APIsecurity.io - APISecurity.io Newsletter: Issue 159

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #159
Vulnerability in GoCD CI/CD platform, views on full lifecycle API security, articles on API security and sprawl

This week, we have news of a high criticality vulnerability on GoCD, a common open-source CI/CD system, allowing attackers to hijack secrets of downstream supply chains. There is also an excellent article on the journey of Raiffeisen Bank International toward full lifecycle API security, another article on how API security is hindering application delivery, and a report on the continued API sprawl by F5.

Vulnerability: Popular GoCD CI/CD platform vulnerability disclosed
 

This week, SonarSource warned of a highly critical vulnerability in the common open-source CI/CD system, GoCD. The vulnerability could allow attackers to gain access to critical pipeline data, including secrets such as API tokens or credentials for downstream supply chain elements.

The vulnerability was caused by shortcomings in how GoCD build agents (aka workers) authenticated themselves to the GoCD master, which allowed fake agents to be inserted into a pipeline. Once an agent had been enrolled into a pipeline, it then had access to all tokens and secrets within the CI/CD pipeline as well as the ability to execute arbitrary code within the context of the pipeline.

Although organizations typically deploy build agents on internal networks where they are protected from impersonation by rogue agents, there are several hundred instances of GoCD exposed to the internet.

The affected versions of GoCD range from v20.6.0 to v21.2.0, and the vulnerability has been resolved in version v21.3.0, so if you are affected, patch yours as soon as possible.

The key takeaway here is that the CI/CD system is a vital component of supply chain infrastructure and should be protected at a variety of levels. 2022 is likely to become the year of supply chain attacks!

Case study: Raiffeisen Bank International on their journey toward full lifecycle API security
 

SecurityBoulevard featured an excellent case study from Raiffeisen Bank International (RBI) based on an interview with Peter Gerdenitsch, Group CISO at RBI.

Gerdenitsch describes how RBI made a shift toward a product-led agile structure in 2019. This transition included the role of Security Champion within each of the product DevSecOps teams:

Article2b

Security Champions lead in all aspects of product security within their business unit. A key point to the role is that it is a volunteer-driven role. RBI’s experience was that they had no shortage of volunteers and that they got much interest from a variety of disciplines within the organization. As with many popular Security Champion programs, RBI opted to use the martial arts’ belt system, shown below:

Article2a

In terms of API security, the blue belt level included specialized courses just on API security and at the black belt level the focus was on hands-on manual pentest skills.

As regards to APIs, RBI had a large estate — 100 external APIs under Payment Service Directive (PSD) scope, plus a thousand or more internal APIs on top of that. As is typical in large organizations, RBI found that what they lacked was an extensive inventory of their APIs. They addressed this with Real-Time Integration Center of Excellence (RICE), which acted as a central management layer for all RBI’s APIs. Another key approach was to ensure that both the product owner and the IT security teams were involved in securing their APIs.

This case study is a highly recommended read for anyone wanting to scale their API security initiatives, and particularly useful for security and AppSec leaders tasked with the responsibility of incorporating API security into their portfolio of coverage.

Article: API security hindering application delivery
 

DarkReading has featured an article on why API security is hindering application delivery.

According to research from Cloudentity, key findings are that nearly all organizations have experienced delays in releasing new applications or updates due to concerns for the security of their API environment.  Approximately 44% of them say they have experienced API security issues, such as data leakage and exposure of private information.

As possibly expected, the most commonly cited reasons for this predicament include:

  • The high financial costs associated with API security
  • The demands of faster application delivery timelines
  • A lack of awareness regarding API security

The report concludes that API security is likely to received increased focus and attention and — correspondingly — increased budgets in the coming years.

Report: F5 detailing the continued sprawl of APIs
 

Finally this week, a brief piece from in HelpNetSecurity on a recent F5 report detailing the continued sprawl of APIs. According to the report:

“We estimate that the number of public and private APIs today is approaching 200 million, and by 2031 that number could be in the billions”

Article4-1

The reasons for the increased sprawl stated in the report include:

  • A lack of global standards leading to re-implementation of APIs
  • The growth of microservices
  • Increased software released cadences
  • Increased interoperability required within large enterprises
  • Siloed business units duplicating the effort

The increased sprawl leads to increased operation and security challenges, making it something to keep an eye on in terms of API security.


