MerkleFence

Technology, Information and Internet

Lawrenceville, Georgia 408 followers

We are empowering innovators to change the world securely.

About us

We empower innovators to change the world securely. Are you facing the growing challenge of securing your applications in today’s complex threat landscape? Do you feel the pressure to protect sensitive customer data while maintaining rapid deployment cycles and grappling with a talent shortage? The 2023 Information Systems Security Association report names Application Security as the #1 most significant shortage of cybersecurity skills. MerkleFence provides access to highly skilled application security engineers from emerging markets, offering the same level of expertise you’d expect from U.S.-based professionals—at a fraction of the cost. This allows you to significantly reduce your hiring expenses (30-80% cost savings per talent) while maintaining the highest standards of security. We partner with businesses in the US that value top-tier application security engineers, even if they are based offshore, just like some of your development teams.

Website: www.merklefence.com
Industry: Technology, Information and Internet
Company size: 2-10 employees
Headquarters: Lawrenceville, Georgia
Type: Privately Held

Updates

  • APIs, which serve as the backbone of many SaaS applications, facilitate essential communication between different parts of your service. However, they also introduce certain security risks that can be easily overlooked—one of the most concerning is the mass assignment vulnerability. Mass assignment occurs when an API automatically maps user input to data models without adequate validation or filtering. This can allow attackers to manipulate fields they shouldn’t have access to, such as changing subscription levels, user roles, or other sensitive data. Read more about this vulnerability here: https://lnkd.in/esPw3zJU #saas #cybersecurity #apisecurity #Appsec #informationsecurity
  • One of the biggest advantages of API-first development is that it speeds up the overall process. Teams can work in parallel on different components, all while sticking to a unified API specification. This leads to faster iterations, quicker feature releases, and the ability to respond swiftly to market changes. On top of that, having well-defined interfaces minimizes the risk of integration issues, leading to a higher quality product overall. That said, the very things that make API-first architecture appealing—like its openness and interconnectedness—also create security challenges. Are you wondering how to secure your API-first architecture without slowing development? Read the full article on the MerkleFence website and share your thoughts in the comments. https://lnkd.in/eCZt6v-2 #cybersecurity #informationsecurity #softwareengineering #apisecurity
  • Imagine a gate secured with a padlock, yet there are no walls around the property it’s meant to protect. If you already understand the analogy, let’s share a laugh together in the comments. But if it’s not clear yet, here’s the explanation: When a session token never expires, it becomes a significant security risk. If an attacker gets hold of this token, they could access the system indefinitely without needing to re-authenticate—much like having a key to a gate with no surrounding walls. Take the case of Slack’s 2015 security breach. Unauthorized individuals gained access to some of the company’s databases, which contained sensitive information. One critical flaw discovered was the use of static session tokens that didn’t expire. Once an attacker obtained a token, they had perpetual access to the victim's account without ever needing to re-authenticate. In response, Slack took several key steps: ➡️ They invalidated old session tokens, forcing all users to re-authenticate. ➡️ They implemented additional security measures like two-factor authentication (2FA) to prevent unauthorized access. ➡️ They improved session management by ensuring tokens would expire after a period of inactivity or under specific conditions. Now ask yourself, do you have gates with no walls? #softwareengineering #cybersecurity #informationsecurity #technology
  • We are thrilled to welcome David Jackson (CISSP, CRISC) to the MerkleFence board! With 24 years of global experience in cybersecurity, David brings unparalleled expertise and a deep passion for building cybersecurity capabilities. His extensive background in IT Governance, Risk & Compliance (GRC), coupled with his leadership across multiple sectors, including financial services, telecommunications, and healthcare, makes him a perfect fit for our mission to empower innovators to change the world securely. His proven leadership will be invaluable as we innovate and deliver both application security talent and services to meet the evolving needs of U.S. companies. Please join us in welcoming David to the MerkleFence team! We are excited about the future and what we will achieve together. #Cybersecurity #Leadership #MerkleFence #BoardAnnouncement #ITGovernance
  • If you have GraphQL APIs in your environment, then we have a headline...ooops, we have an article worth stopping your scroll for! Confidence Staveley recently published a must-read article titled "Lessons on API Vulnerabilities: A Real-Life Case Study of GraphQL Introspection Risks in a Logistics Application". In this article, she reveals how our team was invited to conduct a black box security assessment of a company's application (we are allowed to share this much). However, one single security mistake gave us access to sensitive data. That single setting was...GraphQL introspection! Testing an iOS app already available to the public led us to a GraphQL API with introspection enabled in production. Like they say, the rest was history. Leaving introspection enabled for GraphQL APIs in production is like publishing a detailed city blueprint online, complete with access points, security systems, security tunnels, and locations of valuable assets. During the planning and construction phases, this blueprint is essential for city planners and developers. It helps them understand how different parts of the city are connected, facilitates efficient construction, and ensures everything is built according to plan. However, once the city is built and operational, making this blueprint publicly accessible poses a significant security risk. Just as an open blueprint provides potential criminals with the exact locations of security systems and escape routes, leaving introspection enabled exposes the entire structure of the API. This information can be used by attackers to identify vulnerabilities, plan attacks, and potentially exploit sensitive data, like we did and "sort of" documented in this article. Read all about it here: https://lnkd.in/eM-nCMff PS: Share your thoughts and experiences about introspection when you are done reading the article. #cybersecurity #apisecurity #applicationsecurity #softwareengineering #Graphql
  • You can guess your way through certain things in life. Keeping your applications secure isn't one of them.😂 It's best to know where you stand, especially if you are a CTO, Startup Founder, Application Manager or Engineering Lead. So I have created the best free tool to help you figure this out. All you'll have to do is answer 20 deeply thought-through questions in my Application Security Posture Scorecard quiz to evaluate your security efforts and receive valuable insights on enhancing your security practices. Check it out here: https://merklefence.com PS: I would really like to read your feedback in the comment section once you're done. #cybersecurity #technology #applicationsecurity #softwareengineering

  • Phishing emails have been a persistent threat for quite some time. While the incidence of successful phishing attacks has slightly declined due to increased user education, improved defenses, and the use of AI and ML in threat detection and prevention, they remain one of the most popular attack vectors. It is estimated that 91% of all cyber attacks begin with a phishing email. In 2023, credential phishing was the most common type, with a 67% increase in volume compared to 2022. Over the past few days, we have been conducting research and gathering threat intelligence from a phishing email forwarded to us by one of our clients. In this expository post, we aim to uncover as much information as possible about the threat actor. This will be part 1 of our findings. Read more here 👇 https://lnkd.in/eP62mG6k #informationsecurity #cybersecurity #APISecurity #Merklefence
  • Fortinet, a global cybersecurity company renowned for its network security appliances and security subscription services, has faced numerous vulnerabilities over the years, often exploited in ransomware attacks and zero-day exploits. Notably, vulnerabilities in FortiOS, FortiProxy, and FortiSwitch have been exploited (CVE-2023-27997 and CVE-2022-40684). The most recently discovered vulnerability affects Fortinet’s Enterprise Management Server (EMS), a critical component in the company’s suite of cybersecurity solutions that enables administrators to manage endpoints within an enterprise network; it was found vulnerable to a critical SQL injection flaw identified as CVE-2023-48788. This vulnerability allowed unauthenticated attackers to execute unauthorized code or commands. Read more 👇 https://lnkd.in/e5JCP9DH #informationsecurity #cybersecurity #Merklefence
  • Did you know that in January 2024, Cloudflare released its first API security and management report, based on aggregated traffic patterns observed by Cloudflare’s global network (including Cloudflare’s web application firewall, DDoS protection, bot management, and API gateway services) between Oct. 1, 2022 and Aug. 31, 2023? Unlike other industry API reports, Cloudflare’s report is not based on user surveys; it is based on real traffic data processed on their network. Check the comments for a link to the full summary. #cybersecurity #informationsecurity #cyber
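Added example (not MerkleFence's code or the code from the linked article): the mass-assignment pattern described in the first update above, with the vulnerable "map every key onto the model" update beside an allowlisted version that reports the fields it refused. The User model, its field names and the request body are constructed for illustration.

```python
from dataclasses import dataclass, fields

# Constructed SaaS user record: name/email are meant to be client-editable,
# role/plan are meant to be set only by server-side logic.
@dataclass
class User:
    id: int
    name: str
    email: str
    role: str = "member"
    plan: str = "free"

# Vulnerable: every model field present in the JSON body is written through.
def update_user_vulnerable(user: User, payload: dict) -> User:
    model_fields = {f.name for f in fields(User)}
    for key, value in payload.items():
        if key in model_fields:
            setattr(user, key, value)   # role/plan overwritten if supplied
    return user

# Hardened: an explicit allowlist of client-writable fields. Anything else is
# returned as "rejected" so the caller can log it or fail the request.
WRITABLE_FIELDS = frozenset({"name", "email"})

def update_user_safe(user: User, payload: dict) -> tuple[User, list[str]]:
    rejected = sorted(k for k in payload if k not in WRITABLE_FIELDS)
    for key in payload.keys() & WRITABLE_FIELDS:
        setattr(user, key, payload[key])
    return user, rejected

# Constructed request body: a profile edit that also tries to self-upgrade.
TAMPERED_PAYLOAD = {"name": "Alice", "email": "alice@example.com",
                    "role": "admin", "plan": "enterprise"}

def demo() -> dict:
    u1 = update_user_vulnerable(User(1, "A", "a@example.com"), TAMPERED_PAYLOAD)
    u2, rejected = update_user_safe(User(2, "B", "b@example.com"), TAMPERED_PAYLOAD)
    return {"vulnerable_role": u1.role, "vulnerable_plan": u1.plan,
            "safe_role": u2.role, "safe_plan": u2.plan, "rejected": rejected}

if __name__ == "__main__":
    print(demo())
```

The rejected-field list is the detection hook: a request that tries to set `role` or `plan` is worth alerting on, not just dropping.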