APIsecurity.io - APISecurity.io Newsletter: Issue 164

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #164
Log4Shell vulnerability, API sprawl an increasing threat, API security design best practices, Zero Trust for APIs

This week, we have news on the Log4Shell vulnerability affecting applications and infrastructure that use the ubiquitous Log4j library. In addition, there's an article on how API sprawl is becoming a threat to the digital economy, a guide on API security design best practices, and views on the benefits of a zero trust approach to API security.


Vulnerability: Log4Shell vulnerability poses a critical threat to applications

The major news this week is the critical vulnerability in the ubiquitous Log4j Java logging library. A combination of factors — the ease of exploitation (several example exploits were posted within hours of disclosure), the prevalence of the library, and the impact of the vulnerability (up to complete server takeover) — has led to it being assigned the maximum score of 10 on the CVSS scale. The vulnerability has been assigned the identifier CVE-2021-44228.

The affected versions of Log4j are 2.0-beta9 up to and including 2.14.1. A new version, 2.15.0, that addresses the issue has been released and is expected to appear on downstream servers within days. If it is not possible to upgrade the library immediately, remediation is possible by setting system properties or by removing the affected class from the library package. The Veracode remediation guidance provides full details on remediation and mitigation for this vulnerability, as well as advice on identifying affected applications by using software composition analysis (SCA) techniques.
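As an added example of the SCA-style identification the remediation guidance recommends (this is not code from the newsletter or from Veracode), the following Python script inspects JAR files for the log4j-core version recorded in their Maven metadata, compares it against the affected range reported above (2.0-beta9 through 2.14.1), and reports whether the JNDI lookup class that the class-removal mitigation deletes is still present. The sample JARs are constructed inline so that it runs offline; the class path and metadata path it reads are the ones shipped in real log4j-core JARs, but the stand-in archives it builds are not real Log4j builds.

```python
"""Minimal software-composition check for the Log4j versions the newsletter
reports as affected. Added example, not part of the original page or of the
Veracode guidance. Sample JARs below are constructed for demonstration."""

import io
import re
import zipfile
from typing import Optional

# Class that the "remove the affected class" mitigation deletes from the JAR.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core ships inside its JAR; carries the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_log4j_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple.

    Pre-releases sort before the final release of the same number, so
    2.0-beta9 -> (2, 0, 0, 'beta', 9) and 2.0 -> (2, 0, 0, 'zz', 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0), tag or "zz", int(tagnum or 0))


# Affected range as stated in the newsletter: 2.0-beta9 up to and including 2.14.1.
AFFECTED_LOW = parse_log4j_version("2.0-beta9")
AFFECTED_HIGH = parse_log4j_version("2.14.1")


def version_is_affected(version: str) -> bool:
    """True if the version falls inside the reported affected range."""
    return AFFECTED_LOW <= parse_log4j_version(version) <= AFFECTED_HIGH


def read_log4j_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read the log4j-core version from its Maven pom.properties, if present."""
    if POM_PROPERTIES not in jar.namelist():
        return None
    for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def assess_jar(data: bytes) -> dict:
    """Classify one JAR (raw bytes) as vulnerable, mitigated, fixed or not-log4j.

    'vulnerable': affected version and JndiLookup.class still present
    'mitigated' : affected version but JndiLookup.class has been removed
    'fixed'     : version outside the affected range
    'not-log4j' : no log4j-core metadata in this JAR"""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = read_log4j_version(jar)
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is None:
        status = "not-log4j"
    elif not version_is_affected(version):
        status = "fixed"
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "mitigated"
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}


def build_sample_jar(version: Optional[str], include_jndi: bool) -> bytes:
    """Construct a tiny stand-in JAR (a zip) for offline testing; not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            jar.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples covering each outcome the check can report.
    samples = {
        "log4j-core-2.14.1.jar": build_sample_jar("2.14.1", True),
        "log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", False),
        "log4j-core-2.15.0.jar": build_sample_jar("2.15.0", True),
        "some-other-lib.jar": build_sample_jar(None, False),
    }
    for name, data in samples.items():
        print(f"{name}: {assess_jar(data)}")
```

To use it against a real deployment, replace the constructed samples with the bytes of each JAR found on the host (including JARs nested inside WAR or EAR archives, which this script does not unpack); a JAR without the Maven metadata but with the JNDI class present is reported as `not-log4j`, so treat `jndi_lookup_present` as a second signal when vendors repackage the library.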

Article: API sprawl becoming a threat to the digital economy

F5 has written an article “Continual API Sprawl: Challenges and Opportunities in an API Driven Economy”. The article investigates the sprawl of APIs and the potential impact this has on the digital economy which is so heavily dependent on them.

F5 suggests that many estimates of the growth of APIs tend to be conservative — according to F5's more aggressive calculations, we will be approaching 1.7 billion active APIs by 2030. This high growth will inevitably lead to sprawl, resulting in APIs that may not be designed, tested, or managed adequately, and that are deployed in many dispersed environments. This will clearly pose a challenge to those responsible for securing such APIs.


The article cites several factors driving this sprawl:

  • Sheer growth: As APIs continue to grow, it will become increasingly challenging to manage and govern them.
  • Lack of standards: A lack of common standards frequently leads to duplication of effort in creating APIs and difficulties in integration between them.
  • New development approaches: The adoption of microservices is further accelerating the growth of APIs, in this case internal APIs in the so-called east-west direction.
  • Continuous software development: The ability to easily deploy an API can lead to duplication of API instances, leading to maintenance challenges.
  • Various computing evolutions: The drive toward a cloud operating model has led to APIs being deployed in highly divergent regions leading again to maintenance challenges.

This sprawl poses various challenges. For instance, operating and managing APIs does not necessarily scale well, making it difficult to discover or document them. The ubiquitous use of the OpenAPI Specification (OAS) is seen as a natural counter to this challenge. Secondly, the rapid evolution of APIs can lead to challenges in API integration, manifesting as broken client applications. This can be addressed by taking a rigorous approach to API versioning.

From a security perspective, the challenges of API sprawl are the most concerning — in 2020 alone, 91% of enterprises experienced an API security incident. The sprawl of APIs will lead development teams to take shortcuts in how they develop APIs, including anti-patterns such as re-using authentication and authorization tokens and keys, and poor server-side API implementations.

Some useful mitigation tactics against the sprawl include, for example:

  • Treat the API as a product.
  • Improve developer experience.
  • Use spec-driven development.
  • Ensure that API documentation and code libraries are up to date.
  • Use consistent endpoint naming.
  • Set clear guidelines for API versioning and deprecation.
  • Go beyond API keys with OAuth and OpenID Connect.

Article: API security design best practices

For readers with a focus on the implementation of API backends, we have a thorough article by Yuri Kopylovski on various considerations related to security best practices.

The guide covers topics such as:

  • API traffic flow
  • Timeouts
  • Error handling
  • Logging strategies
  • Platform-specific considerations

It concludes with some anti-patterns specific to session management and API gateway implementations that should be watched for from an API security perspective.

Article: The benefits of zero trust for API security

We have previously featured perspectives on zero trust with respect to API security, and this week we have David Bisson's views on the benefits of zero trust for API security.

The key takeaways from the perspective of API security include the following:

  • Infosec teams can leverage zero trust to scale their API governance, ensuring a balance between compliance and enabling new API development.
  • Assuming that traditional network boundaries have been eliminated and not relying on network perimeters as a security control are crucial.
  • The key principle is to deny everything by default and authenticate every resource.
Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States