Resources
A full list of Blogs, Webinars, Press Releases, News ...

42Crunch becomes a member of OWASP to Advance API Security

November 14, 2022, San Francisco, CA - 42Crunch is pleased to announce our corporate membership of the Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization focused on improving the security of software. At 42Crunch we have always been inspired by OWASP’s role as an enabler of the global security professional community. Our membership allows us to support OWASP projects while also allowing us to help shape the...

42Crunch Now Available On Microsoft Azure Marketplace.

Developer-First API Security to Help Enterprises Achieve End-to-End Protection of their Digital Initiatives. 42Crunch is at API World in San Jose this week, the annual gathering of the API industry. I find it a wonderful event where end-users, vendors, consultants and analysts meet to explore and learn about the benefits gained from implementing an API-first approach to improve their businesses. APIs have been the bedrock of the digital transformation...

Defending APIs with Jim Manico – Episode 1

WEBINAR November 10, 2022 | 9am PST | 5pm BST Join Jim Manico, CEO of Manicode and Colin Domoney from 42Crunch, as they deliver a 2-part webinar series to help developers better defend APIs. Episode 1: Request Forgery on the Web - CSRF & SSRF In this first episode Jim and Colin will discuss request forgery and how to prevent it. This technical talk is intended for the software developer...

Hacking APIs for Fun & Profit

Webinar October 6, 2022 | 8am PST | 4pm BST To become an effective builder of secure APIs it is important to understand how your API is going to be attacked. By far the best way to learn more about the attack vectors, techniques, and skills is to listen to the real world stories from leading pen testers as they reveal their discovery and exploitation methods. Join Colin Domoney, Developer...

42Crunch Strengthens Shift-Left for API Security with API Scan from Inside IDE

500,000 API Developers secure APIs as they develop from inside their favorite IDEs 19 September, 2022 – San Francisco, API Specifications Conference (ASC) – 42Crunch, the Developer First API Security platform company, announced today at ASC the availability of the platform’s API Scan service inside the leading IDEs for developers. With over 500,000 developers already using 42Crunch, this latest addition to the platform means enterprises can further strengthen their shifting...

Review of the Major API Breaches from H1 2022 – Episode 2

Two-Part Webinar Series May 4th, 2022 | 8am PST | 4pm BST This is a two-part webinar series on the global API breaches from H1 2022 that made the news. The first session described the breaches at a high level (available on demand soon) and the second describes how to defend against them. Episode 2: How to defend against the API security breaches covered in Episode 1 The second part...

Benefits of a Positive Security Model for APIs

WEBINAR August 2, 2022 | 10:00 CDT | 16:00 BST Positive Security is a model that enables access to known trusted resources rather than trying to determine what activity or entities have hostile intent. Applying a positive security model when protecting your APIs can offer direct benefits such as reduction in false negatives, lower reliance on constantly adding characteristics of hostile traffic, and others. It also has indirect benefits for...

REST API Risk Audit – Online Demo

Two-Part Webinar Series May 4th, 2022 | 8am PST | 4pm BST In this session, 42Crunch technical expert, Andy Wright, walks through how to perform a Security Audit and a Conformance Scan of your API Contract. He immediately builds a security report and calculates an audit score for each API he analyzes based on the OpenAPI annotations in the API definition. This audit score reflects the risk associated with exposing...

Empathy for the API Developer

Colin Domoney from 42Crunch, in his recent article on DevOps.com, addresses the disconnect between development and security teams and explains the key challenges facing developers in creating secure API code. Better understanding of the challenges on both sides can help create greater empathy which in turn can help foster greater collaboration. “..Security teams have always been perceived as an impediment to delivery by software teams who feel that security imposes...

Review of the Major API Breaches from H1 2022 – Episode 1

Two-Part Webinar Series May 4th, 2022 | 8am PST | 4pm BST This is a two-part webinar series on the global API breaches from H1 2022 that made the news. The first session described the breaches at a high level (available on demand soon) and the second describes how to defend against them. Episode 1: High profile API security breaches and how the vulnerability occurred As APIs become the preferred...

42Crunch Reaches 450,000 Developers as Shift-Left & Shield-Right Approach For API Security Prevails

JUNE 7, 2022 – National Harbor, Maryland. Today at the Gartner Security & Risk Management Summit, 42Crunch, the Developer-First API Security Platform vendor, announced that it has over 450,000 developers now using its API Security tools. 42Crunch makes it easy for developers to use its OpenAPI security tools from directly inside the market leading Integrated Development Environments (IDE), Visual Studio, Intellij and Eclipse. This shift-left approach benefits enterprises by enabling developers...

