The inside trace.

We are pleased to announce that Traceable AI has added a new agentless deployment option of traffic mirroring for customers who wish to deploy an API security solution to protect their API-driven applications.

In 2019, I hacked 30 bank mobile apps and APIs in coordination with domestic and international financial services and FinTech companies. In 2020-2021, I hacked 30 mobile health (mHealth) apps and FHIR APIs in coordination with healthcare providers, giving me access to thousands of patient records via their APIs due to broken authentication and authorization vulnerabilities. This year, in coordination with federal and state law enforcement agencies, I was able to take remote control of law enforcement vehicles through the automaker’s APIs.

Bold security threats are giving rise to a new industry of API-specific security capabilities much more powerful than current management tools.

In this article, I dig into the details about Broken Object Level Authorization (BOLA) — the most common and most severe API vulnerability today according to the OWASP API Security Project. Insecure Direct Object Reference (IDOR) and BOLA are the same thing. The name was changed from IDOR to BOLA as part of the project.

Imagine you are supposed to build a python service using machine learning model (trained offline) to detect if a web request is anomalous or not. The requests are coming at a rate of 1000 per second initially but will gradually increase as your main application reaches more customers.

At Traceable, we’ve been keeping very busy in the last couple of months. During this time, we launched a number of exciting new offerings and key features with the continued aim to help our customers to have the best API Security solution in the industry.

Security is really important. There is nothing like the gut-wrenching feeling of exposing users’ data. However, security isn’t the most exciting part of web development and is often ignored. Using AWS CloudFront and AWS WAF together, you can add some security to your sites with less work and focus on making features for your users.

APIs are the pipes that connect various applications and (micro)services. As data flows through them, security is of utmost importance to prevent data leakage. Also, since APIs are like doors into your application, they’re the obvious entry point for attackers who want to break your system.

The majority of organizations rely heavily on third-party web applications connected through APIs to generate revenue and serve customers. In many cases, these web applications contain security vulnerabilities.

Better security rules increase false positives — which causes more complacency. Better tools for creating the context for more sophisticated rules and automated workflows can help.