 
ColinD

 

 

Colin Domoney

ApiSecurity.io

 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  
 
 

Older messages

APISecurity.io Newsletter: Issue 158

Thursday, November 4, 2021

Hi, this week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. APIsecurity.io The Latest API Security News,

APISecurity.io Newsletter: Issue 157

Thursday, October 28, 2021

Hi, this week, we have details of a potential vulnerability in existing Prometheus installations, a tool to map their API attack surface APIsecurity.io The Latest API Security News, Vulnerabilities and

APISecurity.io Newsletter: Issue 156

Thursday, October 21, 2021

Hi, this week we have a report from Alissa Knight on Fast Healthcare Interoperability and Resources APIs being vulnerable to abuse APIsecurity.io The Latest API Security News, Vulnerabilities and Best

APISecurity.io Newsletter: Issue 155

Thursday, October 14, 2021

Hi, this week, we have a vulnerability in the BrewDog mobile app exposing users' PII, Cisco has announced the arrival of their APIClarity APIsecurity.io The Latest API Security News,

APISecurity.io Newsletter: Issue 154

Thursday, October 7, 2021

Hi, this week, we have a viewpoint on what security officers can do to address API security. There's also a report from IBM. APIsecurity.io The Latest API Security News, Vulnerabilities and Best

You Might Also Like

Charted | Global Economic Confidence in 2025, by Country 🌎

Wednesday, December 25, 2024

While emerging markets in Asia have the strongest confidence in the global economy looking ahead, European countries are most pessimistic. View Online | Subscribe | Download Our App FEATURED STORY

Top Tech Deals 🎅 Sony Headphones, iPhone Cases, 4K Projector, and More!

Wednesday, December 25, 2024

The season of giving is upon us. How-To Geek Logo December 25, 2024 Top Tech Deals: Sony Headphones, iPhone Cases, 4K Projector, and More! The season of giving is upon us. Happy Holidays! If you're

Why the Race to AGI is Humanitys Defining Moment

Wednesday, December 25, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 25, 2024? The

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Wednesday, December 25, 2024

THN Daily Updates Newsletter cover The Data Science Handbook, 2nd Edition ($60.00 Value) FREE for a Limited Time Practical, accessible guide to becoming a data scientist, updated to include the latest

Software Testing Weekly - Issue 251

Wednesday, December 25, 2024

GitHub Copilot is free! 🤖 View on the Web Archives ISSUE 251 December 25th 2024 COMMENT Welcome to the 251st issue! In case you missed it — GitHub Copilot is free! The free version works with Visual

Daily Coding Problem: Problem #1647 [Medium]

Tuesday, December 24, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Square. In front of you is a row of N coins, with values v 1 , v 1 , ..., v n . You are

Sentiment Analysis, Topological Sort, Web Security, and More

Tuesday, December 24, 2024

Exploring Modern Sentiment Analysis Approaches in Python #661 – DECEMBER 24, 2024 VIEW IN BROWSER The PyCoder's Weekly Logo Exploring Modern Sentiment Analysis Approaches in Python What are the

🤫 Do Not Disturb Mode Is My Secret to Sanity — 8 Gadgets I Want To See Nintendo Make

Tuesday, December 24, 2024

Also: The Best Christmas Movies to Watch on Netflix, and More! How-To Geek Logo December 24, 2024 Did You Know Their association with the Christmas season might make you think poinsettias hail from a

😱 AzureEdge.net DNS Retiring Jan. 2025, 🚀 Microsoft Phi-4 AI Outperforms, 🔒 Microsoft Secure Future Initiative

Tuesday, December 24, 2024

Blog | Advertise | View Online Your trusted source for Cloud, AI and DevOps guidance with industry expert Chris Pietschmann! Phi-4: Microsoft's New Small Language Model Outperforms Giants in AI

Mapped | The Top Health Insurance Companies by State 🏥

Tuesday, December 24, 2024

In 13 US states, a single company dominates the health insurance market, holding at least half of the total market share. View Online | Subscribe | Download Our App Presented by: Global X ETFs Power