An Introduction to API Security

Isabelle Mauny from 42Crunch takes a high level look at the different problems facing APIs today and gives some recommendations in her article on APIscene.io The idea of this article is to serve as an introduction to API security. We’ll look from a high-level view at all the different problems that are stacking up around APIs right now and give you some highlights of recommendations. It will be no surprise...

When Shift-Left is more than a marketing campaign

Earlier this month I had the chance to join my new colleagues from 42Crunch at our all-hands in Ireland and I couldn’t be more excited that there’s something special that we’re building here. Setting aside that Cork and Kinsale are some of the prettiest places I’ve ever visited, I was able to see how passionate the 42Crunch team is about an approach that’s new to me as someone who’s been...

Your company has no alternative: protecting APIs the right way becomes an obligation

The big scare. A friend told me about an interesting episode: someone phoned him claiming to be a level-eight channel of his bank, confirming details such as his address, his mother's and father's names, spouse, children etc., saying that there were suspicious transactions, that his account had been broken into and that he urgently needed to call the bank's call centre and follow the steps to change his password, and the person from...

Actively Monitor and Defend Your APIs with 42Crunch and the Azure Sentinel Platform

Webinar May 4th, 2022 | 8am PST | 4pm BST In this webinar 42Crunch and CyberProof demonstrate how to proactively integrate API access logs into the Microsoft Azure Sentinel platform and actively defend APIs with the 42Crunch API Micro-Firewall. APIs are increasingly the number one attack vector for adversaries due to their growing abundance and ease of attack via automated scripts and tools. Most public APIs are under constant attack...

API Security for Global Enterprises – Successful and unsuccessful approaches to API Security

Webinar May 4th, 2022 | 8am PST | 4pm BST Join 42Crunch and special guest speaker Darren Shelcusky, Manager of Vehicle & Connectivity Cybersecurity at Ford Motor Company, as he takes us through their approach to API security and journey to enforce security compliance while ensuring productivity of their hundreds of developers managing thousands of APIs. We're here to help you understand how to prevent an API dumpster fire! Empathize...

Lessons learned from the Spring4Shell vulnerability

Recently we published an article on the log4shell vulnerability targeting log4j, in which we explained how APIs can be protected against injection attacks with a positive security model, and how 42Crunch easily enables such a model. Now, it’s time for the Spring4Shell (CVE-2022-22965) vulnerability, targeting the Spring framework, commonly used to build APIs. What can we learn from this vulnerability? Diving into Spring4Shell The Spring team has published an article...

OWASP API Security TOP 10 Challenges – Episode 3

THREE-PART WEBINAR SERIES May 4th, 2022 | 8am PST | 4pm BST In this 3-part webinar series Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security and Colin Domoney of 42Crunch and APISecurity.io, take a deep dive into understanding and addressing the OWASP API Security Top 10 issues. Through detailed practical examples and use cases, they guide developers and security professionals through how to fix and secure their...

OWASP API Security Top 10: Understanding the threats targeting APIs

Webinar May 4th, 2022 | 8am PST | 4pm BST Webinar recording. This webinar, dedicated to API security, covers the threats listed in the OWASP API Security Top 10. You will see a detailed explanation of each threat, how it can be exploited, examples of successful attacks and how, using 42Crunch technology, it is possible to guard against them. In recent years, many companies such as Facebook, Google or...

How to Extend Protection of your Data from API to Mobile Application

Webinar May 4th, 2022 | 8am PST | 4pm BST This webinar presents the new integration of 42Crunch with comprehensive mobile app protection from Approov. A joint solution that delivers shift-left API protection as well as run-time shielding that extends all the way to your mobile apps and the environments they run in. APIs are a mobile app developers best friend as they help reduce development time and save costs,...

Why Developer-First API Security is Prevailing in Enterprise

Why Developer-First API Security is Prevailing in Enterprise. The DevSecOps movement has led to a distinct “shift-left” in the enterprise where tasks are moved earlier in the development cycle so that developers can directly address production concerns as the code is being written. Companies are realizing greater business benefits from this shift-left approach, with accelerated application delivery times and the dismantling of a siloed approach to the software development lifecycle...

OWASP API Security TOP 10 Challenges – Episode 2

THREE-PART WEBINAR SERIES May 4th, 2022 | 8am PST | 4pm BST In this first episode in the webinar series, Dr Philippe de Ryck and Colin Domoney discuss API security today and the challenges presented by the OWASP API security top 10. Questions from attendees were addressed throughout the webinar. Episode 2: Address the OWASP API Authentication and Authorization Challenges In this second episode in the webinar series, Dr Philippe...

