This week, we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly with weak or no passwords on API connections), there’s an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API security training course from AppSecEngineer.
Vulnerability: Compromised Google Cloud Accounts Used to Mine Cryptocurrency
The main story this week comes from HackerNews and describes how attackers are able to exploit improperly secured Google Cloud Platform (GCP) tenants. The impact on affected users included compromising their cloud resources, like uploading cryptocurrency mining software, and ransomware and phishing attacks.
Of greatest concern is that the accounts could be compromised due to a lack of basic hygiene on the cloud tenants. The most common issue, and the most common route of compromise, affecting 48% of the instances, was a weak or no password on user accounts and API connections, which gave attackers easy access to the cloud instances. Other exploits included installing third-party software in the cloud instances and leaking credentials through GitHub repositories.
The key takeaway here is that whilst cloud platforms are a great business enabler, their complexity frequently leads to misconfiguration, which results in potentially vulnerable deployments. Additionally, skilled attackers know what the common misconfigurations are and home in on them, making such systems easy to exploit.
Article: GraphQL as an API Gateway
An interesting article this week by Tj Blogumas describes a novel approach to using GraphQL as an API gateway.
Blogumas describes a typical design problem encountered in the adoption of a microservices architecture: how to present a single frontend to consumers without exposing the complexity of the backing microservices mesh. Traditionally, this has been the domain of API gateways, but Blogumas demonstrates how a GraphQL frontend can achieve the same effect.
Of interest here is how you can implement security controls at the GraphQL gateway level rather than in the backing microservice APIs. The main advantage of this approach is that security controls are centralized in one place, implemented once at the gateway rather than in each individual API. This reduces the burden on development teams and reduces the likelihood that such controls are accidentally omitted.
Blogumas provides several examples of the type of security controls that can be implemented, such as:
- Depth limiting: Reduce the depth of allowed queries to reduce the impact of Denial of Service (DoS) based attacks.
- Rate limiting: Reduce the rate at which requests can be made to specific API endpoints to mitigate the effect of DoS or brute force attacks.
- Query cost limitations: Reject excessively complex queries to mitigate DoS attacks.
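To make the three controls above concrete, here is an added example (not code from Blogumas's article or from any GraphQL gateway product) of the kind of pre-flight checks a gateway can run before forwarding a query to the backing microservices: a depth analyser, a cost estimator, and a token-bucket rate limiter. It assumes a simplified GraphQL subset (plain selection sets with inline arguments, no fragments or variables), reads the requested list size from a hypothetical `first` or `limit` argument, and uses illustrative limit values; the helper names (`analyzeQuery`, `TokenBucketLimiter`) are this example's own.

```javascript
// Added example, not part of the original article: gateway-side query
// depth/cost checks and a token-bucket rate limiter, dependency-free.
// Assumptions: GraphQL subset without fragments/variables; list size taken
// from a `first` or `limit` argument (default 1); limits are illustrative.

// Tokenize the subset: braces, parens, colons, strings, ints, identifiers.
function tokenize(src) {
  const re = /\s+|,|\{|\}|\(|\)|:|"(?:[^"\\]|\\.)*"|-?\d+|[A-Za-z_][A-Za-z0-9_]*/g;
  const tokens = [];
  let last = 0;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (m.index !== last) throw new Error(`unexpected input at offset ${last}`);
    last = re.lastIndex;
    if (!/^\s+$/.test(m[0]) && m[0] !== ',') tokens.push(m[0]);
  }
  if (last !== src.length) throw new Error(`unexpected input at offset ${last}`);
  return tokens;
}

// Parse a selection set starting at tokens[pos] === '{'.
// Returns [fields, nextPos]; each field is { name, args, children }.
function parseSelectionSet(tokens, pos) {
  if (tokens[pos] !== '{') throw new Error(`expected '{' at token ${pos}`);
  pos += 1;
  const fields = [];
  while (tokens[pos] !== '}') {
    if (pos >= tokens.length) throw new Error('unterminated selection set');
    const name = tokens[pos++];
    if (!/^[A-Za-z_]/.test(name)) throw new Error(`bad field name ${name}`);
    const args = {};
    if (tokens[pos] === '(') {
      pos += 1;
      while (tokens[pos] !== ')') {
        if (pos >= tokens.length) throw new Error('unterminated argument list');
        const argName = tokens[pos++];
        if (tokens[pos++] !== ':') throw new Error(`expected ':' after ${argName}`);
        const raw = tokens[pos++];
        args[argName] = /^-?\d+$/.test(raw) ? Number(raw) : raw;
      }
      pos += 1; // skip ')'
    }
    let children = [];
    if (tokens[pos] === '{') [children, pos] = parseSelectionSet(tokens, pos);
    fields.push({ name, args, children });
  }
  return [fields, pos + 1]; // skip '}'
}

function parseQuery(src) {
  const tokens = tokenize(src);
  let pos = 0;
  if (tokens[pos] === 'query' || tokens[pos] === 'mutation') {
    pos += 1;
    if (tokens[pos] !== '{') pos += 1; // optional operation name
  }
  const [fields, end] = parseSelectionSet(tokens, pos);
  if (end !== tokens.length) throw new Error('trailing tokens after selection set');
  return fields;
}

// Depth limiting: `{ a { b } }` has depth 2.
function maxDepth(fields) {
  let depth = 0;
  for (const f of fields) depth = Math.max(depth, 1 + maxDepth(f.children));
  return depth;
}

// Query cost: each field costs 1, and a field's children are multiplied by
// the requested list size, so `users(first: 100) { posts(first: 10) { title } }`
// is charged for the objects it can actually fan out to, not for 3 fields.
function estimateCost(fields) {
  let total = 0;
  for (const f of fields) {
    const n = Number(f.args.first ?? f.args.limit ?? 1);
    const size = Number.isFinite(n) ? Math.max(0, n) : 1;
    total += 1 + size * estimateCost(f.children);
  }
  return total;
}

// Gateway decision: reject before any backing service is called.
function analyzeQuery(query, limits = { maxDepth: 5, maxCost: 1000 }) {
  const fields = parseQuery(query);
  const depth = maxDepth(fields);
  const cost = estimateCost(fields);
  const reasons = [];
  if (depth > limits.maxDepth) reasons.push(`depth ${depth} exceeds ${limits.maxDepth}`);
  if (cost > limits.maxCost) reasons.push(`cost ${cost} exceeds ${limits.maxCost}`);
  return { depth, cost, allowed: reasons.length === 0, reasons };
}

// Rate limiting: token bucket per caller (API key, user id, source IP).
// `now` (seconds) is injected so the behaviour is deterministic in tests;
// `units` lets expensive queries consume more of the caller's budget.
class TokenBucketLimiter {
  constructor(capacity, refillPerSecond) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.buckets = new Map();
  }
  allow(key, now, units = 1) {
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, last: now }; this.buckets.set(key, b); }
    b.tokens = Math.min(this.capacity, b.tokens + (now - b.last) * this.refillPerSecond);
    b.last = now;
    if (b.tokens < units) return false;
    b.tokens -= units;
    return true;
  }
}
```

The cost model is the point worth noting: a query with only three fields can request a hundred users with ten posts each, and a gateway that counts fields rather than estimated result size would wave it through. Charging rate-limit units by estimated cost (`allow(key, now, cost)`) ties the two controls together.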
An interesting take on API architecture that we will surely hear more about.
Guide: “Awesome API Security” Guide
We have featured some excellent API security guides in this newsletter (such as the one last week by Inon Shkedy), and this week it is the turn of the "Awesome API Security" guide by André Rainho.
This very comprehensive guide covers topics including:
- Tools
- Mind mapping
- Checklists and cheatsheets
- Training, walkthroughs, and laboratories
- Enumeration and scanning
- Fuzzing and API keys
- Firewalls
- Presentations, videos, playlists, and podcasts
- Design and architecture
- Specifications
This is bound to prove an invaluable resource for anyone working in or around API security — thanks to André for this great resource!
Training: AppSecEngineer’s 2021 Guide to API Security
Finally, for this week, we have news of upcoming API security training courses by the AppSecEngineer team, featured in their review of API security in 2021.
The course includes a deep dive into both offensive and defensive techniques for API developers. On offense, it covers typical vulnerabilities specific to REST APIs and how malicious actors can exploit them. On defense, it focuses on defensive techniques in a hands-on laboratory environment that follows the OWASP API Security Top 10 as a content outline.
It’s always good to see new API security training and — based on previous AppSecEngineer courses — this should prove to be a great success.
You can subscribe to this newsletter at APIsecurity.io.
Article source: API Security Weekly: Issue 162
Reposted by: 小站; please credit the source when reposting: http://blog.gzcity.top/4280.html