One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 6906513
Publication date 2022-09-15 10:00:00 (viewed: 2022-09-15 10:07:05)
Title APIs: Risks and security solutions
Text This blog was written by an independent guest blogger.

APIs have become a vital part of doing business. Organizations increasingly rely on APIs for day-to-day workflows, particularly as cloud applications become something of a mainstay. A recent report found that the average number of APIs per company increased by 221% in 2021. Not only are APIs impossible to ignore, but the need to invest in API security cannot be overlooked. The trend in usage is closely followed by opportunists seeking ways to exploit vulnerabilities for their gain. To ensure adequate security, developers and organizations alike need to understand the risks and design their security strategy to mitigate them. Too often, security approaches are redesigned only after a breach or hack occurs. By then, the damage has been done. Being proactive will save organizations time, money, and heartache.

API security risks

As cybercriminals work tirelessly to develop new ways to steal data and harm organizations, the list of threats is seemingly endless. That should not be cause for despair, however. While it can feel overwhelming, IT departments and financial controllers should not let it paralyze them into doing nothing. In this article, we cover the most prominent threats to API security and the tactics that protect users, data, and networks.

Software bugs

At a base level, software bugs are an easy point of exploitation for cybercriminals. Application errors weaken API security, leaving your organization - and your valuable data - vulnerable to attackers. It's crucial to have a system in place to regularly check for software updates and patches. A patch is a software update that plugs holes attackers could otherwise use to enter your network or systems. Conduct regular vulnerability scans and security testing against the APIs you have deployed. Of course, identifying these vulnerabilities is only the first step. Organizations must also have a workflow in place to address weaknesses swiftly.

Broken object-level authorization attacks

Another key API security risk lies in exposed endpoints that handle object identifiers. Such endpoints are a welcome mat for attackers: a wide attack surface with access to objects and data. To mitigate this risk, organizations must implement authorization checks at the object level. Check every function that accesses a data source using input from users, so that the caller is authorized for the specific object requested. Consider using an API gateway, access tokens, object-level authorization checks, and proper authorization credentials to stay protected.

Misconfiguration

Security misconfigurations are another common threat to API security. This risk typically arises from factors such as insecure default configurations, misconfigured HTTP headers, unnecessary HTTP methods left enabled, or open cloud storage. Do not rely on default configurations; instead, configure APIs to fit your organization's specific needs and requirements.

Exposed data

At times, developers leave object properties exposed, leaving it to downstream consumers to filter the data before making it available to end users. While well intentioned, this leaves a large amount of data exposed and invites attack. Ensure the data exposed through APIs is strictly limited to what is necessary and to trusted users. Evaluate access control and be deliberate about what is available, and to whom.

Injections

The threat
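The two controls the article recommends for the authorization and exposed-data sections, an object-level ownership check and a field allowlist applied inside the handler, side by side with the unchecked handler they replace. This is an added illustration, not code from the AlienVault post or any real API: the User model, the in-memory INVOICES store, its field names, and the role names are all constructed for the example.

```python
"""Object-level authorization and response filtering for a simple API handler.

Added example (not from the article). The data model below is constructed so the
code runs offline: every invoice record belongs to exactly one owner.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # constructed roles: "customer" or "admin"


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: {"id": 1001, "owner": "alice", "amount": 120.50, "status": "paid",
           "internal_note": "VIP customer", "card_last4": "4242"},
    1002: {"id": 1002, "owner": "bob", "amount": 80.00, "status": "open",
           "internal_note": "chased twice", "card_last4": "1111"},
}

# Fields a customer may see. Anything not listed never leaves the handler, so
# filtering is not delegated to a client or a downstream service.
PUBLIC_FIELDS = ("id", "amount", "status")


def get_invoice_vulnerable(user, invoice_id):
    """Broken object-level authorization: the handler trusts the caller-supplied
    identifier, so any authenticated user can read any invoice by changing the id,
    and the full record (including internal fields) is returned."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, None
    return 200, dict(record)


def get_invoice_hardened(user, invoice_id):
    """Authorization is decided per object: the caller must own the record or hold
    the admin role. Unknown and forbidden ids both answer 404 so the response does
    not reveal which ids exist. Only allow-listed fields are returned."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, None
    if record["owner"] != user.user_id and user.role != "admin":
        return 404, None
    return 200, {field: record[field] for field in PUBLIC_FIELDS}


def flag_enumeration(access_log, threshold=3):
    """Detection aid for the hardened handler: a caller that collects 404s across
    many distinct object ids in one window is probing identifiers. access_log is
    an iterable of (user_id, object_id, status) tuples (constructed format)."""
    misses = {}
    for user_id, object_id, status in access_log:
        if status == 404:
            misses.setdefault(user_id, set()).add(object_id)
    return sorted(u for u, ids in misses.items() if len(ids) >= threshold)


if __name__ == "__main__":
    bob = User("bob", "customer")
    print(get_invoice_vulnerable(bob, 1001))   # leaks alice's invoice and card digits
    print(get_invoice_hardened(bob, 1001))     # (404, None)
    print(get_invoice_hardened(User("alice", "customer"), 1001))
```

Returning 404 rather than 403 for another user's object is a deliberate choice: a 403 confirms that the guessed identifier exists. The enumeration flag then gives the operations side something to alert on when a single principal accumulates misses across many ids.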
Sent Yes
Tags Hack Vulnerability Threat


The article does not appear to have been republished after its publication.


The article does not appear to be a repeat of an earlier one.