How Developers Can Become API Security Champions

Question: Everyone is talking about DevSecOps, why are we not able to fix the security issues? Despite the obvious challenges, Colin believes that the industry has made progress as compared to ten years ago when very insecure code was prevalent. Today's code is definitely more secure and security is improving — thankfully most developers are at least now aware of what an SQL injection attack is.  Philippe also thinks things...

Why Do APIs Merit a Separate OWASP Top 10 Listing?

Throughout the 3 part webinar series "API Security Landscape Today and the OWASP API Security Top 10 Challenges" we will publish blog posts that highlight some of the main talking points addressed by the speakers.  In this post, Philippe and Colin explore the differences between APIs and web apps that necessitated the creation of a dedicated OWASP API Security Top 10 and how developers can play an active role alongside their...

Protecting your APIs against Log4Shell with 42Crunch

On December 9th, 2021, the log4shell vulnerability hit the news and it has since been every security team's worst nightmare: trivially exploitable, huge impact with RCE (Remote Code Execution), on a component widely used across traditional enterprise technological stacks, both in in-house and third-party software. All this combined explains its CVSS rating of 10 – the highest possible. It is probably one of the worst flaws I have witnessed in...

OWASP API Security TOP 10 Challenges – Episode 1

THREE-PART WEBINAR SERIES May 4th, 2022 | 8am PST | 4pm BST In this 3-part webinar series Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security and Colin Domoney of 42Crunch and APISecurity.io, take a deep dive into understanding and addressing the OWASP API Security Top 10 issues. Through detailed practical examples and use cases, they guide developers and security professionals through how to fix and secure their...

7 Ways to Avoid JWT Security Pitfalls

Dec 22nd 2021.  Author: Dr. Philippe de Ryck, Pragmatic Web Security, Like them or hate them, JSON Web Tokens (JWT) are everywhere. OAuth 2.0 and OpenID Connect rely heavily on JWTs. Many applications use JWTs to implement custom security mechanisms. And every language or framework offers plenty of support for JWTs. Unfortunately, JWTs also lie at the heart of numerous API security failures. Handling JWTs securely is often challenging and...

Automate your API security with Security as Code

Webinar Traditionally developers like to focus on the data and functionality of their APIs while the security team is concerned with the enforcement of API security controls and policies. This siloed approach has led to inefficiencies and bottlenecks in the DevSecOps cycle that are delaying the release of APIs and creating cost overruns. In this webinar we look at how organizations can overcome this challenge by adopting a "security...

Effective protection of your APIs and microservices

Webinar May 4th, 2022 | 8am PST | 4pm BST Your APIs are at risk, period! Many organizations have the epiphany that having traditional components such as a WAF and the traditional capabilities of API gateways is enough to keep them protected, but they are not. In this webinar we will present the 42Crunch platform, which can work alongside your existing tools in your DevSecOps pipeline. What for...

Designing secure APIs using the 42Crunch platform with Postman

Webinar May 4th, 2022 | 8am PST | 4pm BST Designing secure APIs using the 42Crunch platform with Postman. This on-demand webinar details how to combine the best of 42Crunch and Postman to: carry out API development, mocking and testing tasks; use the 42Crunch resources to run the security audit easily from the Postman UI; automate the 42Crunch tools in CI/CD in...

Why Continuous API Security is key to protecting your Digital Business

Webinar May 4th, 2022 | 8am PST | 4pm BST Join these experts as they discuss the benefits of an integrated, continuous, and proactive approach to API security that combines proactive application security measures with continuous activity monitoring, API-specific threat analysis, and runtime policy enforcement. Alexei Balaganski explains how the security and compliance risks that APIs are exposed to are shaping the future of API security solutions and provides an...

Why Continuous API Security is key to protecting your Digital Business – Show Webinar

Webinar May 4th, 2022 | 8am PST | 4pm BST Join these experts as they discuss the benefits of an integrated, continuous, and proactive approach to API security that combines proactive application security measures with continuous activity monitoring, API-specific threat analysis, and runtime policy enforcement. Alexei Balaganski explains how the security and compliance risks that APIs are exposed to are shaping the future of API security solutions and provides an...

42Crunch and Cisco Collaborate to Drive API Security Forward and to Increase Cloud Protection

October 11, San Francisco, CA – Today at KubeCon, 42Crunch, the Developer-First API security platform company, announced their collaboration with Cisco to provide the developer community with APIClarity, a new API discovery and security tool enabling enterprises to fortify their cloud protection. APIs are increasingly a favorite target for hackers seeking to compromise cloud environments with malware such as cryptojacking and ransomware. 42Crunch and Cisco are addressing these threats by...

