Every organisation is facing a multitude of security challenges. These range from getting the basics right, like ensuring the correct firewall is in place, to higher-level challenges, such as API security and data privacy.

 

One of the greatest challenges facing organisations today is taking a comprehensive approach to API security. With an expanding number of APIs in use, and added complexity arising from service-oriented architecture (SOA), the cloud, and containers/Kubernetes, enabling full life-cycle API security is an enormous challenge that is often made harder by false perceptions of security.

 

With the rapid growth of APIs in recent years, there has been a corresponding increase in hacking attempts and other malicious behaviour. Last year recorded a 321% increase in overall API traffic and a 681% increase in fraudulent traffic according to a recent study. These statistics show how vulnerable APIs can be – hence the need for comprehensive API security to protect these vital connectors.

 

To keep your APIs secure from hackers, it’s important to have a complete understanding of how they work and what you can do to protect them. There are many different types of APIs – RESTful APIs, SOAP APIs, GraphQL APIs – each with their own set of vulnerabilities that need to be accounted for when designing your API architecture. They also require runtime protection to defend against bad actors.

 

However, you have many options for increasing your API security. This article explores popular tools and resources to tackle this growing priority.

 

Tools required for API Security Testing

SoapUI

SoapUI is a free and popular functional testing tool for SOAP and REST APIs. It has a user-friendly graphical interface that is simple to navigate, and its enterprise-class functionality makes it simple to build and run automated functional, regression, and load tests. It offers multi-environment support, CI/CD pipeline integration, and a GUI test builder.

Salt Security

Salt provides security for the APIs at the heart of every modern application across their entire lifecycle. Using a cloud-scale big data engine powered by its AI and ML algorithms, the Salt platform automatically discovers APIs and the sensitive data they expose, identifies and blocks attackers, tests and scans APIs throughout the build phase, and feeds remediation insights learned at runtime back to development teams to help them improve their API security posture.

Acunetix

Acunetix is a web vulnerability scanner that can be used to find security issues in web applications and APIs. It can detect SQL injection vulnerabilities, cross-site scripting (XSS) vulnerabilities, insecure direct object references, as well as other common issues such as broken access control. One of the things that makes Acunetix stand out from other tools is its coverage of OWASP’s top 10 web application security risks.

OWASP ZAP

The Open Web Application Security Project (OWASP) maintains Zed Attack Proxy (ZAP), a free, open-source penetration testing tool. It is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. ZAP sits between the tester’s browser and the web application, intercepting and inspecting the requests and responses transmitted between the two, modifying their contents if necessary, and then forwarding them to their intended destination. It can run as a standalone application or as a background (daemon) process.

Postman

Postman is an API development and usage tool. Postman improves collaboration and simplifies each step of the API lifecycle to build better APIs faster.

 

Postman currently supports more than 20 million users and provides a comprehensive suite of tools for speeding up the API Lifecycle, from design to testing, documentation, mocking, and discovery.

 

Teams may organize, categorise, reuse, and share API requests and examples in Postman collections, allowing for collaboration, automated testing, and request chaining. Postman comes with a wealth of video lessons and comprehensive documentation. It also has a thriving community, with many users sharing APIs, collections, and workspaces to aid others in training and development.

JMeter by Apache

Apache JMeter™ is a free, open-source Java application created to test a wide range of applications, servers and protocols and to measure their performance.

 

Apache JMeter supports request chaining and can be used to test both static and dynamic resources, as well as dynamic web applications. It can simulate a heavy load on a server, a group of servers, a network or an object in order to test its resilience or examine overall performance under different load scenarios.

Karate

Karate is an open-source test-automation framework that combines automated API testing, performance testing, and mocking in one package. Although it is written in Java, it does not require advanced programming skills.

Karate also supports service virtualisation, which allows it to create mock servers that can stand in for web services in integration tests. Karate can run tests in parallel for better performance and speed, and generates HTML reports.

Swagger

Swagger, developed by SmartBear Software, is a set of API developer tools for teams and individuals that enables development across the whole API lifecycle, from design and documentation to testing and deployment.

Katalon Studio

Katalon Studio is a powerful and comprehensive API, web, desktop, and mobile testing automation solution.

Katalon Studio makes deployment simple by combining all frameworks, ALM connectors, and plugins into a single package. It stands out among the top API tools for its ability to combine UI and API/Web services for many systems.

What Practices Are Helpful to Test and Secure APIs?

As noted earlier, API security testing is very important. According to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2021, the global average cost of a data breach climbed by a concerning 10% in 2021, to $4.24 million, up from $3.86 million in 2020.

 

Organisations must adopt these practices to test and secure APIs:

 

  • API security testing should be done as soon as possible. By performing API security testing in the early stages of development, developers can quickly identify vulnerabilities and take corrective actions before going live with their applications.

 

  • API security testing should be done regularly. Regularly scan your APIs for vulnerabilities so that you can continuously monitor the health of your application and make sure it meets compliance standards.

 

  • API security testing should be done before release. It’s easier to find issues during development than after release because once an application goes live, there is too much at stake if any major vulnerabilities are discovered.

 

  • Remember that API security testing alone, however, will not fully protect your APIs. You also need to deploy runtime protection for your APIs, since even with full testing, no one can identify all vulnerabilities in APIs in pre-production.
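The practices above call for scanning APIs for vulnerabilities regularly and before release, which is easiest when the security checks are regression tests that run in CI. The following is an added example, not code from the article or from any of the tools it lists: a self-contained Python script that starts a tiny constructed demo API (bearer-token authentication plus per-record ownership checks, my own stand-in for a real service) and then runs four security checks against it over HTTP: missing token, invalid token, owner access, and an insecure direct object reference (IDOR) attempt by one user on another user's record. Everything here (the token names, the record data, the endpoint path) is constructed for the example.

```python
"""Added example: a minimal API security regression test with a built-in demo API.

The demo API and its data are constructed for this example; in practice the
same check functions would be pointed at a staging deployment of the real API.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed sample data (assumption: one bearer token per user, one record each).
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
RECORDS = {
    "1": {"owner": "alice", "account": "***-1234"},
    "2": {"owner": "bob", "account": "***-5678"},
}


class DemoApi(BaseHTTPRequestHandler):
    """Serves GET /records/<id>, enforcing authentication and ownership."""

    def log_message(self, *args):
        pass  # keep the example's output quiet

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        user = TOKENS.get(token)
        if user is None:
            return self._send(401, {"error": "unauthenticated"})
        parts = self.path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "records":
            return self._send(404, {"error": "not found"})
        rec = RECORDS.get(parts[1])
        # Return 404 for both "missing" and "not yours" so the response does
        # not reveal whether another user's record exists.
        if rec is None or rec["owner"] != user:
            return self._send(404, {"error": "not found"})
        return self._send(200, rec)

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server():
    """Start the demo API on a free loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), DemoApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def get_status(base, path, token=None):
    """Issue a GET and return the HTTP status code, including error statuses."""
    req = request.Request(base + path)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def run_security_checks(base):
    """Return a mapping of check name -> True if the API behaved securely."""
    return {
        "rejects_missing_token": get_status(base, "/records/1") == 401,
        "rejects_invalid_token": get_status(base, "/records/1", "token-mallory") == 401,
        "owner_can_read_own_record": get_status(base, "/records/1", "token-alice") == 200,
        # alice must not be able to read bob's record by guessing its id (IDOR)
        "blocks_idor": get_status(base, "/records/2", "token-alice") != 200,
    }


if __name__ == "__main__":
    server = start_server()
    base_url = f"http://127.0.0.1:{server.server_port}"
    try:
        for name, passed in run_security_checks(base_url).items():
            print(f"{'PASS' if passed else 'FAIL'}  {name}")
    finally:
        server.shutdown()
```

Each check is a boolean, so a CI job can fail the build when any of them is false; adding a new endpoint to the real API means adding the corresponding unauthenticated, wrong-user and owner checks here before it ships.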

 

About the Author:  John Iwuozor is a freelance tech writer with proven expertise in the tech niche. This includes Data Science, Artificial Intelligence, Machine Learning, Natural Language Processing (NLP), Computer Vision, Image Recognition, IoT, Programming Languages, SaaS, and Cybersecurity. He is also a regular writer at Bora.

The post API Security: Best Tools and Resources appeared first on IT Security Guru.

SafeBreach, the pioneer in breach and attack simulation (BAS), today announced the launch of their EMEA programme, which will aim to bring their dynamic continuous security validation platform to an EMEA audience. The SafeBreach platform enables security teams to assess the efficacy of their security ecosystem by safely executing attacks across the entire cyber kill chain to validate and optimise security controls, prioritise remediation efforts and mitigate critical gaps before a breach occurs. As a result, organisations gain visibility across siloed security solutions to reveal their actual risk and promote cross-functional mitigation efficiency.

According to Gartner, “when CISOs include BAS as a part of their regular security assessments, they can help their teams identify gaps in their security posture more effectively and prioritise security initiatives more efficiently.” With the dramatic growth of the threat landscape, severely understaffed security teams and the constant march of digital transformation, BAS provides the empirical tool security practitioners need to validate their controls and gain visibility into their performance to reduce risk in this unprecedented environment. However, BAS tools remain critically underused in the EMEA market, leaving many security teams playing catch-up. 

SafeBreach plans to change that with its expansion into EMEA, a move that will give organisations in the region access not only to the pioneering platform but also to the most robust partner ecosystem on the market. Organisations will be able to leverage the expertise of SafeBreach partners such as ServiceNow, Microsoft and IBM as they seek to shift their security strategy from defence to offence.

“We’re thrilled to expand our presence in the EMEA market and increase the availability of our widely used continuous security validation platform,” said Guy Bejerano, co-founder and CEO of SafeBreach. “Many organisations have responded to the current geopolitical landscape by buying more security products and hoping that will make them more secure. But hope is not a viable strategy. Right now, enterprises need stability and to ensure they can make the most with what they have. SafeBreach provides a holistic view of an organisation’s security posture, so they can take a data-driven approach to reduce risk using the security technologies they already have in place.”

To support its move into EMEA, SafeBreach has hired Manish Patel as VP of international sales. The appointment builds on SafeBreach’s recent Series D funding round, new senior-level hires and strong 2021 performance to further drive customer adoption internationally. Manish will oversee growth in both the EMEA and APAC regions. His responsibilities will include developing SafeBreach’s go-to-market efforts, expanding relationships with enterprise customers and working with a dynamic EMEA team, including Brooke Pietsch, Saul Williams, Robin Stehlik, Yafit Shaoul, Tomer Erez, Stewart Keith Steven and Robert Peter Neal. Manish brings more than 20 years of experience in building and growing businesses. Most recently, he served as sales director, EMEA for Dataminr. Prior to Dataminr, he held leadership positions at Juniper Networks.

“Until now, CISOs struggled to confidently answer how secure their organisations were against the ever-increasing number of cyber attacks and vulnerabilities,” said Patel. “SafeBreach solves that problem, giving enterprises greater visibility into how their security controls are performing against these new emerging threats.”

To learn more about SafeBreach’s EMEA launch and BAS platform, visit them at this year’s Infosecurity Europe (June 21st to 23rd) on stand Q25 or visit https://www.safebreach.com/

The post SafeBreach Expands Global Reach with Launch in EMEA appeared first on IT Security Guru.

By Dan Conrad, Security team lead at One Identity  

It is no secret that passwords are not a particularly secure method of protection. In a world where multifactor authentication is becoming the norm, talking about password hygiene may seem a little dated, but according to the Verizon 2021 Data Breach Investigations Report, credentials are still the route to data breaches in 61% of incidents.

 

In an ideal world, and increasingly in reality, any system or application that contains critical information, such as banking details, healthcare records, or corporate intellectual property, is protected with multifactor authentication. For those systems that are not, such as those of smaller non-critical businesses, or personal online accounts, good password hygiene is still very important.

 

A few years back, I received an opportunity to comment on an Instagram customer account breach where the attacker had gained access to some usernames and passwords. My first thought was… “This is pointless.” Why do we care if a portion of the Instagram population has their usernames and passwords compromised? What could possibly happen? Then it occurred to me that most people reuse passwords. So, the same username or email address may be tied to a personal banking account or even a corporate/work system with intellectual property, VPN access, or even an Active Directory credential.

 

Therefore, it’s important to remember these password basics to ensure your personal and corporate data is secured:

 

Tip #1: Never reuse passwords, or derivatives of the same password.

 

The concept of frequently changing passwords is fading. Many systems no longer require frequent changes, because passwords themselves are used less and less often. However, just because these systems have stopped mandating password changes does not mean that you have carte blanche when it comes to password use.

 

While cycling passwords, or using single-use passwords, is very valuable for highly privileged accounts, there is much less value in constantly cycling a standard user password if a complex password is chosen in the first place.

 

Tip #2: Use complex passwords with at least eight characters.

 

I personally use a password manager that will store and inject passwords. There are many good ones on the market, but be sure to protect this personal password vault with multifactor authentication. With this system, I can set it to create passwords of up to 99 characters. Remember that you may have to physically type one of these passwords at some point, so selecting 99 characters, which is highly secure against password crackers, may be terribly inconvenient. I’ve learned this from experience.

 

It’s important to strike the appropriate balance when it comes to passwords; they need to be secure but making them so secure that they render the account in question virtually inaccessible should not be the aim of any password manager.  

 

Tip #3: Given the option, use a strong password and multifactor authentication.

 

Multifactor authentication is a massively important tool for double-stamping the security of your passwords. However, it is not a silver bullet. Don’t expect multifactor to protect your account when you use “Password1” as your password. If the initial password is weak, this will simply encourage attackers: the account will be subjected to more attacks, because you have chosen to leave the first security door unlocked. The best advice I can give is to use an 8+ character password AND multifactor authentication.

 

From the perspective of protecting the corporate enterprise and its users through authentication, passwords and their proper selection and use are a key element. Users can think of their authentication credentials as the keys to the building. You wouldn’t share the key with anyone, and you should be very concerned about someone taking your keys, whether with malicious intent or not.

 

We all need to do better. Sadly, the days of reading your username and password over the phone are not quite behind us yet. Even sending them across supposedly encrypted services like WhatsApp isn’t advisable. These practices would undoubtedly be against corporate security policies, and if they are not, they should be.

 

In conclusion, if you want to make sure employees don’t do this sort of thing, use multifactor authentication for ALL of your user authentication needs.

The post One Identity Guest Blog – The password checklist appeared first on IT Security Guru.

One Identity, a leader in unified identity security, announced yesterday that its One Identity Partner Circle Program had achieved exceptional results during the recently ended fiscal year as evidenced by 80% of global company sales linked to the channel (fiscal year 2022 ended January 31). Other milestones include the addition of more than 600 new partners driven by the recent acquisition of OneLogin and the growth of new partner resources and training classes.

For many organizations, the ever-evolving cybersecurity threat landscape has changed priorities and the way they conduct business. Identity security has now become top-of-mind, with 95% of organizations stating that they have challenges managing identities. As business leaders search out ways to protect their assets and combat identity sprawl, One Identity is helping partners through improved training and partner assets.

“Enhanced relationships with our partnerships have yielded increased commitment and rapid channel growth,” said Andrew Clarke, Global Head of Channel and Alliances at One Identity. “Our goal with the program is to really understand our partners’ go-to-market strategy and what they need to increase self-sufficiency. By focusing on first-hand feedback from our partners, we’ve been able to offer new resources and training to increase our channel momentum and help our partners adopt the business development models they need to help customers secure the rapid proliferation of identities.”

The momentum and growth of One Identity’s Partner Circle Program comes on the heels of One Identity’s fifth consecutive year of being recognized with a 5-star rating in CRN’s Partner Program Guide, and Andrew Clarke’s recognition as a 2022 CRN Channel Chief. To learn more about the One Identity Partner Circle program, please visit: https://www.oneidentity.com/partners/.

Combating Identity Sprawl in the Channel  

One Identity also announced new program enhancements to further accelerate channel growth. The One Identity Partner Circle Program is a flexible, multi-tiered program that delivers tools and resources for system integrators, value-added resellers, global alliances and technology alliances, to sell and deploy One Identity’s Unified Identity Security Platform. With a focus on improved partner assets and the overall partner journey via partner business model development, the program has evolved to enable One Identity partners to embrace the wider One Identity portfolio. Program enhancements include:

  • Better orchestration of the partner journey: Based on advisory board feedback and partner survey results, One Identity has introduced new offerings to increase the effectiveness of resources and training based on how partners speak with customers. By leveraging new channels for partner communication – such as News on Demand or One Identity Partner PULSE – One Identity has given partners the relevant news, new product updates and learning opportunities to help them strengthen their pre- and post-sales capabilities.
  • Improved awareness of a cloud-adoption model: With customers’ increasing demand for cloud-based solutions, One Identity introduced new capabilities to align to the needs of service providers – especially the 255 new managed security service providers that joined the program. Through improved training and instruction to provide self-sufficiency on set-up and deployment, partners were able to widen their portfolio to meet customers’ new cloud needs.
  • Expanding Identity and Access Management (IAM) Offerings: The program broadened its IAM capabilities to help partners provide a unified approach to identity security. Following One Identity’s acquisition of OneLogin in October 2021, it offered new accreditations and technical training for OneLogin products, which attracted 155 partners looking to expand their IAM sales capabilities.
  • Recognition of Partner Success: One Identity acknowledged the top-performing partners through Partner of the Year awards including: Accenture/ Avanade (Partner and Service Provider of the Year), Microsoft (Strategic Alliance Partner of the Year), SHI (Solution Provider of the Year), and more.

Leveraging the Program to Grow Strategic Partnerships

The benefits of One Identity’s strengthened offerings can be seen through the expansion of strategic partnerships over the last year, such as the growth of its relationship with Avanade, the leading Microsoft solutions provider. Over the past 21 years, Avanade has had a strong relationship with Quest, One Identity’s parent company. Avanade recently agreed to a multi-year go-to-market agreement with One Identity given the synergies the two entities see among their customers.

“To Avanade, One Identity is more than a partner program; they’re a resource and friend that’s helped us develop a future-first identity management model to help secure our customers and their business,” said Brandon Nolan, Global Digital Identity Lead at Avanade.

 

“At Avanade, protecting the trust of every individual and organization through the power of people and Microsoft is at the heart of everything we do. To deliver on our commitment, it requires market-leading capabilities, deep industry expertise and an end-to-end approach to design and deliver robust security solutions. We look forward to our growing relationship with One Identity to create a secure digital environment for our clients globally,” said Rajiv Sagar, Avanade’s Global Cybersecurity Lead.

A Microsoft expert, Avanade leverages One Identity’s strength in Active Directory and Azure Active Directory-centric identity and digital security to help new and existing customers. The expanded partnership will provide joint engagement and mutual support of sales activities, product training for Avanade’s sales, pre-sales and technical teams and technical services to support its growth of new and existing clients.

 

The post One Identity Builds Upon Partner Program Growth with Focus on Partner Needs, Partner Business Model Development appeared first on IT Security Guru.