The API Security Newsletter - Issue #16

DevSecOps is a variant of DevOps that adds security to the software development workflow. Application Programming Interfaces (API) security needs to be part of DevSecOps. This article explores how DevSecOps works and the role that API security plays in making applications that result from DevSecOps as secure as possible.

DevSecOps is a variant of DevOps that adds security to the software development workflow. Application Programming Interfaces (API) security needs to be part of DevSecOps. This article explores how DevSecOps works and the role that API security plays in making applications that result from DevSecOps as secure as possible.

The massive data breach affecting customers of Australian telecom Optus was reportedly caused by abuse of an API, revealing the API security risks that many software providers now face.

Sometimes a major "hack" isn't really a hack at all, such as with some breaches caused by the mishandling of APIs. The latest such breach attributed to negligence with APIs, or application programming interfaces that are used for exchanging data across applications, is the massive theft of customer data from Australian telecom Optus.

Noname Security revealed a rapidly growing number of API security incidents, and concerning lack of API visibility.

Noname Security announced the findings from its API security report, “The API Security Disconnect – API Security Trends in 2022”, which revealed a rapidly growing number of API security incidents, concerning lack of API visibility, and a level of misplaced confidence in existing controls.

API pentesting is a frequently misunderstood area of application security. Let's review core concepts of API pentesting and look at how these assessments are performed. The post API Penetration Testing Explained appeared first on Virtue Security.

The recent growth of APIs has introduced a number of new security challenges. And while API penetration testing shares a lot in common with an application pentest, there are new and unique vulnerabilities not always covered by these assessments.

Check out the 5 essential books that every API hacker should read and keep on their bookshelf. The post 5 Books Every API Hacker Should Read appeared first on Dana Epp's Blog.

If you’re into web API security testing, then you know that API hacking books are a valuable resource. They can teach you new things, introduce you to new concepts around breaking web application programming and help you stay up-to-date on the latest trends in your field. That’s why I’ve put together this list of 5 essential books for any API hacker!

Fast Company customer records remain unaffected though the hacker claims they have employee data, including emails, usernames, IPs, and post drafts.

Considering the hacker was able to push out notifications on Apple News, it is reasonable to assume they also accessed Apple News API keys which postpixel confirmed. According to the post, before the attacker could crack the WordPress password, they found the origin IP and bypassed the HTTP basic auth.

Pentesting can serve specific and important purposes for businesses. However, Not all pentesters are equal.

One big area of spending includes the art of putting cybersecurity defenses under pressure, commonly known as security testing. MarketsandMarkets forecasts the global penetration testing (pentesting) market size is expected to grow at a Compound Annual Growth Rate (CAGR) of 13.7% from 2022 to 2027. However, the costs and limitations involved in carrying out a penetration test are already hindering the market growth, and consequently, many cybersecurity professionals are making moves to find an alternative solution.

API (security) related videos

APIs are everywhere. Any business with a mobile app, modern web apps (SPAs), using the cloud, doing a digital transformation, integrating with business partners, running microservices or using kubernetes has APIs. There’s a good foundation of AppSec knowledge out there - thanks in part to OWASP but API Security isn’t exactly the same as AppSec. Additional complexity is part of the landscape with multiple competing API technologies like REST, gRPC and GraphQL plus stakeholders spread across multiple parts of the business. How do you make sense of the API Security landscape? This talk will cover the three fundamental areas to consider, the various chess pieces and the many ways those pieces can be put on your API chessboard. The goal is for you to leave knowing how to map out your API Security landscape and reach a state of solid API Security.

In the last decade, APIs have become fundamental to our teams, partners, and customers. While we’d like to believe it all happened as a carefully executed plan, let’s be honest: There's as much luck as foresight in the mix. Luckily, success drives success so we’ve seen things explode in great ways. Unfortunately, that very success has cost us too.

One more thing...

One of the historically lesser known players in the global chip industry is ASML based out of the Netherlands, this documentary provides a look behind the scenes in the wonderful world of one of the most important suppliers to the semiconductor industry.

The Dutch province of Brabant hosts one of the world's leading drivers of technological innovation. ASML manufactures machines that can produce computer chips on a microscopic scale. Just as geopolitical tensions put pressure on the global chip supply, VPRO Backlight gains exclusive access to the high-tech company and its mysterious clean rooms.

Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Nonane Security publication, the newsletter is meant to provide independent API Security News. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DM’s are open).