42Crunch Accelerates API Security with Two Key Executive Appointments

42Crunch Accelerates API Security with Two Key Executive Appointments Industry Veterans Stephen Gomann and Hugh Carroll Tapped to Support API Leader’s Rapid Growth San Francisco, CA – October 5, 2021 – 42Crunch, the Developer-First API Security platform vendor, today announced two key senior additions to its growing global team. Stephen Gomann has been appointed as Chief Revenue Officer (CRO) to lead the company's sales organization, overseeing global sales and business...

Application Security Tools Are Not up to the Job of API Security

The last two decades have seen a proliferation of software (according to GitHub there has been a 35% increase in code repositories in 2020 alone) into every aspect of our lives in the form of web or mobile applications. Adversaries have increasingly attacked these applications, and defenders have adopted various testing tools and technologies to protect them. Today most enterprises have in place an Application Security (AppSec) program to manage...

42Crunch Named as a Leader in KuppingerCole Leadership Compass Report for API Management and Security Solutions

Ranked as a Leader in Overall Leadership, Product Leadership, and Innovation Leadership Categories. San Francisco, CA – August 31, 2021 – 42Crunch, the Developer-First API Security platform vendor, announced it has been named as a leader in KuppingerCole’s Leadership Compass report for API Management and Security including, overall leadership, product leadership and innovation leadership. The report also awarded 42Crunch’s solution “Strong Positive” and “Positive” ratings across the areas of...

42Crunch and Postman See Growth of Shift-Left Adoption for API Security by Enterprise

42Crunch poll reveals that a third of developers are now implementing security testing at the start of the API design lifecycle. 33% of developers implementing security after the coding stage. 34% of developers implement security either before or after production deployment. San Francisco, CA - June 24, 2021 - 42Crunch, the API Security platform vendor, has announced an integration of its API security services with Postman, the API collaboration platform...

How to test API security throughout the API lifecycle with Postman and 42Crunch

Postman, the API collaboration platform for developers, advocates an API-First approach for companies. Using 42Crunch, API developers and application security teams can now implement API security design and testing as part of their API-First approach in Postman. Kin Lane, chief Evangelist with Postman recently joined Isabelle Mauny, Field CTO at 42Crunch for a webinar to demonstrate how enterprises are automating the testing of API security for all their APIs. Watch...

42Crunch API Security Platform June 2021 Release

Our June 2021 update just went live, and I am here to tell you the details. Executive Dashboards The most noticeable change in the user interface is the new organization-level executive dashboard. It allows organization administrators to get a quick glance at the corporate use of 42Crunch API Security and the trends across Security Audit, Conformance Scan, and Protection: You may choose the time period for the trends and use...

Integrating 42Crunch API Contract Security Testing within Postman

Webinar May 4th, 2022 | 8am PST | 4pm BST Kin Lane, chief Evangelist with Postman recently joined Isabelle Mauny, Field CTO at 42Crunch for a webinar to demonstrate how enterprises are automating the testing of API security for all their APIs. 42Crunch complements Postman by providing additional capabilities to audit OpenAPI definitions, and discovering potential flaws in the security design of the APIs and data flows. Listen to this on-demand...

42Crunch raises $17m in Series A to solve global API security threat

London, UK – 42Crunch, the API security leader, today announces that it has secured $17 million in a Series A investment led by Energy Impact Partners, a leading global investment firm, joined by Adara Ventures. 42Crunch is the creator of the world’s first Application Programming Interface (API) micro-firewall and a pioneer in protecting APIs against attacks listed in the OWASP Top 10 for API Security. As stated in the Gartner...

42Crunch API Security Platform May 2021 Release

Our May 2021 update just went live, and I am here to tell you the details. Updated CI/CD plugins and repository data in the platform 42Crunch provides off-the-shelf plugins for a variety of CI/CD pipelines. These can discover OpenAPI files in the repository, upload them to the 42Crunch platform, perform Security Audit, and succeed or fail depending on the audit results. We have released new major versions of these plugins:...

Creating High Quality OAS Definitions with .Net Core

This document highlights how code annotations can be used to enhance the quality and the security posture for customers using .Net Core. 42Crunch security recommendations help enterprises discover and remediate vulnerabilities much more quickly (up to 25X more quickly) while saving 90% of manual costs (whether through internal efforts or external pen-testing). Using the Available Native Support from .Net In order to produce OAS files when developing with .NET core...

