API Security | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a new malicious package on the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne, a major cybersecurity company, as part of a campaign dubbed  SentinelSneak . The package, named  SentinelOne  and now taken down, is said to have been published between December 8 and 11, 2022, with nearly two dozen versions pushed in quick succession over a period of two days. It claims to offer an easier method to access the  company's APIs , but harbors a malicious backdoor that's engineered to amass sensitive information from development systems, including access credentials, SSH keys, and configuration data. What's more, the threat actor has also been observed releasing two more packages with similar naming variations –  SentinelOne-sdk  and  SentinelOneSDK  – underscoring the  continued threats  lurking in open source repositories. "The SentinelOne imposter package is just the lat

API attacks are on the rise. One of their major targets is eCommerce firms like yours.  APIs are a vital part of how eCommerce businesses are accelerating their growth in the digital world.  ECommerce platforms use APIs at all customer touchpoints, from displaying products to handling shipping. Owing to their increased use, APIs are attractive targets for hackers, as the following numbers expose:  API attack traffic increased by  681% in 2021    77% of retail respondents experienced API security incidents in 2021– according to  Noname security If left unaddressed, API abuse can damage your reputation, harm consumers, and affect the bottom line. Hence  API security  is worthy of consideration for eCommerce stakeholders. Why do eCommerce companies need APIs? API makes it easy for retailers and eCommerce platforms to handle product listings and orders. It transformed the static website into a completely customizable headless store. Retailers use APIs for various functions, inclu

There are several myths and misconceptions about API security. These myths about securing APIs are crushing your business.  Why so? Because these myths are widening your security gaps. This is making it easier for attackers to abuse APIs. And API attacks are costly. Of course, you will have to bear financial losses. But there are other consequences too:  Reputational damage  Customer attrition  Loss of customer trust  Difficulty in acquiring new customers Legal costs  Massive fines and penalties for non-compliance In this article, we will debunk the top 5 myths about  securing APIs   Secure APIs Better: Top 5 API Security Myths Demystified  Myth 1: API Gateways, Existing IAM Tools, and WAFs are Enough to Secure API Reality:   These aren't enough to secure your APIs. They are layers in API security. They need to be part of a larger security solution.  API gateways monitor endpoints. They provide visibility into API usage. They offer some level of access control and rate-l

Security threats are always a concern when it comes to APIs. API security can be compared to driving a car. You must be cautious and review everything closely before releasing it into the world. By failing to do so, you're putting yourself and others at risk. API attacks are more dangerous than other breaches. Facebook had a 50M user account affected by an API breach, and an API data breach on the Hostinger account exposed 14M customer records.  If a hacker gets into your API endpoints, it could spell disaster for your project. Depending on the industries and geographies you're talking about, insecure APIs could get you into hot water. Especially in the EU, if you're serving the banking, you could face massive legal and compliance problems if you're discovered to be using insecure APIs.  To mitigate these risks, you need to be aware of the potential  API vulnerabilities  that cybercriminals can exploit.   6 Commonly Overlooked API Security Risks #1 No API Visibili

July may positively disrupt and adrenalize the old-fashioned Dynamic Application Security Scanning (DAST) market, despite the coming holiday season. The pathbreaking innovation comes from ImmuniWeb, a global application security company, well known for, among other things, its free  Community Edition  that processes over 100,000 daily security scans of web and mobile apps.  Today, ImmuniWeb announced that its new product –  Neuron  – is publicly available. This would be another boring press release by a software vendor, but the folks from ImmuniWeb managed to add a secret sauce that you will unlikely be able to resist tasting. The DAST scanning service is flexibly available as a SaaS, and unsurprisingly contains all fashionable features commonly advertised by competitors on the rapidly growing global market, spanning from native CI/CD integrations to advanced configuration of security scanning, pre-programmed or authenticated testing.  But the groundbreaking feature is Neuron's

With the growth in digital transformation, the API management market is set to grow  by more than 30%   by the year 2025 as more businesses build web APIs and consumers grow to rely on them for everything from mobile apps to customized digital services. As part of strategic business planning, an API helps generate revenue by allowing customers access to the functionality of a website or computer program through custom applications. As more and more businesses are implementing APIs, the risk of API attacks increases. By 2022, Gartner predicted that API (Application Programming Interface) attacks would become the most common attack vector for enterprise web applications. Cybercriminals are targeting APIs more aggressively than ever before, and businesses must take a proactive approach to  API security  to combat this new aggression. API and The Business World With integrating APIs into modern IT environments, businesses are becoming increasingly data-driven. Just as a restaurant

