The inside trace.

Applications on the internet today rely a lot on third-party integrations. And why shouldn’t they, when it helps developers focus more on the core product than tangling with different features? For instance, you could use a simple tool to handle your email marketing campaigns, or you could use a third-party payment provider to handle all the payments on your website.

A look at the challenges teams face with mitigating Log4j vulnerabilities (i.e. Log4Shell) and how Traceable AI closes those gaps.

The new Log4j vulnerability (Log4Shell) has gotten the Internet up in arms. There are active exploits and scanning for the vulnerability is rampant. The vulnerability is widespread and will take time to resolve everywhere. Here’s how can Traceable AI help.

A popular fairy tale told in IT circles is that the internet is built on a perfectly orchestrated 7-layer stack. A popular extension of this notion is that enterprises can secure their infrastructure using a layered approach to security. Like most fairy tales, there is some truth in these stories.

December has finally come and Traceable AI has released a whole new suite of software features for our customers, with the continued aim of ensuring the best API Security solution on the market.

Today’s modern organizations are powered through mission-critical applications deployed in the cloud to drive their businesses. The building blocks of these applications are microservices developed by small teams of developers that enable rapid release cycles to deliver features to market more quickly. The connective tissue that binds these microservices together to work in tandem are APIs.

We are pleased to announce that Traceable AI has added a new agentless deployment option of traffic mirroring for customers who wish to deploy an API security solution to protect their API-driven applications.

In 2019, I hacked 30 bank mobile apps and APIs in coordination with domestic and international financial services and FinTech companies. In 2020-2021, I hacked 30 mobile health (mHealth) apps and FHIR APIs in coordination with healthcare providers, giving me access to thousands of patient records via their APIs due to broken authentication and authorization vulnerabilities. This year, in coordination with federal and state law enforcement agencies, I was able to take remote control of law enforcement vehicles through the automaker’s APIs.

Bold security threats are giving rise to a new industry of API-specific security capabilities much more powerful than current management tools.

In this article, I dig into the details about Broken Object Level Authorization (BOLA) — the most common and most severe API vulnerability today according to the OWASP API Security Project. Insecure Direct Object Reference (IDOR) and BOLA are the same thing. The name was changed from IDOR to BOLA as part of the project.