Creating High Quality OAS Definitions with Springfox – Part 2: Data Validation

In the first part of this blog, we had covered the security aspects of Spring Boot Microservices and how to inject them into your code level to generate higher quality OAS (Swagger) files. In this second part, we will cover aspects regarding attributes, operations, and data. Data Validation for Secure APIs You must be aware that according to the way you have declared the parameters, response headers, definitions, and schemas...

42Crunch API Security Platform April 2021 Release

We have just updated our API Security platform, and I want to tell you all about it. 100+ New Security Audit Checks Security Audit checks related to authentication just had a major revamp. Now instead of generic articles on insecure authentication methods, we provide specific information for each case, including: API Key passed as a query parameter API Key passed in a header API Key in a cookie Basic authentication...

Dissecting the Biggest API Breaches from Q1 2021

Webinar May 4th, 2022 | 8am PST | 4pm BST API Security can be hard and confusing, but learning from someone else's mistakes is the best way to learn! In this webinar, we will look at some of the prominent API vulnerabilities of the first 3 months of 2021: In this session we'll discuss: The story behind the attack or vulnerability Potential or actual business impact What went wrong OWASP...

Strengthening Your API Security Posture – Ford Motor Company

LOSING MY RELIGION: Successful and unsuccessful approaches to API Security in a global enterprise - A take on Ford Motor Company's approach to API security and the journey to enforce security compliance while ensuring productivity of thousands of developers managing thousands of APIs. The Cybersecurity Snowball Effect With development Communities and product teams, there are many things that have come together – everything from new developers, the introduction of open...

42Crunch API Security Platform March 2021 Release

Today we are happy to announce the global availability of the latest version of the 42Crunch API Security Platform. We have updated our community deployment used by thousands of API developers worldwide, our IDE plugins, online tools, and deployments used by our enterprise customers. Below is a summary of the biggest new features and improvements. Complex OpenAPI Security Audit 42Crunch Security Audit is the foundation of API security. It is...

Creating High Quality OAS Definitions with Springfox – Part 1: Security Definitions

Spring Boot is a popular framework to build applications and APIs. Leveraging the Springfox project and code annotations, developers can generate OAS files with a high 42Crunch Security Audit score. What is the 42Crunch Security Audit? The 42Crunch Security Audit is one of 3 services from the 42Crunch API Security Platform: it consumes OpenAPI (Swagger) files and analyzes them along two axes: security and data. At the security level, the...

API Security in a Kubernetes World

Webinar May 4th, 2022 | 8am PST | 4pm BST Securing APIs deployed in Kubernetes implies securing the infrastructure, but also the APIs themselves. Having a perfectly setup cluster, with all possible protections in place, is only ONE aspect of the measures you need to take to prevent the vulnerabilities listed in the OWASP API Security Top 10. Other issues such as data leakage, mass assignment or broken authentication must...

42Crunch Announces Record Growth and API Security Leadership in 2020

IRVINE, CA, FEBRUARY 10, 2021 — Today, API security leader and creator of the industry’s first API Firewall, 42Crunch, announced record 900% growth in 2020 led by key enterprise accounts, innovative product advancements, and the growing community of APIsecurity.io — the number one API security news source. Enterprise digitalization, as well as the transition to cloud-native architectures, microservices, and serverless functions, has led to the proliferation of APIs. Constantly changing and network-accessible, they...

42Crunch Publishes New OpenAPI Security Audit Plugins for Eclipse, IntelliJ, PyCharm

IRVINE, CA, DECEMBER 15, 2020 — Today, API security leader and creator of the industry’s first API Firewall, 42Crunch, announced the release of new IDE OpenAPI (Swagger) editing plugins for both Eclipse and JetBrains family of IDEs including IntelliJ and PyCharm. 42Crunch’s free OpenAPI security audit plugins simplify REST API development by delivering features such as OpenAPI navigation, code snippets, intellisense, and HTML preview. More importantly, the plugins help developers...

Questions Answered: How to Best Leverage JWTs for API Security

You had questions, and we've got answers! Thank you for all the questions submitted on our webinar: "How to Best Leverage JWTs for API Security" We were unable to get to your questions, so below are all the answers to the questions that were asked! If you'd like more information please feel free to contact us. On slide 26 is the HS256 or RSA key used by the attacker...

How to Best Leverage JWTs for API Security

Webinar May 4th, 2022 | 8am PST | 4pm BST JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT standards are quite complex and it's very easy to get the implementation wrong. As a result, data breaches and API vulnerabilities due to poor JWT implementation, token leakage, and lack of proper validation remain widespread. This webinar focuses on...

