Can ChatGPT be used to attack your APIs? | API Security Newsletter
2022-12-10 03:38:0 Author: lab.wallarm.com(查看原文) 阅读量:42 收藏

The (winter) solstice is fast approaching, along with the end-of-year holidays – before we know it, it’ll be 2023 already! And with the fall behind us, our hive has been busy putting the finishing touches on many new and improved capabilities – such as weak JWT detection, API Abuse Prevention, API Risk Scoring, and full OWASP API Security Top-10 coverage. Read on for this month’s bit o’ honey.

I’ve been playing around with the new ChatGPT tool. It’s an interesting (and fun) capability – for instance, see this thread from the inestimable Brian Krebs, which demonstrates both the silly (e.g., the data breach notification) and the more scary (e.g., the watering hole attack).

There are obvious implications of AI for both attackers and defenders, and I predict we’ll be hearing a lot more about it even after the novelty wears off – new payload ideas, new & expanded fuzzing ideas, new approaches for known issues searches such as WAF bypasses, and much more.

Just look at how good it is in API security already:

As a pioneer in cyber AI, we know how hard it is to get results like that. If you are interested in our early AI research, take a look at my 2017 NeuralFuzz presentation on AI-fuzzing (PDF) and my 2019 BSidesSF presentation on WallNet, an AI-based false positive tuning approach. 

On a completely different note, just before Thanksgiving we decided to move the API Security Community from a group to a page format. This will allow users to share content while avoiding noisy marketing and sales folks group messages (shame on them!). From now on, all new posts about #apisecurity exploits and updates will be published on the API ThreatStats LinkedIn page. Join us!

Finally, I’ll close with our monthly poll. First, last month we asked about integrating API security into your SOC – it looks like a vast majority of you are doing so:

And we’d love to have you weigh in on the next LinkedIn poll we’re conducting: How mature is your DevSecOps process? Please let us know where you stand on this – connect with me or follow us at Wallarm to register your vote.

Thanks, and have a great December!

– Ivan, CEO & Co-Founder, Wallarm

PS – Congratulations to Wallarm advisor Frank Kim, who recently joined YL Ventures as their new full-time CISO-in-Residence!

Industry news
Notable vulnerabilities

Wallarm customers are protected from known attacks against these vulnerabilities. However, we recommend that you assess your portfolio for exposure to these vulnerabilities, apply updates where possible, and monitor for further incidents.

Wallarm news

Wallarm is excited to announce several additions to the executive leadership team to help guide our strategic growth in the API security market, which according to Forrester is a top-5 priority for 2023 cybersecurity investment.

  • Adi Lavi will lead the Wallarm partner and channel programs as VP of Channels.
  • Tim Ebbers will lead the Wallarm solution engineering team as Field CTO and VP of Solution Engineering.
  • Michael Inbar joins as Chief Financial Officer (CFO) to head up the company’s finance team.
Product News

Some of the new and improved features and capabilities coming in December:

  • Expanded API Discovery Dashboard – Increased visibility into your APIs, such as: have there been any changes in your API structure; how many endpoints do you have? what kind and how much sensitive data are being transferred in your applications? which are the most attacked or the most risky endpoints?
  • API Risk Scoring – Increased visibility into the risk posture of your APIs, based on factors such as vulnerabilities, sensitive data flows, potential for BOLA exploits, and more.
  • Automatic BOLA Protection – Out-of-the-box automated protection against one of the most popular API attack types: Broken Object Level Authorization (BOLA).
  • API Abuse Prevention – New, behavior-based ability to block bad actors from abusing your APIs, such as Account Takeover (ATO), Credential Stuffing, Fake Account Creation, Spamming, Scalping and Content Scraping.
  • Weak JWT Detection – Increased visibility of weak JSON Web Tokens (JWTs) which could allow attackers to gain access to user or even admin rights.

Talk with your customer support engineer or your account manager about enabling these capabilities in your instance.

Did You Know? You can subscribe to our update announcements to keep up-to-date with the latest product news.

Events

Upcoming:

Webinar [2023-Jan-05] — Wallarm Platform Democast: What’s New

Join us for a live, interactive product demo of Wallarm on January 5, where you can learn more about the key components of the platform and recent feature enhancements.

Past:

Webinar [on-demand] — Q3 API ThreatStats Report: DevOps Tools Under Attack

Listen to our discussion of the results of the Wallarm Research team’s extensive analysis of published API vulnerabilities and exploits for Q3-2022.

Webinar [on-demand] — Wallarm + Kong: Better Together 

Listen to this recorded webinar with Andrew Kew from Kong and Tim Ebbers from Wallarm, where they discuss a real-world customer deployment of the joint solution with Jiju Jacob, Director of Engineering at Revenera.


Wow! You read all the way to the bottom of this newsletter?!? Clearly we did something right, so please let us know what you liked (or didn’t) at [email protected]. If we did a really great job and you’re interested in learning more about API Security and Wallarm, we’d love to show you a demo of our platform, or you can trial it yourself.


Where APIs meet apis

And now for something completely different. Since the theme of The APIary newsletter is based on hardworking & industrious bees, we thought we’d share this bee-meme with you. This month’s image comes courtesy of DALL-E, using the prompt: an oil painting by Wassily Kandinsky of a bee in a santa hat. Enjoy!


文章来源: https://lab.wallarm.com/wallarm-api-security-monthly-newsletter-november-2022-something-like-that/
如有侵权请联系:admin#unsafe.sh