Tag Archive for: missed

‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector


API security is a ‘great gateway’ into a pen testing career, advises specialist in the field


INTERVIEW Securing web APIs requires a different approach to classic web application security, as standard tests routinely miss the most common vulnerabilities.

This is the view of API security expert Corey J Ball, who warns that methods that aren’t calibrated to web APIs can result in false-negative findings for pen testers.

After learning his craft in web application penetration testing in 2015 via hacking books, HackTheBox, and VulnHub, Ball further honed his skills on computers running Cold Fusion, WordPress, Apache Tomcat, and other enterprise-focused web applications.


He subsequently obtained CEH, CISSP, and OSCP certificates before eventually being offered an opportunity to help lead penetration testing services at public accounting firm Moss Adams, where he still works as lead web app pen tester.

Recently focusing more narrowly on web API security – a largely underserved area – Ball has launched a free online course on the topic and published Hacking APIs: Breaking Web Application Programming Interfaces (No Starch Press, 2022).

In an interview with The Daily Swig, Ball explains how the growing use of web APIs requires a change of perspective on how we secure our applications.

Attractive attack vector

The past few years have seen accelerating adoption of web APIs in various sectors. In 2018, Akamai reported that API calls accounted for 83% of web traffic.

“Businesses realized they no longer need to be generalists that have to develop every aspect of their application (maps, payment processing, communication, authentication, etc),” Ball says. “Instead, they can use web APIs to leverage the work that has been done by third parties and focus on specializing.”

API stands for application programming interface, a set of definitions and protocols for building and integrating application software.

Web APIs, which can be accessed with the HTTP protocol, have spawned API services that monetize their technology, infrastructure, functionality, and data. But APIs have attracted the…


3 insights you might have missed from the VeeamON event


After two years holding online-only events, the recent VeeamON 2022 event saw the launch of the first hybrid VeeamON. While the in-person crowd gathered in Las Vegas to celebrate the lifting of pandemic restrictions with live sessions and corridor chats, close to 40,000 additional attendees took part in a parallel virtual event that included live keynote speeches and content from Las Vegas alongside exclusively online sessions.

It was also the first VeeamON appearance for Veeam Software Corp. Chief Executive Officer Anand Eswaran (pictured), who outlined big goals for the future of the company. Data protection is a crowded market, with Gartner’s Magic Quadrant showing newer entrants, such as Cohesity Inc. and Rubrik Inc., joining Veeam, Dell Technologies Inc., CommVault Systems Inc. and Veritas Technologies LLC, in the leaders’ quadrant. 2021 marked Veeam’s fifth year in the top position.

But the big news was that IDC Corp. data had Veeam and Dell neck-and-neck for market share. It’s not a position Eswaran plans to stay in for long.

“We see a path to taking share and getting from here, 12% [of market share], to 25% to 40% and being an outsize number one,” Eswaran told theCUBE industry analysts Dave Vellante and David Nicholson in an interview at VeeamON, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio.

In case you missed VeeamON, here are theCUBE’s top three takeaways from the event:

1) Cybercriminals target backup first.

There’s an old information technology joke: “We’re the best at backup … but terrible at recovery.” It used to be funny, but with known zero-day exploits being stockpiled by criminals, it is inevitable that companies are going to get hit with a ransomware attack — that is, if they haven’t already been unknowingly infiltrated.

Seventy-six percent of organizations reported an attack in 2021, according to research in the “2022 Top Trends in Data Protection” report published by Veeam. Of the data targeted, only 47% was encrypted and only 64% of that was recoverable.

“Ninety-four percent of the time, one of the first intrusions is to attempt to get rid of…


Android security: This fake message about a missed delivery leads to data-stealing malware – ZDNet


In Case You Missed It: The Return Of Nerd Harder Gear, Plus New Face Masks!

Nerd Harder gear is back, and face masks are available in the Techdirt Gear store on Threadless.

At the end of last month, we fulfilled two of the most popular requests (one long-standing, and one brand new) for Techdirt gear: we brought back the Nerd Harder line of gear, and introduced a series of face masks featuring some of our most popular designs!

You can find all these offerings in our artist store on Threadless, with multiple products available. Face masks come in two styles (standard and premium) as well as youth sizes, and there are t-shirts, hoodies, sweaters and other apparel — plus a variety of cool accessories and home items including buttons, phone cases (for many iPhone and Galaxy models), mugs, tote bags, and stylish notebooks and journals.

All the profits from gear sales help us keep Techdirt going and continue our reporting through this challenging pandemic situation and beyond, and we’re hugely appreciative of all the support. You can also check out our list of all the different ways to support Techdirt with a wide variety of options for readers to help us out and get something cool or useful in return!