OWASP API Security Top 10 Webinar Series (Part 2)

Webinar May 4th, 2022 | 8am PST | 4pm BST By now, you should know that APIs are special and deserve their own OWASP Top 10 list, but do you know how these common attacks happen and why? In this practical webinar, we review the OWASP API Security Top 10 issues one-by-one and show you how to protect yourself from them across the entire API lifecycle. For each entry, we...

Why knowing is better than guessing for API Threat Protection

Why do we need different solutions for API Threat protection? APIs are becoming a hot target for hackers. Analysts and cyber security specialists agree that the privileged position of APIs as the open doors to the enterprise kingdom make them a favorite to breach. For the past 20 years, Web Application Firewalls (WAFs) have dominated the Application Security market. Such products became a must if you wanted to achieve...

OWASP API Security Top 10 Webinar Series (Part 1)

Webinar May 4th, 2022 | 8am PST | 4pm BST By now, you should know that APIs are special and deserve their own OWASP Top 10 list, but do you know how these common attacks happen and why? In this pragmatic webinar, we review the OWASP API Security Top 10 issues one-by-one and show you how to protect yourself from them across the entire API lifecycle. For each entry, we...

VS Code OpenAPI (Swagger) Editor Surpasses 100k Installs!

Our OpenAPI (Swagger) Editor for VS Code has reached over 100,000 installs! A year ago we released our VS Code OpenAPI (Swagger) Editor with the idea of making developers' lives EASIER when it came to editing security in their OpenAPI / Swagger files. This month we surpassed 100k installs and wanted to say THANK YOU!! How it works... Developers working on their APIs within 42Crunch’s...

42Crunch Releases OpenAPI Static Security Audit in GitHub Code Scanning

IRVINE, CA, OCTOBER 7, 2020 — Today, the API security leader and creator of the industry’s first API Firewall, 42Crunch, announced the availability of its REST API Static Security Testing with GitHub code scanning. By adding 42Crunch to code scanning, developers can include REST API OpenAPI / Swagger definitions within static security tests. Most of today’s applications are driven by APIs. The transition to cloud-native architectures, microservices, serverless, single-page, IoT,...

OAuth, OWASP, Gateways and Meshes – Oh my!

Webinar To consider and apply API security effectively, we need to understand where we are and where we need to go. We need to know the tools we have available and who our allies are. Finally, we need a clear path and priorities on what we can accomplish and how. In this webinar, we'll lay out a reference architecture to ensure we understand the scope, challenges, and approach to secure...

Questions Answered: OpenAPI for API Security

You had questions, and we've got answers! Thank you for all the questions submitted on our webinar: "OpenAPI for API Security - Why guess when you know?!" Below is the replay and all the answers to the questions that were asked. If you'd like more information please feel free to contact us. Webinar: OpenAPI for API Security: Why guess when you know?! Slide Deck: OpenAPI for API Security Slide Deck...

OpenAPI for API Security (Why Guess when you know?)

Webinar May 4th, 2022 | 8am PST | 4pm BST According to the State of the APIs report released by Smartbear in 2019, 80% of developers use OpenAPI to describe their APIs (you may still call it Swagger, but you really should call it OpenAPI now!) What if you could put this developer work to good use, leveraging it to protect your APIs from threats, and this as early as...

API Security Platform Overview

Tutorials Welcome to our tutorials on the 42Crunch Platform. Start with a quick overview of how to get started and the general dashboard layout. The subsequent tutorials go deeper into each and every function of the platform. Login and Dashboard To log into the platform, go to https://platform.42crunch.com/login A successful login takes you to your dashboard and the landing page of the platform. From here you can immediately start creating API...

Questions Answered: Let’s shift API security left – sure, but how?

You had questions, and we've got answers! Thank you for all the questions submitted on our webinar: "Let's shift API security left - sure, but how?" Below is the replay and all the answers to the questions that were asked. If you'd like more information please feel free to contact us. Don't the cloud service providers offer API discovery/inventory services? API Discovery is provided by several vendors,...

Let’s shift API Security Left! Sure, but how?

Two-Part Webinar Series May 4th, 2022 | 8am PST | 4pm BST API security flaws are injected at many different levels of the API lifecycle: in requirements, development and deployment. Detecting and fixing vulnerabilities in production or after release is commonly cited as being up to 30 times harder than doing so earlier in the API lifecycle. Shifting left promises to improve API security. But shifting left means security starts...

42Crunch approach vs. Traditional WAF approach: using positive security by default

When talking to prospects or presenting our solution at conferences, we inevitably get asked the same question: what's the difference between your solution and a Web Application Firewall (WAF)? The core difference is that we know what we are protecting, WAFs don't. WAFs were built to protect web applications and there is no standard way to describe what a web application does and how to interact with it (its "interface",...

