Akto.io

Computer and Network Security

San Francisco, California 2,159 followers

API Security Platform in DevSecOps

About us

Akto is the best platform for appsec teams to build an enterprise-grade API security program throughout their DevSecOps pipeline. Our industry-leading suite of API discovery, API security posture management, sensitive data exposure, and API security testing solutions enables organizations to gain visibility into their API security posture. 1,000+ appsec teams globally trust Akto for their API security needs. Akto is headquartered in San Francisco and backed by leading venture capital firms, including Accel Partners and Alumni Ventures, with angel and advisory support from the Tenable Founder, Notion Founder, Sentry CEO, Jim Manico, and Synack CTO, among others. Akto has been featured in Forbes, Nasdaq, Dark Reading, VentureBeat, and CSO Online as one of the cybersecurity startups to watch. Akto is a representative vendor in the Gartner® Market Guide for API Protection, Gartner® Hype Cycle for APIs, and Gartner® Hype Cycle for Application Security.

Industry
Computer and Network Security
Company size
11-50 employees
Headquarters
San Francisco, California
Type
Privately Held
Founded
2022
Specialties
API Security, DevSecOps, Application Security, Product Security, API Discovery, API Security Testing in CI/CD, API Security Posture Management, Authentication and Authorization Testing, Sensitive Data Exposure, Shift Left in DevSecOps, Real-time Threat Detection, Automated API Security Testing, OAuth and Token Management, Compliance Monitoring, Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST)

Products

Locations

  • Primary

    95 Third Street

    2nd Floor

    San Francisco, California 94103, US

Updates

  • Akto.io reposted this

    Ankita Gupta

    Co-founder and CEO at Akto.io | API Security | Application Security | DevSecOps

    It's great to see regional API Security summits happening across the country. One of them happened last week in Chicago. https://lnkd.in/gWxsBh44

    Here are five learnings from the session at the summit by Aaron Bedra, CTO at DRW.

    1. Implement API Firewall and block unwanted malicious requests
    2. Implement rate limiting
    3. Record logs for forensic analysis
    4. Implement strong authentication
    5. Always, always, always test at every stage of development - "scalable security is automated security."

    Some takeaways from the CISO Panel:
    - starting point for API security is API Discovery - organizations need to be able to answer the question, "What APIs do I have?"
    - They need to include third-party APIs in the process.

    In my experience, of the 8 points mentioned above, the #1 struggle for most organizations is API Discovery and API Security testing automation in the pipeline.

  • Akto.io reposted this

    Ankita Gupta

    Co-founder and CEO at Akto.io | API Security | Application Security | DevSecOps

    In my conversations, I see a lot of confusion amongst folks about shadow and zombie APIs. Most use these terms interchangeably, but they are different.

    shadow APIs:
    — unknown APIs or undocumented APIs
    — deployed by devs without knowledge of appsec teams
    — eg: codebase has 300 APIs, openAPI spec has 100 APIs, shadow will be = 200 (300-100)

    zombie APIs:
    — simply unused or old APIs
    — old version of APIs not deprecated
    — eg: unused or zombie APIs: api/search/v1 (new or used API: api/search/v2)

    points to note on zombie and shadow APIs:
    — zombie and shadow APIs can overlap
    — both are risks to organizations
    — shadow APIs pose a risk because they are missed from security reviews or testing as they are undocumented
    — zombie APIs pose a risk because they often have outdated security measures and are forgotten by security teams
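The two definitions above (and the "What APIs do I have?" question from the summit post) can be turned into a small inventory check. The following is an added example, not code from Akto or from the post: it compares the paths declared in an OpenAPI spec with the paths actually observed in traffic or code, and reports undocumented paths as shadow and documented-but-unused paths as zombie. The spec paths and observed paths are constructed sample data; `{id}`-style templates are matched against concrete segments so `/api/users/42` counts as the documented `/api/users/{id}`.

```python
import re

# Constructed sample: paths declared in the OpenAPI spec (hypothetical service)
SPEC_PATHS = {
    "/api/search/v1",      # old version, still documented, no longer called
    "/api/search/v2",
    "/api/users/{id}",
    "/api/orders",
}

# Constructed sample: paths seen in gateway logs / route definitions
OBSERVED_PATHS = [
    "/api/search/v2?q=akto",
    "/api/users/42",
    "/api/users/17",
    "/api/orders",
    "/api/internal/export",   # not in the spec -> shadow
    "/api/admin/debug",       # not in the spec -> shadow
]


def template_to_regex(template):
    """Turn an OpenAPI path template into a regex; {param} matches one segment."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def classify_apis(spec_paths, observed_paths):
    """Return {'shadow': [...], 'zombie': [...]} using the post's definitions.

    shadow = observed but undocumented; zombie = documented but never observed
    (this approximates 'unused or old' as 'no traffic in the review window').
    """
    matchers = {p: template_to_regex(p) for p in spec_paths}
    documented_seen, shadow = set(), set()
    for raw in observed_paths:
        path = raw.split("?", 1)[0]          # drop query string before matching
        hit = next((p for p, rx in matchers.items() if rx.match(path)), None)
        if hit is None:
            shadow.add(path)
        else:
            documented_seen.add(hit)
    zombie = set(spec_paths) - documented_seen
    return {"shadow": sorted(shadow), "zombie": sorted(zombie)}


if __name__ == "__main__":
    print(classify_apis(SPEC_PATHS, OBSERVED_PATHS))
```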

  • Akto.io

    We're thrilled to announce that Akto is a Silver Sponsor for the OWASP Global AppSec SF networking event, hosted by The Purple Book Community. 📅 September 26th, 5:30 - 8:30pm 📍 KPMG Building (55 2nd St, San Francisco) Join us for an exclusive evening of fine dining, engaging discussions, and networking with top cybersecurity professionals. Whether you're passionate about application security, risk management, or have a project to showcase, this is the perfect opportunity to connect and share! 👉 RSVP now: https://lnkd.in/gcdyAW8Y Let’s make this a night to remember! 🌟

  • Akto.io reposted this

    Ankita Gupta

    Co-founder and CEO at Akto.io | API Security | Application Security | DevSecOps

    17 GitLab vulnerabilities in Sep, including 4 authorization issues, 2 open redirects, and 2 input validation issues:
    — Sep 16: authorization flaw
    — Sep 16: OAuth open redirect allowing account takeover.
    — Sep 12: CI_JOB_TOKEN vulnerability allowing attackers to hijack session tokens.
    — Sep 12: authenticated users can bypass variable overwrite protection via inclusion of a CI/CD template.
    — Sep 12: attacker can trigger a pipeline as an arbitrary user
    — Sep 12: sensitive dependency proxy credentials retained in GraphQL logs
    — Sep 12: improper input validation error
    — Sep 12: command injection vulnerability due to incomplete input filtering.
    — Sep 12: server-side request forgery (SSRF) vulnerability
    — Sep 12: privilege escalation vulnerability where custom roles could escalate privileges improperly due to API authorization issue
    — Sep 12: denial of service (DoS) caused by sending a specific POST request, leading to service disruption.
    — Sep 12: crafted URL tricking victims into trusting an attacker-controlled application.
    — Sep 12: guest user able to access commit information due to API authorization issue
    — Sep 12: user password exposure from repository mirror configuration
    — Sep 12: guest user able to access private project source code
    — Sep 12: OAuth open redirect under specific conditions allowing account takeover.
    — Sep 12: DAST scan modification vulnerability, allowing attackers to modify scans and leak sensitive variables without permissions.

  • Akto.io reposted this

    Ankita Gupta

    Co-founder and CEO at Akto.io | API Security | Application Security | DevSecOps

    Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, released an alert urging appsec teams to eliminate XSS vulnerabilities. This is CISA's 4th alert since March on eliminating vulnerabilities through the secure-by-design principles:
    1. XSS - Sep 17
    2. OS Command Injection
    3. Directory Traversal
    4. SQL Injection

    Interestingly, every vulnerability in the above list is of the type "Input Validation". I have a super awesome update coming on this topic by Akto.io :)

  • Akto.io reposted this

    Ankita Gupta

    Co-founder and CEO at Akto.io | API Security | Application Security | DevSecOps

    Here is another recent and interesting access control issue. Over 1000 ServiceNow instances exposed customer knowledge base because of access control issues in API endpoints.

    What happened?
    — ServiceNow feature - knowledge base has article IDs that are incremental in the format KBXXXXXXX
    — A malicious actor can brute force a vulnerable endpoint by incrementing the KB number starting at KB0000001 until they find one that is unintentionally exposed - Exposed information includes PII, internal system details, user credentials, access tokens for live production systems.
    — ServiceNow improved its ACL in 2023 after an exposure report but didn't apply it to the knowledge base feature.
    — The KB articles were misconfigured to allow guest users or any user access to read and access sensitive information https://lnkd.in/gAXCww2x

    In my opinion, access control issues with multiple roles and permissions are the hardest to solve because of their complexity and wide scope. Imagine 1000+ API endpoints in an app with 10+ roles and permissions or custom roles; it would be impossible to know if even one of the API endpoints had misconfigured access control. On top of it, new API endpoints and continuous release cycles make it even harder to check for access control issues before production release continuously. The problem is massive and faced by almost every organization I speak with. We at Akto.io are solving this problem in an automated way at scale.

    Over 1,000 ServiceNow instances found leaking corporate KB data

    bleepingcomputer.com
