Application programming interfaces, or APIs, have become an integral part of maintaining an online business, and are often indispensable for cross-functionality and user experience.
However, the increased use of APIs has led to a rise in attacks against them. This can in turn cause breaches of company data or even full account takeovers. Improperly-managed APIs are a key attack surface and firms would do well to treat this seriously as threat actors step up their efforts at exploitation.
In this episode, Rory and Jane are joined by Yaniv Balmas, VP of security research at Salt Security, to discuss the risks that come with using APIs and how to mitigate against them.
Highlights
“When you're speaking a different language than the service is expecting to hear, there could be one of many, many, many issues that will follow starting from very simple things like, you know, simple error page or server crash or something like that. And ranging up into, you know, information disclosure, full account takeovers, and stuff like that.”
“As time passes, yeah, more attackers join this API attacking club, and that's why we see this increase. And if you're asking my predictions on the future I don't see that stopping or, you know, start being in lower volumes. Quite the opposite.”
“If it's a third party tool that you're using, then you need to test it to make sure that, you know, it complies with everything and that it stops everything, all the relevant API attacks. And then finally, once you've deployed your solution, that's not enough because this world is constant, it's dynamic. It's constantly changing. There are always new attacks, every day you hear about new techniques and a new attack.”
Read the full transcript here.
Footnotes
- 90% of businesses experienced API security vulnerabilities in 2020
- Research: Luxury cars and emergency services vehicles vulnerable to remote takeover
- Hyundai vulnerability allowed remote hacking of locks, engine
- 4 Things to Know about Your Car and API Security
- The API economy: What your business needs to know
- T-Mobile customers at heightened risk of phishing attacks in wake of data breach
- Twitter API keys found leaked in over 3,200 apps, raising concerns for linked accounts
- Could APIs be your business' secret weapon?
Subscribe
-
Cyber researchers have already identified several big security vulnerabilities on OpenAI’s Atlas browserNews Security researchers have uncovered a Cross-Site Request Forgery (CSRF) attack and a prompt injection technique
-
Amazon is cutting 14,000 roles in a bid to ‘operate like the world's largest startup’News The layoffs at Amazon mark the latest in a string of cuts in recent years
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Getting a grip on digital identityITPro Podcast As AI agent adoption explodes, security leaders will need better identity controls than ever before
-
Let’s talk about digital sovereigntyIn the age of AI and cloud, where data resides is a key consideration
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Can cyber group takedowns last?ITPro Podcast Threat groups can recover from website takeovers or rebrand for new activity – but each successful sting provides researchers with valuable data
-
July rundown: Salt Typhoon and SharePoint scaresITPro Podcast US public sector organizations are under serious threat from the state-backed hacking group
-
Can the UK ban ransomware payments?ITPro Podcast Attempts to cut off ransomware group profits could instead harm businesses
-
We need to talk about operational technologyITPro Podcast Groups like Volt Typhoon are abusing poor hygiene in critical infrastructure to pre-position for attacks