42Crunch Launches New REST API Static Security Testing Extension for Bitbucket Pipelines

IRVINE, CA, JUNE 16, 2020 — Today, the API security leader and creator of the industry’s first API Firewall, 42Crunch, announced the launch of their new REST API Static Security Testing extension for Atlassian’s code collaboration and CI/CD solution, Bitbucket Pipelines. This extension enables companies to easily enforce secure API design right from their CI/CD pipeline — making it easier than ever to enable a DevSecOps process for API security....

OpenAPI (Swagger) specification Security Audit on the 42Crunch Platform

Tutorials Now that you have had an overview of the platform, let's get started by importing an API for security audit. Importing APIs To import an OpenAPI (formerly Swagger) definition, click Import API (1) to upload your JSON file. These files contain all the basic information and documentation on how your API functions. As mentioned in the platform overview tutorial, (2) APIs are grouped into collections. If you have not yet created a...

Bitbucket Pipelines API Security Audit Extension

Tutorials In this quick tutorial you'll learn how to add static security testing to your REST APIs in Bitbucket with the 42Crunch REST API Static Security Extension. Prerequisite: Make sure you have a 42Crunch API Security Platform account. You can register here: https://platform.42crunch.com/register Create API Token for the pipe You must add an API token that the pipe uses to authenticate to Security Audit. Log in to 42Crunch Platform, and...

OpenAPI (Swagger) specification Audit Report explained

Tutorials In our previous tutorial, we created an API collection, and imported and audited an OpenAPI (Swagger) definition file. Now we are going to drill into the report and walk you through how to get the most out of it. Viewing Checks API Contract Security Audit is a static analysis of your OpenAPI (Swagger) file against the OpenAPI Specification. We run 300+ checks on your API definition, and you can...

Questions Answered: 42Crunch Security Audit for WSO2 API Manager 3.1

You had questions, and we've got answers! Thank you for all the questions submitted on our "42Crunch Security Audit for WSO2 API Manager 3.1" webinar. Below is the replay and all the answers to the questions that were asked. If you'd like more information please feel free to contact us. Is this audit feature available with the community version of WSO2? Yes it is....

Fixing API Security Issues identified in the Audit Report

Tutorials In our previous tutorial, we took a look at the audit report from API Contract Security Audit. This one moves on to fixing the issues found in the audit and shows how we can iteratively work on our OpenAPI (Swagger) definition. Navigating Issues The best place to start is the high-priority issues; they are the fastest way to improve the audit score. For example, in the audit report,...

API Security Testing with API Scan

Tutorials Now that we have reviewed and locked down our contract, we are going to perform a conformance scan. Dynamic Testing API Contract Conformance Scan is a dynamic runtime analysis of your API to check that the behavior of the API conforms to the contract it advertises in its OpenAPI (formerly known as Swagger) definition. You can run a scan on an API you have imported to 42Crunch Platform and...

API Protect Micro API Firewall

Tutorials In previous tutorials, we have covered static analysis with the API security audit and dynamic testing with the conformance scan - now it's time to discuss protection. Protection Overview The Protection function is real-time protection of live APIs. You put our API firewall in the line of traffic. It's an extremely efficient piece of software that we ship as a Docker image. It's been written in C, is highly optimized, less...

API Protect Micro API Firewall Reports and Troubleshooting

Tutorials You've seen how 42Crunch can protect your APIs and microservices - now let's review reporting. Viewing Transaction Logs At any time, you can click on transaction logs to view all failed transactions found by the conformance scan and review the full list. Look up a Specific Error The first thing to show is how you can troubleshoot and see the specific transactions that get blocked....

42Crunch Security Audit for WSO2 API Manager 3.1

Webinar WSO2 API Manager 3.1 brings a lot of interesting features including the ability to run 42Crunch's audit tool directly from the API Publishing portal. In this webinar, we will: Explain the advantages of introducing security at design time Introduce the 42Crunch audit functionality Explain how 42Crunch and WSO2 API Manager can be used together for better API Security Demo the integration Special Guest Presenters: Sanjeewa Malalgoda, Associate Director -...

Questions Answered: Top API Security Issues Found During POCs

You had questions, and we've got answers! Thank you for all the questions submitted on our "Top API Security Issues Found During POCs" webinar. Below is the replay and all the answers to the questions that were asked. If you'd like more information please feel free to contact us. Is there a way to add specific rules to the allowlist? There are two things you...

