The API Security Newsletter - Issue 23
Hi Everyone! Welcome to this 23rd edition of The API Security Newsletter. As always, I welcome any feedback via Twitter DM (https://twitter.com/filipv).
Application Security vs. API Security: What is the difference?
As digital transformation takes hold and businesses become increasingly reliant on digital services, it has become more important than ever to secure both applications and APIs (Application Programming Interfaces). Application security and API security are two critical components of a comprehensive security strategy: by practising both, organizations can protect themselves from malicious attacks and security threats and, most importantly, keep their data secure.
Securing web APIs requires a different approach from classic web application security, because standard tests routinely miss the most common API vulnerabilities.
This is the view of API security expert Corey J. Ball, who warns that test methods not calibrated to web APIs can produce false-negative findings for pen testers.
Financial apps tested from Google Play Store leaked sensitive API data under testing conditions
Ninety-two percent of 650 financial apps hosted on the Google Play Store contain extractable data such as application programming interface (API) keys. The findings come from Approov's Mobile Threat Lab, which reverse-engineered the mobile application code of financial-services apps and was able to pry "high-value secrets" from them.
Money Lover breach shows the dangers of leaky APIs
A data leakage vulnerability that security researchers recently discovered in a popular financial management application illustrates the danger of exposing application programming interfaces that are not watertight.
The now-fixed vulnerability in the app's API exposed information about users that fraudsters could have used in spear-phishing attacks.
APIs in banking: From tech essential to business priority
For banks and financial institutions, APIs are here to stay—and will only grow. Over the past decade, companies had often been hesitant to use APIs due to a lack of clarity on the value they could generate. Now, financial-sector executives are more confident about the benefits of APIs for business automation, scalability, and acceleration.
Security with ChatGPT: What Happens When AI Meets Your API?
AI code-generating systems, such as ChatGPT or Codex, have the opportunity to make development work easier and faster. However, in terms of generating secure code, the jury is out.
So far, with OpenAI's ChatGPT, the results look good and may even work well. That said, many results aren't perfect and can contain flaws that aren't evident on initial review. Whether the coder is an AI system or a human, organizations still need a strong application security approach that catches vulnerabilities in code and suggests how to remediate them.
Assessing Cybersecurity Risk in the C-Suite
In today's digital age, cybersecurity risks are a major concern for businesses of all sizes. With cyber attacks becoming more sophisticated and frequent, it is important for businesses to assess their cybersecurity risks, prioritize them, and take measures to mitigate them.
As an executive, you need to optimize decision-making around the strategic goals of the organization while simultaneously ensuring that day-to-day operations run smoothly.
One more thing…
In his BlueHat 2023 keynote, Mark Russinovich (CTO and Technical Fellow for Microsoft Azure) shares his thoughts on a wide range of security topics, including: open source, software supply chain security, data protection and confidential computing, AI and security, and the new opportunities and challenges presented by large language models.
Mark Russinovich is Chief Technology Officer and Technical Fellow for Microsoft Azure, Microsoft's global enterprise-grade cloud platform. A widely recognized expert in distributed systems, operating systems and cybersecurity, Mark earned a Ph.D. in computer engineering from Carnegie Mellon University. He later co-founded Winternals Software, joining Microsoft in 2006 when the company was acquired. Mark is a popular speaker at industry conferences such as Microsoft Ignite, Microsoft Build, and RSA Conference. He has authored several nonfiction and fiction books, including the Microsoft Press Windows Internals book series and Troubleshooting with the Sysinternals Tools, as well as the cybersecurity thrillers Zero Day, Trojan Horse and Rogue Code.
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API Security news. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).