Spring4shell vulnerability (CVE-2022-22965) enables Remote Code Execution when using the Spring Framework
app security
Subscribe for expert insights to protect your applications.
Thanks! Your subscription has been recorded.
Spring4shell vulnerability (CVE-2022-22965) enables Remote Code Execution when using the Spring Framework
Spring4shell vulnerability (CVE-2022-22965) enables Remote Code Execution when using the Spring Framework
How Do Mass Assignment Vulnerabilities Impact My Business?
By the end of the post, you’ll understand what mass assignment is and how it leads to a vulnerability. We’ll also look at some examples and understand its impact on business.
Observability, AI And Context: Protecting APIs From Today’s (And Tomorrow’s) Attacks
Security and IT teams need to tackle this problem in a structured process that takes into account API application security best practices and procedures that constantly evaluate an organization’s APIs.
Instant Log4j protection. Shield and hunt with Traceable AI
A look at the challenges teams face with mitigating Log4j vulnerabilities (i.e. Log4Shell) and how Traceable AI closes those gaps.
Traceable AI Protects Against the Log4j / Log4Shell Vulnerabilities
The new Log4j vulnerability (Log4Shell) has gotten the Internet up in arms. There are active exploits and scanning for the vulnerability is rampant. The vulnerability is widespread and will take time to resolve everywhere. Here’s how can Traceable AI help.
How to take a layered approach to API security
A popular fairy tale told in IT circles is that the internet is built on a perfectly orchestrated 7-layer stack. A popular extension of this notion is that enterprises can secure their infrastructure using a layered approach to security. Like most fairy tales, there is some truth in these stories.
Traceable AI Software Release – November 2021 Update
December has finally come and Traceable AI has released a whole new suite of software features for our customers, with the continued aim of ensuring the best API Security solution on the market.
Securing your APIs with Traceable AI agentless deployments
We are pleased to announce that Traceable AI has added a new agentless deployment option of traffic mirroring for customers who wish to deploy an API security solution to protect their API-driven applications.
The Perils of Overestimating the Security of Your APIs
In 2019, I hacked 30 bank mobile apps and APIs in coordination with domestic and international financial services and FinTech companies. In 2020-2021, I hacked 30 mobile health (mHealth) apps and FHIR APIs in coordination with healthcare providers, giving me access to thousands of patient records via their APIs due to broken authentication and authorization vulnerabilities. This year, in coordination with federal and state law enforcement agencies, I was able to take remote control of law enforcement vehicles through the automaker’s APIs.
API Management Gateways Don’t Provide Enough Security
Bold security threats are giving rise to a new industry of API-specific security capabilities much more powerful than current management tools.
A Deep Dive On The Most Critical API Vulnerability — BOLA (Broken Object Level Authorization)
In this article, I dig into the details about Broken Object Level Authorization (BOLA) — the most common and most severe API vulnerability today according to the OWASP API Security Project. Insecure Direct Object Reference (IDOR) and BOLA are the same thing. The name was changed from IDOR to BOLA as part of the project.
WAF vs. RASP: A Comparison and Guide to Leveraging Both
The majority of organizations rely heavily on third-party web applications connected through APIs to generate revenue and serve customers. In many cases, these web applications contain security vulnerabilities.
Planning for Modern Application Security Forensics and Exploration
As part of DevSecOps best practices, modern application developers and security teams should borrow techniques from crime scene forensics to investigate and protect against attacks.
Announcing Traceable AI – The First Free API Security Solution
Today marks an exciting milestone for us and for the security industry overall. Today, we are announcing the industry’s first free API security solution.
API Authentication and Authorization the Right Way — Part 3
Teams need to address three core elements to develop an effective yet scalable model for API security.
What is Zero Trust in the Cybersecurity Executive Order
The president of the United States signed an Executive Order on improving the Nation’s Cybersecurity. It covers many things, one of which is zero trust architecture. What does this mean?
Web API Security: Rule-Based and Signature-Based Only Security Isn’t Good Enough
Attackers have learned to defeat traditional ‘moat around the castle’ perimeter defenses. Modern application security tools offer the answer: distributed tracing and AI that understands the app they protect.
The Prescription for Vulnerable Mobile Health Apps: Protect APIs
When a security expert tested several dozen mobile health applications, all had API vulnerabilities that could leak personal information. This should be a warning call.
The Consequences of Poor Authentication and Authorization Practices in APIs
Everything You Need to Know About Authentication and Authorization in Web APIs – Part 2
Top 5 Ways To Protect Against Data Exposure
Attackers are listening to your API chatter, finding vulnerabilities that reveal valuable (and personal) data. Here’s what developers should consider to protect against excessive data exposure.
Everything You Need to Know About Authentication and Authorization in Web APIs – Part 1
Part 1: Technologies used to create web applications have fundamentally changed. Authentication and authorization techniques must change with them.
Does Dynamic Application Security Testing (DAST) Deliver?
DAST tools provide pentesters with a hacker’s-eye-view of system vulnerabilities. What are the advantages and disadvantages of this important security tool?
SecOps: Go Beyond Application Security Testing With Runtime Protection
SecOps keeps production environments safe. Now, “shifting left” approaches are needed to secure production applications and APIs.
Protecting Against the Hidden Threats of New Technologies
New tech transform dev – but with risk
The Evolution to Cloud-Native Applications and APIs
Moving from local monoliths to cloud based microservices
Modern Application Security and Supply Chain Attacks – 3 challenges
API Security and the SolarWinds Breach: a wake up call
Security Observability: Why Tracing?
What if we could reduce the time to detect a cyber attack all the way down to zero?
5 Reasons Why App Sec and Eng Teams Must Work Together
The popularity of cloud-based computing has made API security the next big challenge…
Secure Kubernetes Architecture: 6 Factors Essential to Success
Six factors to get right when planning Kubernetes architecture.
Financial Services Risk Management: Why Application Security
Cybersecurity is a key part of enterprise risk management in financial services
Why Web App Firewalls Aren’t Protecting Your Cloud-Native Apps
How do you know your apps are protected?
3 Threat Vectors Addressed by Zero Trust App Sec
Common internal and external threats and the Zero Trust practices to address them.
Modern Application Security – Good and Bad News part 2
PartII: API Security in Modern Applications
What to Look for in an Enterprise Security Tool
A Practitioner’s View
Modern Application Security – Good and Bad News
Part I: What are Modern Applications