engineering...

AI score: 0.3 | Exploits: 0

Wallarm Lab • added 2022/01/17 2:31 p.m. • 29 views

SSH Host Based Authentication

Introduction Are you an organization that manages or hosts a huge pool of resources on remote locations/servers? Well, host-based authority-validation technique is the most-suited way to manage the access and control rights related to your hardware and applications. Once implemented, this identit...

AI score: 7.7 | Exploits: 0

Wallarm Lab • added 2022/01/17 11:2 a.m. • 20 views

What is fuzz testing? What is it used to test for?

Fuzz testing, regularly known as fuzzing, is a product testing procedure that incorporates embedding flawed or arbitrary information FUZZ into a product framework to recognize coding issues and security issues. Fuzz testing involves infusing information into a framework utilizing robotized or...

AI score: 7.8 | Exploits: 0

Wallarm Lab • added 2021/12/26 6:38 p.m. • 1445 views

Best IP Stresser Tool

Introduction Testing the restriction of your Web laborer incorporates pushing legitimately greater measures of traffic to it. You can either get delivered traffic or catch as of late experienced traffic and replay it at a higher concurrence than truly happened. There are organizations that can gi...

AI score: 0.1 | Exploits: 0

Wallarm Lab • added 2021/12/23 8:41 a.m. • 17 views

PCI Penetration Test – Everything You Need to Know

Introduction For any association that cycles, stores or sends charge card information, entrance testing has been a commitment since 2013. That is the point at which the consistence necessities set up by the Payment Card Industry Security Standards Council PCI SSC were refreshed to mirror the...

AI score: 7.2 | Exploits: 0

Wallarm Lab • added 2021/12/16 5:59 a.m. • 19 views

What Is Local File Inclusion Vulnerability?

Introduction This article clarifies what nearby record consideration LFI weaknesses are, including the way assailants can take advantage of them on weak web applications and what safe coding practices can assist you with forestalling local document incorporation assaults. Record incorporations ar...

AI score: 7.3 | Exploits: 0

Wallarm Lab • added 2021/12/13 1:1 p.m. • 14 views

What is Code Obfuscation?

Introduction The hazards of hacking and its corresponding disasters have become so precarious that the developers and organizations take utmost care to lessen their occurrence and the impact. Code obfuscation is one such strategic move that, when performed, keeps administered codes away from the...

AI score: 7.4 | Exploits: 0

Wallarm Lab • added 2021/12/11 1:22 a.m. • 270 views

5 things you must know about Log4Shell

This is the largest vulnerability we have seen in years. 1. You may still be vulnerable even if your project is not based on Java. Many tech stacks are vulnerable because so many tools use the Log4js including infrastructure, dev-tools, and CI/CD products. 2. Log4Shell will be here for a while...

CVSS: 9.3 | AI score: 0.6 | EPSS: 0.99999 | Exploits: 347

Wallarm Lab • added 2021/12/10 8:56 p.m. • 138 views

Log4j 0day mitigation update CVE-2021-44228

Wallarm has rolled out the update to detect and mitigate CVE-2021-44228. No additional actions are required from the customers Attempts at exploitation will be automatically blocked in a blocking mode When working in a monitoring mode, consider creating a virtual patch Log4Shell A 0-day exploit i...

CVSS: 9.3 | AI score: 1.9 | EPSS: 0.99999 | Exploits: 347

Wallarm Lab • added 2021/12/10 8:40 p.m. • 197 views

5 things you need to know about Log4Shell (CVE-2021-44228)

The post 5 things you need to know about Log4Shell CVE-2021-44228 appeared first on Wallarm...

AI score: 2.9 | EPSS: 0.99999 | Exploits: 347

Wallarm Lab • added 2021/12/10 8:22 p.m. • 111 views

Update on Log4Shell (CVE-2021-44228)

The post Update on Log4Shell CVE-2021-44228 appeared first on Wallarm...

AI score: 2.5 | EPSS: 0.99999 | Exploits: 347

Wallarm Lab • added 2021/12/10 8:47 a.m. • 19 views

What is a Logic Bomb?

Cyber-attacks have become a norm these days as many as 4,000 attacks are happening every day, alone in the US. Bad actors have ample ways to target it’s the victim and the logic bomb is one of them. Logic bomb virus may seem subtle on the surface but can be profoundly damaging, if not taken care ...

AI score: 6.8 | Exploits: 0

Wallarm Lab • added 2021/12/02 7:36 a.m. • 27 views

Invisible rat: how Sentry, Datadog, and others used by XSS and JavaScript malware

We all know how it’s convenient to use tools like Sentry or Datadogs for JavaScript events monitoring. It allows to catch errors in real-time, organize and manage issues resolution process, and genuinely shift left operations to developers. But Wallarm security experts warn of dangerous patterns ...

AI score: 0.2 | Exploits: 0

Wallarm Lab • added 2021/11/25 8:3 p.m. • 25 views

Scholarship Results

It's time to sum up the results of the 2021 scholarship! As you know, we extended the scholarship for 1 month until October 30th because there were many applications and few finished papers. By October 30 the situation had not changed, only 1 essay had been added and became 4, the number of...

AI score: 6.9 | Exploits: 0

Wallarm Lab • added 2021/11/08 3:57 p.m. • 10 views

Discovering Shadow APIs with Wallarm API firewall

Shadow APIs can be defined as active endpoints that you are not aware of. Some APIs are deployed but never documented. Others are services that don’t have an owner anymore. Some are even old v2 versions that have been deprecated for years, yet still exposed. Long story short: these APIs are not...

