APIsecurity.io - APISecurity.io Newsletter: Issue 162

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #162
Compromised Google Cloud accounts, GraphQL as API gateway, API security guide and training
This week,we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly with weak or no passwords on API connections), there’s an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API security training course from AppSecEngineer.
     
Vulnerability: Compromised Google Cloud accounts used to mine cryptocurrency
 

The main story this week comes from HackerNews and describes how attackers are able to exploit improperly secured Google Cloud Platform (GCP) tenants. The impact on affected users included compromising their cloud resources, like uploading cryptocurrency mining software, and ransomware and phishing attacks.

Of greatest concern is that the accounts could be compromised due to lack of basic hygiene on the cloud tenants. The most common issue as well as exploit — affecting 48% of the instances — was weak or no password on user accounts and API connections that allowed attacker easy access to the cloud instances. Other exploits included installing third-party software in the cloud instances and leaking credentials through GitHub repositories.

The key takeaway here is that whilst cloud platforms are a great business enabler, their complexity frequently leads to misconfiguration which results in potentially vulnerable deployments. Additionally, many skilled attackers will know what the common misconfigurations are and home in on them, allowing them to easily exploit them in the attacks on systems.

Article: GraphQL as an API gateway
 

An interesting article this week by Tj Blogumas describes a novel approach to using GraphQL as an API gateway.

Blogumas describes a typical design problem encountered in the adoption of a microservices architecture: how to present a single fronted to consumers without exposing the complexity of the backing microservices mesh. Traditionally, this has been the domain of the API gateways, but Blogumas demonstrates how a GraphQL frontend can achieve the same effect.

Of interest here is how you can implement security controls at the GraphQL gateway level rather than in the backing microservice APIs. The key advantage to this approach is that key security controls are centralized in one place — implemented only once at the gateway level, rather than at in individual APIs. This reduces the burden on development teams and reduces the likelihood that such controls get accidentally omitted.

Blogumas provides several examples of the type of security controls that can be implemented, such as:

  • Depth limiting: Reduce the depth of allowed queries to reduce the impact of Denial of Service (DoS) based attacks.
  • Rate limiting: Reduce the rate at which requests can be made to specific API endpoints to mitigate the effect of DoS or brute force attacks.
  • Query cost limitations: Reduce excessively complex queries to mitigate DoS attacks.

An interesting take on API architecture that we will surely hear more about.

     

Webinar

DigitalAds_Webinar_AutomateAPI_42C Colin Webinar 600x335 TW

Automate API Protection with “Security as Code”

Dec 9, 2021 | 8am PDT / 11am EST / 4pm GMT

     
Guide: “Awesome API security” guide
 

We have featured some excellent API security guides in this newsletter (such as the one last week by Inon Shkedy), and this week it is the turn of the “Awesome API security” guide by André Rainho.

This vastly comprehensive guide covers, for example, the following topics:

  • Tools
  • Mind mapping
  • Checklists and cheatsheets
  • Training, walkthroughs, and laboratories
  • Enumeration and scanning
  • Fuzzing and API keys
  • Firewalls
  • Presentations, videos, playlists, and podcasts
  • Design and architecture
  • Specifications

This is bound to prove an invaluable resource for anyone working in or around API security — thanks to André for this great resource!

Training: AppSecEngineer’s 2021 guide to API security
 

Finally for this week, we have news of upcoming API security training courses by the AppSecEngineer team, featured in their review of API security in 2021.

The course includes a deep dive into both offensive and defensive techniques for API developers. On offense, it covers typical vulnerabilities specific to REST APIs and how malicious actors can exploit them. On defense, it focuses on defensive techniques in a hands-on laboratory environment that follows the OWASP API Security Top 10 as a content outline.

It’s always good to see new API security training and — based on previous AppSecEngineer courses — this should prove to be a great success.

