Salt Security API Protection Platform Now Available in the Microsoft Azure Marketplace

Salt Security, the API security company, has announced that it has achieved Microsoft Azure IP Co-sell Ready status, which means that the Salt Security API Protection Platform can be sold and marketed by Microsoft sellers globally. By earning this status, Salt said it can provide its customers with a more streamlined deployment and management process for taking advantage of the productive and trusted Azure cloud platform. In addition, the Salt Security API Protection Platform will gain greater visibility both within the Microsoft Azure Marketplace and among Microsoft sales teams and partners worldwide. 

 

According to the Q3 2022 State of API Security Report, malicious API traffic grew 117% over the past year, now accounting for 2.1% of all API traffic. Customers tap the Salt platform to discover their APIs, protect them during runtime, and improve their API security posture. The Salt Security API Protection Platform correlates user behaviour over time to pinpoint and stop attackers, using its rich context about all API usage to identify the reconnaissance activities of bad actors. The platform consolidates all pertinent information into a single attacker timeline generating a single alert, which allows incident response teams to quickly take action.

 

“Salt empowers organisations to drive digital transformation and business innovation initiatives with the confidence that their critical data and services are protected with the industry-leading API security platform,” said Gilad Barzilay, head of business development at Salt Security. “Microsoft Azure IP Co-sell Ready status further validates our integration with the Azure cloud platform and strengthens our commitment to our joint customers.”

 

The Microsoft IP Co-Sell Program enables Microsoft and partners to provide comprehensive solutions in a collaborative selling model to drive joint sales, revenue, and mutual customer success. 

 

“Through Microsoft Azure Marketplace, customers around the world can easily find, buy, and deploy partner solutions they can trust, all certified and optimised to run on Azure,” said Jake Zborowski, general manager, Microsoft Azure Platform at Microsoft Corp. “We’re happy to welcome Salt Security to the growing Azure Marketplace ecosystem.”

 

Salt Security applies cloud-scale big data, with the industry’s most time-tested AI and ML algorithms, to provide the insights needed for API security. Through its patented API Context Engine (ACE) architecture, the platform can identify the early indicators of an attack, stop attackers from advancing, and turn attackers into penetration testers, leading to valuable feedback for development teams to eliminate API vulnerabilities.

The post Salt Security API Protection Platform Now Available in the Microsoft Azure Marketplace appeared first on IT Security Guru.

Salt Security Strengthens Executive Leadership Team as Demand for API Security Accelerates

Salt Security, the API security company, has announced additions to its leadership team to support growth in employees and customers worldwide. Salt has established two new executive leadership roles, naming Renee Hollinger as Chief People Officer and Amelia Forrest Kaye as Vice President of Customer Success. Both Hollinger and Kaye will play pivotal roles in supporting the company’s operations and expanding global customer base.

Over the past 12 months, Salt Security has also expanded its customer base by more than 300%. New Salt customers include Zoom Communications, Aon, New American Funding, Moneris, Riskified, Open Line NL, and many others. To support this growth, Salt has increased its customer success team sixfold, including international representation in Europe, Africa, and Latin America.

“Both Renee and Amelia are accomplished leaders within the technology and security industries with deep expertise shepherding human resource functions and growing customer success teams, respectively,” said Michael Nicosia, COO and co-founder, Salt Security. “As API security risks continue to rise, having their experience shaping our initiatives will ensure that Salt continues our leadership role in this market we’ve pioneered. Their contributions will be instrumental in how we take care of our own people and our customers as we grow worldwide.”

Hollinger joins Salt with more than 20 years’ experience in human resources, having held leadership positions at well-known global brands such as The Gap, Urban Outfitters, Warner Brothers and Levi Strauss. Hollinger also served as Executive Vice President, Global Human Resources, at ironSource, a leading business platform for the app economy. Most recently, Hollinger was Chief Human Resource Officer at Reltio, a software management provider, where she played a key role in expanding the company’s global employee footprint.

“I am excited to join Salt at such a pivotal time in the API security industry,” said Hollinger. “Salt Security provides the most proven and robust API security solution available. I was drawn to the company’s culture of trust and integrity, and I look forward to fostering an environment where all our employees can thrive and succeed as we rise to meet growing demand for our market-leading technology.”

As an experienced global customer success leader with over 15 years’ experience in customer and client success, Kaye joins Salt from Tanium, a provider of converged endpoint management, where she led the company’s customer engagement function. Prior to Tanium, she held management positions at Deloitte and Reflektive.

“I am privileged to join a company that recognises that phenomenal customer service has become a critical business differentiator,” said Kaye. “As our customer base continues to grow, I look forward to working with this talented customer success team to deliver ongoing value and exceed customer expectations in every step of the API security journey.”

The announcement follows a slew of recent strategic initiatives at Salt Security. Most recently, CrowdStrike, a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, publicly announced its strategic investment in Salt Security via its investment arm, Falcon Fund. Salt has also recently expanded its channel program, making the Salt platform more broadly available to companies around the globe through an increasing network of distributors, channel partners, consultancies, and integrators.

 


CrowdStrike ups the ante with investment in API security leader, Salt Security

CrowdStrike (Nasdaq: CRWD), the cloud-delivered protection of endpoints, cloud workloads, identity and data organisation, has announced that its strategic investment arm, Falcon Fund, has invested in Salt Security, the leader in Application Programming Interface (API) security. In addition to the investment, Salt Security and CrowdStrike are partnering to bring together leading technology to apply API discovery and runtime protection on applications, and enable security testing to harden APIs before release.

“With the proliferation and use of SaaS applications, APIs are becoming a key target for adversaries,” said Michael Sentonas, chief technology officer at CrowdStrike. “Salt Security has emerged as the clear leader in solving this major blindspot for organisations, which is why we have chosen to invest in this innovative team and technology.”

CrowdStrike says it is committed to building an ecosystem of next-generation security leaders and enabling seamless integrations with the solutions that customers need to protect themselves in a rapidly evolving threat landscape. CrowdStrike’s Falcon Fund has been active with investments in established and emerging leaders across adjacent markets including Dig Security (data detection and response), JumpCloud (open directory) and Talon Security (secure enterprise browser).

“APIs connect the critical data and services that drive today’s digital innovation,” said Roey Eliyahu, CEO and co-founder at Salt Security. “API usage is rapidly growing, and API attack traffic is growing year-over-year. Existing defences are not effective in detecting and stopping API attacks, leaving organisations vulnerable to today’s low-and-slow API attacks. Just as CrowdStrike revolutionised endpoint protection, Salt is pioneering a context-based approach to finding and stopping bad actors abusing APIs. We are honoured to welcome CrowdStrike as a strategic partner and help provide their customers with best-in-class API security.”

IT Security Guru recently sat down with Michelle McLean from Salt Security to discuss the significance of API security and what sets Salt apart; you can read that interview here.


API Security for the Modern Enterprise

In today’s cloud-based enterprise, APIs are a critical part of every business. They’re used extensively to foster more rapid application development, and without proper security measures, sensitive data can easily get into the wrong hands.

 

As modern organizations become more dependent on APIs to achieve their goals, their API security strategy must be up-to-date and in line with recent developments in technology.

 

API Security is an important aspect of the API lifecycle which makes sure that the API and its data are protected from various threats. This includes protecting it from unauthorized access, denial of service, data leakage, and other security breaches. It’s more than just protecting data from being stolen or misused; it also helps protect against potential vulnerabilities that could cause reputational damage.

The API Security Landscape is a Complex one

API security is quite different from other standard cyber threats due to its constantly changing nature, the shortcomings of shift-left tactics, and the challenge of low-and-slow attacks. Per a recent report covering Q4 2020 to Q4 2021, the average number of APIs per company increased by 221% in 12 months, API attack traffic grew by 681%, and overall API traffic grew by 321%.

Microservices Architecture has Created a Security Blind Spot

Microservices are small, modular, independent services that can be deployed, scaled, and updated independently. They offer many advantages over traditional monolithic applications: they are more scalable and agile, and they have lower maintenance costs. One negative side effect of microservice architectures, however, is that they create an environment of many small services, each of which is an easily found target for attackers.

 

Microservices communicate over APIs. When multiple services communicate with each other through APIs, a compromise of any one service exposes your entire system.

Internal APIs or Private APIs are not Immune

Internal APIs are just as vulnerable to attacks, data breaches, and fraud as public APIs. An attacker could use an internal API to launch DDoS attacks against companies by sending large volumes of traffic over a short period.

 

An internal API might allow a malicious actor to access data from another company’s API that you are using in your application. Or, if you are using an external API for authentication, your authentication token could be stolen by an attacker who has gained access to the server hosting that external service by some other means, such as social engineering or brute-force attacks (e.g., password guessing) on its account credentials.

API Security needs to be a Top Priority for the Modern Enterprise

There’s no getting around it — API security is a shared responsibility. It’s not just about securing your access controls, but also about making sure that you’re keeping up with changes in the industry and staying ahead of any threats that might be coming down the pipeline.

 

Security as an end-to-end process requires comprehensive measures across every aspect of your API strategy—from designing APIs that are secure from day one, through testing and monitoring them throughout their lifecycle (and beyond), all the way through to maintaining audit trails and making sure your users aren’t abusing them.

 

The best way to secure an API is to design it with security in mind from the start. That means understanding what threats might exist, what data needs to be protected, how the API will be used, and how it will interact with other systems. It also means defining policies that define acceptable use of the API, including who can access it and under what circumstances.

 

This means that everyone who works with APIs needs to play an active role in keeping them safe: developers building apps or services on top of them; administrators managing their infrastructure; system administrators ensuring things run smoothly on both sides; and security professionals looking out for threats, both internal and external (like hackers).

 

API Security Tools

Tools like two-factor authentication, rate limiting, and DDoS protection can go a long way in securing APIs. Two-factor authentication adds a layer of security to your API. Rate limiting caps how many requests per second an app can make against an API while still letting it make the requests it needs. DDoS protection defends against attacks in which many clients simultaneously flood servers with data packets; these floods overwhelm the servers’ resources until they crash under the pressure and stop responding altogether. DDoS protection can also protect against other types of attacks, such as SQL injection attacks, in which malicious code is entered into databases where it would otherwise compromise the integrity of the data held there.
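Rate limiting is the one control in that list that is concrete enough to show in code. The following token-bucket limiter is an added example written for this page, not code from the article or from any vendor it mentions. It assumes requests are keyed by some per-client identifier (an API key or the subject of a token) and takes the clock as a parameter so its decisions are deterministic and testable; a bucket of `capacity` tokens allows a burst, and the `rate` sets the sustained requests-per-second an app can make.

```python
"""Token-bucket rate limiter keyed by API client (added example, not from the article).

Each client key gets a bucket that refills at `rate` tokens per second up to
`capacity`. A request consumes one token; when the bucket is empty the request
is rejected. The clock is injected so the behaviour is deterministic and testable.
"""
from dataclasses import dataclass, field


@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    last: float     # time of the last refill calculation


@dataclass
class TokenBucketLimiter:
    capacity: int          # burst size: max requests allowed at once
    rate: float            # sustained rate in requests per second
    buckets: dict = field(default_factory=dict)  # client key -> _Bucket

    def allow(self, client_key: str, now: float) -> bool:
        """Return True if the request identified by client_key may proceed at time `now`."""
        b = self.buckets.get(client_key)
        if b is None:
            # A new client starts with a full bucket.
            b = _Bucket(tokens=float(self.capacity), last=now)
            self.buckets[client_key] = b
        # Refill proportionally to elapsed time, never exceeding capacity.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(float(self.capacity), b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False   # over the limit: the API should answer 429 Too Many Requests


def simulate(limiter: TokenBucketLimiter, client_key: str, timestamps: list) -> list:
    """Run a sequence of request times through the limiter; return the list of decisions."""
    return [limiter.allow(client_key, t) for t in timestamps]


if __name__ == "__main__":
    lim = TokenBucketLimiter(capacity=5, rate=1.0)
    print(simulate(lim, "key-a", [0.0] * 7))        # burst: 5 allowed, 2 rejected
    print(simulate(lim, "key-a", [2.0, 2.0, 2.0]))  # two seconds later: 2 refilled
```

With `capacity=5, rate=1.0`, seven requests at the same instant yield five accepts and two rejects; two seconds later two tokens have refilled, so the next two requests pass and the third is rejected. Keying the bucket on the authenticated client rather than the source IP is what makes the limit meaningful behind a NAT or a proxy.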

 

A modern enterprise also needs a security solution that can protect its APIs, data, and other assets from cyberattacks. This can be done by turning to API Security Platforms. API Security Platforms are a complete end-to-end security solution for protecting web APIs from attacks and securing data in transit and at rest. They provide authentication, authorization, encryption, anomaly detection, and protection against DDoS attacks. Although the market for integrated API security solutions is still in its beginning stages, a recent study found almost 70% of respondents ranked an API protection platform as “very important”.

Conclusion

API security is a critical component of the modern enterprise. Even if you’re not using APIs for your core service, there are still many other applications that rely on API-based services. That means there’s a lot at stake when it comes to ensuring that your organization isn’t vulnerable to attacks or fraud. It also means that you have to take some extra steps when securing access to those APIs. There is no one-size-fits-all solution for API security. Companies need to consider their needs and then find the best solution for them.


The 4 Most Common OWASP API Security Threats

The Open Web Application Security Project (OWASP) works to improve the security of software worldwide. OWASP’s well-known Top 10 lists increase awareness about the most critical security risks to web applications.

 

As the foundation for today’s app-driven economy, APIs have risen to the very top of those risks. API usage has exploded and has become ubiquitous across both external-facing and internal applications. To understand and mitigate unique API vulnerabilities and the growing threats against them, OWASP published its inaugural OWASP API Security Top 10.

 

The list provides companies with a good starting point for learning about the common weaknesses and security flaws that can exist within APIs. Of these, the most common are:

  1. BOLA (Broken Object Level Authorisation)
  2. Broken User Authentication
  3. Excessive Data Exposure
  4. Security Misconfiguration

 

BOLA

Accounting for about 40% of all API attacks, broken object level authorisation – or BOLA – represents the most prevalent API threat. Attackers can easily exploit API endpoints that are vulnerable to BOLA by manipulating the ID of an object sent within an API request. Because the server component typically does not fully track the client’s state, these vulnerabilities are extremely common in API-based applications.

BOLA authorization flaws can lead to data exfiltration as well as unauthorised viewing, modification, or destruction of data. BOLA can also lead to full account takeover (ATO).

Automatic static or dynamic testing cannot easily detect BOLA authorisation flaws. Traditional security controls, such as WAFs and API gateways, also miss these types of attacks because they cannot understand API context and so cannot baseline normal API behaviour.
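To make the BOLA pattern concrete, here is an added example (not code from the article or from Salt Security) of the same lookup handler written twice: once trusting the object id in the request, and once checking that the authenticated caller owns the object. The `INVOICES` store, the `Request` type and the user names are constructed for the example.

```python
"""BOLA in an API handler: vulnerable lookup beside the hardened one (added example).

A constructed in-memory store of invoices stands in for the database. The
vulnerable handler trusts the object id from the request; the hardened handler
also checks that the authenticated caller owns the object.
"""
from dataclasses import dataclass

# Constructed sample data: invoice id -> owner user id and amount.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


@dataclass
class Request:
    user: str        # user id established by authentication (not chosen by the client)
    invoice_id: int  # object id taken from the URL path or body (client-controlled)


def get_invoice_vulnerable(req: Request) -> tuple:
    """Vulnerable: any authenticated user can read any invoice just by changing the id."""
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_secure(req: Request) -> tuple:
    """Hardened: object-level authorization ties the object to the caller.

    Answering 404 rather than 403 for objects the caller does not own avoids
    confirming that the id exists; either status is acceptable as long as the
    ownership check runs on every access to every object.
    """
    inv = INVOICES.get(req.invoice_id)
    if inv is None or inv["owner"] != req.user:
        return 404, None
    return 200, inv


if __name__ == "__main__":
    print(get_invoice_vulnerable(Request("bob", 1001)))  # bob reads alice's invoice
    print(get_invoice_secure(Request("bob", 1001)))      # denied
    print(get_invoice_secure(Request("alice", 1001)))    # alice reads her own
```

The point the article makes about WAFs and API gateways is visible here: both requests from `bob` are well-formed, authenticated and syntactically identical to a legitimate one, so nothing short of knowing who owns invoice 1001 distinguishes them.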

 

Broken User Authentication

Broken user authentication allows attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorised access to applications. Attackers can take over user accounts, gain unauthorised access to another user’s data, and make unauthorised transactions. Authentication mechanisms present an easy target for attackers, particularly if they are fully exposed or public.

Technical factors that can lead to broken authentication in APIs include, among others, weak password complexity, missing account lockout thresholds, excessively long durations for password/certificate rotations, or use of API keys as the only authentication material.

Because traditional security controls lack the ability to track attack traffic over time, they cannot decipher the different forms of advanced attacks that target authentication.
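One of the technical factors listed above, a missing account lockout threshold, is straightforward to demonstrate. The following is an added example (not from the article or from Salt Security) of a login check for an API that counts consecutive failures per account and refuses authentication for a fixed period once the threshold is reached. It stores salted PBKDF2 hashes and compares them in constant time; the iteration count, the threshold and the lockout period are constructed values for the example, and the clock is passed in so the test is deterministic.

```python
"""Account lockout threshold for an API login endpoint (added example).

Tracks consecutive failed attempts per account and refuses authentication for
`lockout_seconds` once `threshold` failures are reached. The password check
uses a constant-time comparison of salted hashes. Time is injected for testing.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # timestamp before which logins are refused


@dataclass
class Authenticator:
    threshold: int = 5              # failures that trip the lockout
    lockout_seconds: float = 900.0  # how long the account stays locked
    accounts: dict = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same amount of work for unknown users to avoid a timing oracle.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"   # do not even evaluate the password while locked
        candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.threshold:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
        return "denied"


if __name__ == "__main__":
    auth = Authenticator(threshold=3, lockout_seconds=60.0)
    auth.register("alice", "correct horse")
    for t in (0.0, 1.0, 2.0):
        print(auth.login("alice", "wrong", t))            # denied x3, lockout trips
    print(auth.login("alice", "correct horse", 3.0))     # locked
    print(auth.login("alice", "correct horse", 63.0))    # ok
```

Returning `locked` without evaluating the password is deliberate: a credential-stuffing run gains nothing from a locked account, and the lockout events themselves are a useful signal to log and alert on.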

 

Excessive Data Exposure

APIs often send more information than is needed in an API response and leave it up to the client application to filter the data. However, relying on client-side code to filter sensitive data causes problems, as attackers regularly bypass client-side web and mobile application code and call APIs directly.

In the case of excessive data exposure, attackers hope that the API will provide more information than needed – ideally, information that they can use in more complex attacks. For example, an API request for user information might also produce the admin’s user name, multifactor authentication status, and other data that is completely unnecessary to the original request.

Traditional security scanning and runtime detection tools will sometimes alert on this type of vulnerability, but they are unable to differentiate between legitimate data returned from the API and sensitive data that should not be returned.
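The fix the passage implies, filtering on the server with an explicit allow-list, is shown in the added example below (not code from the article or from Salt Security). `USER_RECORD`, the role names and the field lists are constructed for the example. `respond_vulnerable` returns the whole record and leaves filtering to the client, `respond_secure` projects onto the allow-list for the caller's role, and `leaked_fields` is the kind of check that can run in tests or over captured responses to catch the difference the passage says scanners miss.

```python
"""Server-side response projection to prevent excessive data exposure (added example).

The constructed `USER_RECORD` is what a user-lookup API reads from its store.
`respond_vulnerable` returns the whole record and relies on the client to hide
fields; `respond_secure` projects the record onto an explicit allow-list that
depends on the caller's role, so nothing outside the list can leave the server.
`leaked_fields` is a small check you can run in tests or on captured responses.
"""

# Constructed sample record with fields the client has no business seeing.
USER_RECORD = {
    "id": 42,
    "display_name": "Alice",
    "email": "alice@example.com",
    "role": "admin",
    "mfa_enabled": True,
    "password_hash": "$argon2id$constructed-placeholder",
    "internal_notes": "flagged for review",
}

# Fields allowed in the response, per caller role. Anything not listed is dropped.
ALLOWED_FIELDS = {
    "public": {"id", "display_name"},
    "self": {"id", "display_name", "email", "mfa_enabled"},
    "support": {"id", "display_name", "email", "role"},
}

# Fields that must never appear in any API response, regardless of role.
NEVER_EXPOSE = {"password_hash", "internal_notes"}


def respond_vulnerable(record: dict) -> dict:
    """Vulnerable: ships the full record and leaves filtering to the client."""
    return dict(record)


def respond_secure(record: dict, caller_role: str) -> dict:
    """Hardened: project onto the role's allow-list; unknown roles get the public view."""
    allowed = ALLOWED_FIELDS.get(caller_role, ALLOWED_FIELDS["public"]) - NEVER_EXPOSE
    return {k: v for k, v in record.items() if k in allowed}


def leaked_fields(response: dict, caller_role: str) -> set:
    """Fields present in a response that the role's allow-list does not permit."""
    allowed = ALLOWED_FIELDS.get(caller_role, ALLOWED_FIELDS["public"])
    return set(response) - allowed


if __name__ == "__main__":
    print(leaked_fields(respond_vulnerable(USER_RECORD), "public"))   # five leaked fields
    print(respond_secure(USER_RECORD, "self"))                        # projected view
```

Because the allow-list is an explicit set, a new column added to the store later is dropped by default rather than exposed by default, which is the property a deny-list of sensitive names does not give you.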

 

Security Misconfiguration

Many security misconfigurations exist that often negatively impact API security as a whole and can inadvertently introduce vulnerabilities. Security misconfigurations can include insecure default configurations, incomplete configurations, misconfigured HTTP headers, verbose error messages, open cloud storage, and more.

Misconfigurations enable attackers to gain knowledge of the application and API components during their reconnaissance phase. Attackers can also exploit misconfigurations to pivot their attacks against APIs.
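Two of the misconfigurations named above, verbose error messages and missing response headers, can be put side by side in code. The following is an added example (not from the article or from Salt Security): `handle_error_verbose` mirrors an API that returns the exception text and stack trace to the caller, while `handle_error_hardened` returns a generic body with a correlation id, keeps the detail in the server log only, and applies a baseline set of headers. The header values and the failing helper are constructed for the example.

```python
"""Verbose error responses beside a hardened error handler (added example).

`handle_error_verbose` mirrors the misconfiguration of returning the exception
text and stack trace to the client. `handle_error_hardened` returns a generic
body with a correlation id, keeps the detail in the server log only, and sets
a baseline of response headers. The log is a list here so the example runs offline.
"""
import traceback
import uuid

# Constructed baseline headers for a JSON API response.
SECURE_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def _format_trace(exc: Exception) -> list:
    return traceback.format_exception(type(exc), exc, exc.__traceback__)


def handle_error_verbose(exc: Exception) -> tuple:
    """Misconfigured: leaks internals (exception message, file paths, frames) to the caller."""
    body = {"error": repr(exc), "trace": _format_trace(exc)}
    return 500, {"Content-Type": "application/json"}, body


def handle_error_hardened(exc: Exception, server_log: list) -> tuple:
    """Hardened: generic message for the client, full detail only in the server log."""
    ref = uuid.uuid4().hex   # correlation id so support can find the log entry
    server_log.append({"ref": ref, "error": repr(exc), "trace": _format_trace(exc)})
    body = {"error": "internal error", "ref": ref}
    return 500, dict(SECURE_HEADERS), body


def simulate_failure() -> Exception:
    """Raise from a helper so the traceback carries a file path and function name."""
    def lookup_record(db_path):
        raise FileNotFoundError(f"cannot open {db_path}")   # constructed failure
    try:
        lookup_record("/srv/api/data/records.db")           # constructed path
    except Exception as exc:
        return exc


if __name__ == "__main__":
    exc = simulate_failure()
    print(handle_error_verbose(exc)[2]["error"])      # path and exception type leak
    log = []
    print(handle_error_hardened(exc, log)[2])         # only "internal error" and a ref
    print(log[0]["error"])                            # detail stays server-side
```

The verbose variant is what an attacker's reconnaissance phase feeds on: internal paths, library names and exception types narrow down the stack without a single successful request.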

 

Defending Against API Attacks Requires Context

By their nature, APIs expose application logic. Hackers do lots of experimentation to try to identify gaps in that business logic that they can exploit. The reconnaissance needed to propagate attacks like these takes a lot of time. A single API attack can take hours, days, or even weeks to unfold.

To defend against them, organizations must analyse large amounts of API traffic and API activity over time. Spotting abuses, such as BOLA, requires continuous monitoring of millions of API calls and users. Large-scale data analysis, in near real time, is essential to establish a baseline of typical API activity and the anomalies that don’t align – this is the kind of context teams need to spot API abuses.

Differentiating between legitimate requests and requests that lack proper authentication or authorization also requires rich context. Organizations need to analyse all API activity to identify attempts to exfiltrate too much data or gain access to unauthorised private data.

Server- or VM-based API security approaches simply don’t have a broad enough data set over time to identify today’s sophisticated API attacks. Only cloud-scale big data combined with AI and ML can collect, store, and quickly analyse hundreds of attributes across millions of users and API calls and correlate them. Cloud-scale big data provides the breadth and depth of context that organisations need to protect their APIs.
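What "context over time" means in practice can be shown with detection logic over a log. The following added example (not from the article or from Salt Security) parses constructed API access-log lines, keeps a per-user timeline, and flags users who touch many distinct object ids within a sliding window, the BOLA reconnaissance pattern described earlier in the post. Any single line is unremarkable; only the timeline over hours makes `mallory` stand out. The log format, user names, paths, window and threshold are all constructed for the example.

```python
"""Spotting object-id enumeration across an API log over time (added example).

Each constructed log line records one API call: timestamp, authenticated user,
method, path, HTTP status. A single call looks normal; what stands out is one
user touching many distinct object ids over hours, most of them rejected.
`enumeration_suspects` keeps a per-user sliding window and flags users whose
distinct-object count within `window` reaches `threshold`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
OBJECT_RE = re.compile(r"^/api/invoices/(?P<id>\d+)$")

# Constructed sample log: alice and bob read their own invoices; mallory walks the id space.
SAMPLE_LOG = """\
2022-11-03T08:00:01Z user=alice GET /api/invoices/1001 200
2022-11-03T08:05:10Z user=bob GET /api/invoices/1002 200
2022-11-03T09:00:00Z user=mallory GET /api/invoices/1001 404
2022-11-03T11:30:00Z user=mallory GET /api/invoices/1002 404
2022-11-03T14:00:00Z user=mallory GET /api/invoices/1003 200
2022-11-03T17:45:00Z user=mallory GET /api/invoices/1004 404
2022-11-03T20:10:00Z user=alice GET /api/invoices/1001 200
2022-11-04T02:00:00Z user=mallory GET /api/invoices/1005 404
2022-11-04T06:30:00Z user=mallory GET /api/invoices/1006 404
"""


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    obj = OBJECT_RE.match(m["path"])
    return {"ts": ts, "user": m["user"], "object": obj["id"] if obj else None, "status": int(m["status"])}


def enumeration_suspects(log_text: str, window=timedelta(hours=24), threshold: int = 4) -> dict:
    """Return {user: (distinct_ids, rejected_calls)} for users reaching threshold in any window.

    The value recorded is the largest window seen for that user, so the count
    reflects the full extent of the walk rather than the moment it first tripped.
    """
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e and e["object"]]
    events.sort(key=lambda e: e["ts"])
    per_user = defaultdict(deque)   # user -> events inside the current window
    suspects = {}
    for e in events:
        q = per_user[e["user"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()             # drop events that fell out of the window
        distinct = {x["object"] for x in q}
        rejected = sum(1 for x in q if x["status"] in (403, 404))
        if len(distinct) >= threshold:
            prev = suspects.get(e["user"], (0, 0))
            suspects[e["user"]] = max(prev, (len(distinct), rejected))
    return suspects


if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))   # {'mallory': (6, 5)}
```

Shrinking the window to an hour finds nothing, because each of `mallory`'s requests is hours apart; that is exactly the low-and-slow pattern the post describes, and why a detector that only sees one request, or one hour, at a time misses it.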


Liferea News Reader 1.13.9 Adds Google Reader API Support

The GTK feed reader Liferea recently released version 1.13.9 with generic Google Reader API support, UI improvements, and bug fixes.

This is the last release of the 1.13 unstable series of Liferea (Linux Feed Reader). It makes it possible to import from FeedHQ, FreshRSS, BazQux, and other feed readers using the Google Reader API (excluding Miniflux, due to this bug).

So now, besides manually adding websites, it supports adding the following sources:

  • Planet, BlogRoll, OPML.
  • Google Reader API.
  • Reedah.
  • Tiny Tiny RSS.
  • TheOldReader.
  • Miniflux.

Other changes in this release include:

  • Update to Readability.js 0.41 for better image and table handling.
  • Improve HTML5 extraction.
  • Hide unused expander space in the item list and drop the enclosure icon from the item list, which saves horizontal space.
  • Improve performance by a different check order in itemset merging.
  • Fix subscribing defaulting to HTML5 feeds even when real feeds exist.

How to Get Liferea 1.13.9:

For Linux distributions with Flatpak support out of the box, e.g., Linux Mint, Pop!_OS and Fedora, you may simply search for and install the software package as a Flatpak from the system package manager.

For Ubuntu-based users who prefer the classic .deb package, here’s the unofficial PPA that contains the package for Ubuntu 20.04 and Ubuntu 22.04.

1. First, press Ctrl+Alt+T on the keyboard to open a terminal. When it opens, run the command below to add the PPA:

sudo add-apt-repository ppa:ubuntuhandbook1/apps

2. Next, either update the feed reader from an existing release via “Software Updater” or run the command below to install it:

sudo apt install liferea

NOTE: Linux Mint users need to first run sudo apt update to refresh the package cache manually.

Uninstall:

For any issue, you may uninstall the PPA repository by running the command below in terminal:

sudo add-apt-repository --remove ppa:ubuntuhandbook1/apps

And remove the Liferea news reader either via your system package manager or by running the command below in a terminal:

sudo apt remove --autoremove liferea liferea-data

Salt Security Platform Enhancements Make it Easier to Operationalise API Security

Salt Security, the leading API security company, has announced new enhancements to its next-generation Salt Security API Protection Platform, extending abilities in threat detection and pre-production API testing. The latest features include deeper and earlier insights into attacker behaviours and attack patterns, visual depictions of API call sequences, and support for attack simulation ahead of releasing APIs into production. With the new capabilities, Salt enhances its market-leading capabilities in runtime protection, providing organisations a more comprehensive view of API usage and the API attack surface so they can improve their business understanding and accelerate incident response time.

Building upon its existing threat detection and monitoring algorithms, the Salt platform provides organizations with quick, automatic, and continuous visibility into any risks or vulnerabilities within their API ecosystem. Customers can more easily spot and block API attacks before bad actors can reach their objective, and they can also more quickly identify unusual API usage patterns and remediate API vulnerabilities.

New features in the Salt Security API Protection Platform include:

  • Threat hunting capabilities within more detailed attacker timelines – Salt continues to be the only API security company that creates a consolidated attacker timeline. New platform capabilities support threat hunting and better illumination of the sequence of attacker steps, enabling organisations to conduct faster incident analysis and expedite remediation efforts. 
  • Visualization of API Call Sequences – Salt becomes the first API security vendor to offer a visual depiction of the various paths that API calls are following. This visualisation makes clear how users are interacting with APIs, revealing actions that should and should not be allowed, how users or services are entering digital systems, usage that shouldn’t be allowed, API design flaws, and other usage details.  
  • Contextual API security testing – Salt is making robust attack simulation capabilities available across runtime, pre-production, and development cycles. These simulations can help organisations identify business logic flaws early in the lifecycle, and integration with CI/CD systems means developers can address security gaps before releasing APIs.  

In the Salt Security State of API Security Report, Q1 2022, 86% of respondents admitted to lacking confidence in knowing which APIs expose sensitive data. Identifying and monitoring for API vulnerabilities in real time is crucial for protecting companies’ vital assets so they can focus on business operations instead of risk.

“Bad actors work tirelessly to refine their tactics and techniques to make threats more difficult to detect. Successfully defending against modern, sophisticated API attacks requires solutions that can swiftly detect illegitimate activity and behavioural abnormalities in real-time,” said Elad Koren, Chief Product Officer, Salt Security. “Our latest platform capabilities deliver critical insights sooner and across the full API lifecycle. With increased context over time, combined with automated threat alerts, organizations can better defend themselves against attacks and fix API vulnerabilities before they can be exploited.”


Giving API Security the spotlight

IT Security Guru recently sat down with Michelle McLean, VP of product marketing at Salt Security, to learn more about API security as its own discipline and how it supports cyber resiliency in large enterprises on their digital transformation journeys. 

Michelle started her career working as a technology journalist for almost a decade and has since held marketing leadership roles in a variety of enterprise security and software companies, as well as an advisory role at META Group. She has recognised that the majority of businesses today, even more so since the pandemic, are fuelled by applications, and these are built on Application Programming Interfaces (APIs) for the transmission and retrieval of data. This, she says, has led attackers to get through the more traditional security defences that typically protect applications, like web application firewalls, and attack the APIs themselves.

“Those kinds of security devices see a single snapshot at a time and they look for known patterns of bad, so they can stop that known pattern of bad. But with APIs, bad actors attack differently,” she said. “They’re trying to figure out your API and they’re trying to look for a business logic gap. Maybe you ask for authentication at the beginning, but then in a later request you don’t ask for authentication, or you don’t ask for authorisation, and so the threat actor manipulates what they’re doing in the API call and they get data they shouldn’t have access to. Many well-known API attacks in the US such as those on Experian and Peloton were done via the API.”

Detecting attacks on APIs is therefore far more nuanced and requires deep context and richer information to remediate. This is an area where Salt Security stands out because its architecture is built on cloud-scale big data that provides the whole picture needed to correlate an attacker’s reconnaissance efforts and say, “we have a problem”.  

“Salt is focused on applying really rich information and context across the API life cycle to protect APIs. We do full discovery: what are the APIs that are running? What sensitive data do they expose? We baseline what constitutes ‘normal’ and so bad traffic always stands out even if it’s a tiny, tiny percentage. But you need to find the manipulations, as well as the reconnaissance activity of the bad actors, to be able to find it. That’s where Salt really shines – at finding those run-time attacks,” Michelle explained.

“We store data over days and weeks. API attacks unfold over a really long period of time, so if you only see a finite amount of data, you’re going to miss 95% of the attacks that happen in a given time period,” she continued. “You need to see way more data and have a very rich understanding of the whole picture. By knowing what a bad actor did an hour ago, a day ago, a week ago, along with being able to correlate it in real time is how you find these kinds of attacks.” 

Another focus area in security is “shift-left”, which describes the process of doing things better and more securely from the start in order to shorten the cyber kill chain. For Salt, this means helping customers write better APIs and making them more secure over time, something which is vital to large organisations in financial, retail, pharmaceutical and medical industries that process huge amounts of valuable data through APIs. 

As organisations continue to digitise at scale, Michelle encourages young people to join the cybersecurity industry, noting the well-known shortage of well-trained people.  

“I think it’s one of the most exciting and honestly one of the most inclusive and diverse communities in tech, which I find very promising. However, let’s have reasonable expectations around how we bring more people into the industry; rather than having a very high bar of university degree, and X number of experiences, bring people in and train them. We can absolutely do that.  

“There’s constant innovation. If you think about how bad actors keep evolving with their own creativity and how the industry in turn keeps evolving to keep up and stay ahead – I think the cycle of innovation is very exciting,” Michelle concluded. 