The following article is based on a  webinar series on enterprise API security by Imvision , featuring expert speakers from IBM, Deloitte, Maersk, and Imvision discussing the importance of centralizing an organization's visibility of its APIs as a way to accelerate remediation efforts and improve the overall security posture. Centralizing security is challenging in today's open ecosystem When approaching API visibility, the first thing we have to recognize is that today's enterprises actively avoid managing all their APIs through one system. According to IBM's Tony Curcio, Director of Integration Engineering, many of his enterprise customers already work with hybrid architectures that leverage classic on-premise infrastructure while adopting SaaS and IaaS across various cloud vendors.  These architectures aim to increase resilience and flexibility, but are well aware that it complicates centralization efforts' to: 'These architectures aim to increase resilie

This article was written by Peter Gerdenitsch, Group CISO at Raiffeisen Bank International, and is based on a presentation given during Imvision's Executive Education Program, a series of events focused on how enterprises are taking charge of the API security lifecycle. Launching the "Security in Agile" program Headquartered in Vienna, Raiffeisen Bank International (RBI) operates across 14 countries in Central and Eastern Europe with around 45,000 employees. Our focus is on providing universal banking solutions to customers, as well as developing digital banking products for the retail and corporate markets. Accordingly, RBI has a substantial R&D division, making for a very large community of IT and engineering professionals all over Europe. Back in 2019, we began shifting to a product-led agile setup for RBI, introducing various security roles contributing and collaborating to achieve our strategic goals. As part of this journey, we established the security champ

After more than 20 years in the making, now it's official: APIs are everywhere. In a 2021 survey,  73% of enterprises reported that they already publish more than 50 APIs , and this number is constantly growing. APIs have crucial roles to play in virtually every industry today, and their importance is increasing steadily, as they move to the forefront of business strategies. This comes as no surprise: APIs seamlessly connect disparate apps and devices, bringing business synergies and efficiencies never witnessed before.  However, APIs have vulnerabilities just like any other component of the software. Adding to that, if they aren't rigorously tested from a security standpoint, they can also introduce a whole new array of attack surfaces and expose you to unprecedented risks. If you wait until production to discover API vulnerabilities, you can incur substantial delays. APIs are attractive to attackers, not just businesses Keep in mind that APIs do more than simply connect

An unprotected database belonging to JustDial , India's largest local search service, is leaking personally identifiable information of its every customer in real-time who accessed the service via its website, mobile app, or even by calling on its fancy "88888 88888" customer care number, The Hacker News has learned and independently verified. Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings. Rajshekhar Rajaharia , an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial's database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers. The leaked data includes JustDial users' na

Google today revealed that Google+ has suffered another massive data breach, forcing the tech giant to shut down its struggling social network four months earlier than its actual scheduled date, i.e., in April 2019 instead of August 2019. Google said it discovered another critical security vulnerability in one of Google+'s People APIs that could have allowed developers to steal private information on 52.5 million users, including their name, email address, occupation, and age. The vulnerable API in question is called "People: get" that has been designed to let developers request basic information associated with a user profile. However, software update in November introduced the bug in the Google+ People API that allowed apps to view users' information even if a user profile was set to not-public. Google engineers discovered the security issue during standard testing procedures and addressed it within a week of the issue being introduced. The company said

The United States Postal Service has patched a critical security vulnerability that exposed the data of more than 60 million customers to anyone who has an account at the USPS.com website. The U.S.P.S. is an independent agency of the American federal government responsible for providing postal service in the United States and is one of the few government agencies explicitly authorized by the United States Constitution. The vulnerability is tied to an authentication weakness in an application programming interface (API) for the USPS "Informed Visibility" program designed to help business customers track mail in real-time. 60 Million USPS Users' Data Exposed According to the cybersecurity researcher, who has not disclosed his identity, the API was programmed to accept any number of "wildcard" search parameters, enabling anyone logged in to usps.com to query the system for account details belonging to any other user. In other words, the attacker could