API Security Newsletter - Issue #1

I recently switched jobs and went from working in the virtualization/cloud industry to working in the security/API industry, hence I'm switching my Multi-Cloud Musings Newsletter to an API Security focused one. I'll also be using a different platform (https://twitter.com/revue) for the newsletter so you get

API Security News

On Friday, February 11th 2022, a security researcher (Tree_of_Alpha on Twitter) discovered a flaw in Coinbase’s new Advanced Trading feature that allowed users to sell cryptocurrencies without owning them. According to the Coinbase blog, the flaw was resolved in a matter of hours without any malicious exploitation. And Coinbase paid Tree of Alpha the largest-ever bug bounty of $250,000.

Within this rapidly evolving landscape, here are the nine key security trends that will shape how organizations should think about the year ahead.  

APIs cannot remain the most used, most abused and least visible part of our enterprise infrastructure. Though APIs have enormous benefits for those who utilize them, the extent to which they are used can, unfortunately, lead to blind spots in our security programs, particularly with the increased use of zombie and shadow APIs

We scoured industry reports to gather the most noteworthy findings on the state of the API economy. Here are 20 eye-opening statistics.

According to the Google Cloud's "The State of API Economy 2021 Report" API security is amongst the most critical components of a successful API program.

https://pages.apigee.com/api-economy-report-confirmation-ty.html

According to our survey data, technology leaders recognize API performance analytics (26%) and API security and governance (23%) capabilities as the most critical components of a successful API program.

A buggy app with one-star reviews led one student to discover a glaring security flaw.

The API was not checking if a student’s credentials were valid. That meant Johnson, or anyone else on the internet, could communicate with the API and take over another student’s account without having to know their password. Johnson said the API only checked the student’s unique ID, but warned that these are sometimes the same as a university-issued student username or student ID number, which some schools publicly list on their online student directories, and as such cannot be considered a secret.

Low- and no-code tools can speed up software development. But how do you make sure they work with the APIs you need, and don't create new headaches?

Security can also be an issue when low-code or no-code software connect to your APIs and your critical infrastructure. Giving “citizen developers” the ability to create applications can create new vulnerabilities.

API Security Tooling and Best Practices

API security testing tools speed up and streamline secure application development. Discover some of the leading options on the market today.

To start, financial institutions must include risk assessment and threat modeling as part of their software development lifecycle.

The implementation and deployment are where most security vulnerabilities arise. For example, one financial institution’s implementation of the Financial Data Exchange API may be secure, whereas another institution’s offering of the same API may have serious security vulnerabilities. By incorporating security in design, teams can contribute significantly to secure delivery.

API security risk has dramatically evolved in the last two years. Jason Kent, Hacker-in-Residence at Cequence Security, discusses the top API security concerns today and how to address them.

Learn about Shift Left Testing - The manual API testing process. Understand the steps and options for testing APIs and how they support API security efforts.

A security researcher discovered a flaw in Coinbase’s new Advanced Trading feature that allowed users to sell cryptocurrencies without owning them.

API Video Series

On this episode of Erik Wilde's YouTube Series, former Postman Director of API Ecosystems Matthew Reinbold talks us through the key findings of the 2021 State of the API Report.

The report shines a light on general trends in the API space, and shows where and how the API community is developing and investing

In this episode of API Shorts, Brenton House shows how to equip yourself and your organization to defend against API attackers with a solid API Security strategy.

Upcoming API (Security) events

April 4 ‒ 6, 2022 | The Hague | API Conference offers many exciting Sessions, Keynotes & Workshops for API Developer! Get your ticket now!

Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Nonane Security publication, the newsletter is meant to provide independent API Security News. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DM's are open).