 
42Crunch APISec EmailTemplate Colin v2
 
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch APISec EmailTemplate FooterLogo-24
Powered by 42Crunch Logo

 

 
42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  
 
 

Older messages

APISecurity.io Newsletter: Issue 161

Thursday, November 25, 2021

Hi, this week, we have details of a vulnerability in the AI platform Wipro Holmes Orchestrator, allowing the download of arbitrary files. 42Crunch APISec EmailTemplate Header v3 The Latest API Security

APISecurity.io Newsletter: Issue 160

Thursday, November 18, 2021

Hi, this week, we have a vulnerability in the AWS API gateway that allows a potential cache-poisoning attack, disclosed at a recent conference APIsecurity.io The Latest API Security News,

APISecurity.io Newsletter: Issue 159

Thursday, November 11, 2021

Hi, this week, we have news of a high criticality vulnerability on GoCD, a common open-source CI/CD system. APIsecurity.io The Latest API Security News, Vulnerabilities and Best Practices Issue: #159

APISecurity.io Newsletter: Issue 158

Thursday, November 4, 2021

Hi, this week, we have news on a breach affecting 400 000 users of a popular German school app, and another vulnerability in a popular WordPress plugin. APIsecurity.io The Latest API Security News,

APISecurity.io Newsletter: Issue 157

Thursday, October 28, 2021

Hi, this week, we have details of a potential vulnerability in existing Prometheus installations, a tool to map their API attack surface APIsecurity.io The Latest API Security News, Vulnerabilities and

You Might Also Like

Charted | Global Economic Confidence in 2025, by Country 🌎

Wednesday, December 25, 2024

While emerging markets in Asia have the strongest confidence in the global economy looking ahead, European countries are most pessimistic. View Online | Subscribe | Download Our App FEATURED STORY

Top Tech Deals 🎅 Sony Headphones, iPhone Cases, 4K Projector, and More!

Wednesday, December 25, 2024

The season of giving is upon us. How-To Geek Logo December 25, 2024 Top Tech Deals: Sony Headphones, iPhone Cases, 4K Projector, and More! The season of giving is upon us. Happy Holidays! If you're

Why the Race to AGI is Humanitys Defining Moment

Wednesday, December 25, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 25, 2024? The

Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

Wednesday, December 25, 2024

THN Daily Updates Newsletter cover The Data Science Handbook, 2nd Edition ($60.00 Value) FREE for a Limited Time Practical, accessible guide to becoming a data scientist, updated to include the latest

Software Testing Weekly - Issue 251

Wednesday, December 25, 2024

GitHub Copilot is free! 🤖 View on the Web Archives ISSUE 251 December 25th 2024 COMMENT Welcome to the 251st issue! In case you missed it — GitHub Copilot is free! The free version works with Visual

Daily Coding Problem: Problem #1647 [Medium]

Tuesday, December 24, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Square. In front of you is a row of N coins, with values v 1 , v 1 , ..., v n . You are

Sentiment Analysis, Topological Sort, Web Security, and More

Tuesday, December 24, 2024

Exploring Modern Sentiment Analysis Approaches in Python #661 – DECEMBER 24, 2024 VIEW IN BROWSER The PyCoder's Weekly Logo Exploring Modern Sentiment Analysis Approaches in Python What are the

🤫 Do Not Disturb Mode Is My Secret to Sanity — 8 Gadgets I Want To See Nintendo Make

Tuesday, December 24, 2024

Also: The Best Christmas Movies to Watch on Netflix, and More! How-To Geek Logo December 24, 2024 Did You Know Their association with the Christmas season might make you think poinsettias hail from a

😱 AzureEdge.net DNS Retiring Jan. 2025, 🚀 Microsoft Phi-4 AI Outperforms, 🔒 Microsoft Secure Future Initiative

Tuesday, December 24, 2024

Blog | Advertise | View Online Your trusted source for Cloud, AI and DevOps guidance with industry expert Chris Pietschmann! Phi-4: Microsoft's New Small Language Model Outperforms Giants in AI

Mapped | The Top Health Insurance Companies by State 🏥

Tuesday, December 24, 2024

In 13 US states, a single company dominates the health insurance market, holding at least half of the total market share. View Online | Subscribe | Download Our App Presented by: Global X ETFs Power