AI score: 7.1 | Exploits: 0

Wallarm Lab • added 2021/10/15 11:13 p.m. • 81 views

Wallarm starts to highlight CVE to address OWASP Top-10 A6 Vulnerable and Outdated Components

Attacks against known vulnerabilities are one of the most common security risks. Have you seen an updated OWASP Top-10? A risk that used to be A09 Using Components with Known Vulnerabilities is now titled A06:2021-Vulnerable and Outdated Components. This category moved up to 06 from 9 in 2017. We...

CVSS: 4.3 | AI score: 0.2 | EPSS: 0.99992 | Exploits: 148

Wallarm Lab • added 2021/10/07 12:57 p.m. • 32 views

The Biggest Hacker Attacks on Gambling

Introduction With online gambling clubs turning into a staple alternative across nations like the United Kingdom, numerous sites are showing up out of nowhere and not all are protected or secure. Numerous club regulars pick to utilize correlation locales, as the UK gambling clubs recorded at...

AI score: 1.1 | Exploits: 0

Wallarm Lab • added 2021/10/07 11:59 a.m. • 20 views

The scholarship deadline extended to October 30

Greetings, dear scholarship recipients! Applications for the scholarship draw should have closed on September 31st, but we are still receiving applications from you. At the moment there were 148 applications and only 3 people managed to submit them in time, now they are sent to our technical...

AI score: 0.2 | Exploits: 0

Wallarm Lab • added 2021/09/14 11:43 p.m. • 41 views

Wallarm API Firewall outperforms Nginx in a production environment

Wallarm API Firewall is a free light-weighted API Firewall that protects your API endpoints in cloud-native environments with API schema validation. Wallarm API Firewall relies on a positive security model allowing calls that match a predefined API specification, while rejecting everything else...

AI score: 6.9 | Exploits: 0

Wallarm Lab • added 2021/08/26 3:14 p.m. • 32 views

An Introduction to the Specifics of Start-Ups Security

Security probably would not be too interesting to you at all if you were a liquor store, restaurant, or work in similar sectors of the economy. However, security should definitely be a front-row concept if you are a start-up in the technology space or a business that depends on technology for...

AI score: 6.8 | Exploits: 0

Wallarm Lab • added 2021/08/05 11:53 a.m. • 46 views

5 Themes for Product Security and Fostering Organizational Growth

In this article we would like to review what Raj Umadas, Product Security Manager at Compass, has shared during our recent webinar highlighting recurring themes that have led to impactful collaborations and organizational risk reduction. Product security ProdSec is crucial in the process of growi...

AI score: 7.3 | Exploits: 0

Wallarm Lab • added 2021/06/08 8:43 a.m. • 39 views

Securing REST with free API Firewall. How-to guide

In our modern world, web applications are becoming ever more important. Bad actors know this and they target them more frequently than ever before. This is not likely to stop any time soon as the number of web applications the world needs will only go up with its reliance on technology. To fully...

AI score: 7.3 | Exploits: 0

Wallarm Lab • added 2021/05/19 11:24 a.m. • 35 views

Wallarm NG WAF is ranked as a “High Performer” by G2, Spring 2021!

We are proud to announce that Wallarm NG WAF was ranked as a “High performer” by G2 in the Web Application Firewall category. This award from the G2 platform confirms that our solution is highly rated by current verified Wallarm WAF users, who left unbiased reviews and answers to WAF-related...

AI score: 7.4 | Exploits: 0

Wallarm Lab • added 2021/05/07 3:20 p.m. • 26 views

What does Zero Trust mean for API security?

The old mentality of building a moat around important assets and trusting anyone or anything that is already inside the castle perimeter has failed us. Attackers have developed many techniques to jump the moat and scale the castle walls to get at what they want. Thus, the new rallying cry is to...

AI score: 6.8 | Exploits: 0

Wallarm Lab • added 2021/04/06 6:27 p.m. • 52 views

Wallarm API Discovery: Discover API endpoints automatically and secure them

What do you know about your APIs? Why are the vulnerable v2 and v3 still exposed if they are deprecated for almost a year? What else is exposed and you don’t even know? Are Swagger specs up to date? Teaser: Surely not. A lot of questions, right? Meet Wallarm’s latest feature for API Discovery and...

AI score: 0.3 | Exploits: 0

Wallarm Lab • added 2021/04/04 6:47 p.m. • 95 views

http2smugl: HTTP2 request smuggling security testing tool

HTTP/2 become the standard defacto for the modern web and causes new application security risks. The HTTP2 request smuggling is one of a few HTTP/2 vulnerabilities with the high severity that raised last year. In this post, we will describe it in detail and suggest an open-source tool http2smugl...

AI score: 7.3 | Exploits: 0

Wallarm Lab • added 2021/03/21 1:9 p.m. • 228 views

Weekly exploit digest – March, 15-21 – VMware View Planner, Win32k ConsoleControl, Microsoft Windows Containers DP API

Welcome to our weekly exploit digest! We should say this hasn't been a big week because guys keep producing exploits for the vulnerabilities discovered in the 1st half of March. Nevertheless, we have some new good arrivals for VMware, MS Windows and Win32 to talk about. New 4+ scored exploits have...

CVSS: 7.5 | AI score: 9.8 | EPSS: 0.99999 | Exploits: 131

Wallarm Lab • added 2021/03/16 6:22 p.m. • 437 views

Web vulnerabilities exploit weekly digest #1. March 8-15th 2021. VMware vCenter and Apache OFBiz RCE.

Welcome to the Wallarm weekly web exploits digest! Since this week, we will publish our weekly digests consists of web exploits with CVSS scores higher than 5. It will be followed by explanations, risks analysis, related stories and news. So, here we go! The most sophisticated and interesting...

CVSS: 10 | AI score: 10 | EPSS: 0.99999 | Exploits: 147

Total number of security vulnerabilities: 548