Top API Security Issues Found During POCs

Webinar Over the past 6 months, we have discovered many similarities across APIs from companies from very different industries. "This is an eye opener" is the most recurring comment from our prospects. We thought it would be worth sharing our findings in this webinar. Through a mix of slides and demos, we will describe the top 5 issues our security audit reports, what they are and why they matter, including:...

Questions Answered: The Anatomy of Four API Breaches

You had questions, and we've got answers! Thank you for all the questions submitted on our "The Anatomy of Four API Breaches" webinar. Below is the replay and all the answers to the questions that were asked. If you'd like more information please feel free to contact us. Does the implementation of OAuth2 mitigate the risks you mentioned? OAuth2 is one of the tools you need...

OpenAPI Swagger Extension VS Code

Tutorials Our previous tutorial used the built-in Security Editor in 42Crunch Platform to fix audit issues in the OpenAPI (formerly Swagger) definition. In this one, we do the same thing but in Microsoft Visual Studio Code (VS Code) using the 42Crunch OpenAPI extension. Extension Overview Below is an example of the 42Crunch OpenAPI (Swagger) extension for VS Code. If you do not already have it, just go to Extensions and search for...

API Security Audit using OpenAPI Swagger Extension VS Code

Tutorials Our previous tutorial used the built-in Security Editor in 42Crunch Platform to fix audit issues in the OpenAPI (formerly Swagger) definition. In this one, we do the same thing but in Microsoft Visual Studio Code (VS Code) using the 42Crunch OpenAPI extension. Extension Overview Below is an example of the 42Crunch OpenAPI (Swagger) extension for VS Code. If you do not already have it, just go to Extensions and search for...

The Anatomy of API Breaches

Webinar Securing APIs implies securing the infrastructure but also the APIs themselves. Unfortunately, having all possible infrastructure protections in place addresses only one aspect of the recent OWASP Top 10 for API Security. Other issues such as data leakage, mass assignment or broken authentication/authorization must be handled at the application level. In the past year or so, more than 200 breaches have been published on apisecurity.io. Some very well-known names are...

Questions Answered: REST API Security by Design with Azure Pipelines

You had questions, and we've got answers! Thank you for all the questions submitted on our "REST API Security by Design with Azure Pipelines" webinar. Below are all the answers to the questions that were asked. If you'd like more information please feel free to contact us. I know this API Security Audit requires a...

REST API Security for Microsoft Azure Pipelines

Webinars Security is an important topic in software development. Unfortunately, security is usually considered too late in software development, and especially in the API lifecycle. Waiting until software and APIs are in production before addressing security concerns can be a severe risk to your organization. Did you know that vulnerabilities found in production cost up to 30x more time and money to fix? There is a solution: by engaging developers...

42Crunch Launches New REST API Static Security Testing Extension for Azure Pipelines 

Enables Azure DevOps customers to extend their DevSecOps practices to REST APIs IRVINE, CA, MARCH 18, 2020 — Today, the API security leader and creator of REST API DevSecOps tooling and the industry’s first API Firewall, 42Crunch, announced the launch of their new REST API Static Security Testing extension for Microsoft Azure Pipelines. This extension enables companies to easily enforce secure API design right from their CI/CD pipeline.   With REST...

42Crunch Adds Self Registration and Low-cost Tiers to API Security Platform

42Crunch Democratizes API Security by Adding Self Registration, Free and Low-Cost Tiers to Their Comprehensive API Security Platform   SAN FRANCISCO, FEBRUARY 25, 2020 — Today at the RSA Conference, API security leader and creator of the industry’s first API Firewall – 42Crunch – announced the launch of its new self-registration feature for their API Security Platform. Development, security and operations teams now have instant access to a comprehensive set...

Questions Answered: Protecting Microservices APIs with 42Crunch API Firewall

You had questions, and we've got answers! Thank you for all the questions submitted on our "Protecting Microservices APIs with 42Crunch API Firewall" webinar. Below are all the answers to the questions that were asked. If you'd like more information please feel free to contact us. Can the sidecar be tested somehow? Yes, the configuration is tested before it is made available to the API...

Questions Answered: Are you properly using JWTs?

You had questions, and we've got answers! Thank you for all the questions submitted on our "Are you properly using JWTs?" webinar. Below are all the answers to the questions that were asked. If you'd like more information please feel free to contact us. Is it considered safe if the JWT token is validated within ASP.NET Core itself with every request. Like when it's...

Protecting Microservices APIs with 42Crunch API Firewall

Webinar In loosely coupled architectures, we must put application-level security in place, whether for client traffic (north-south) or traffic between microservices (east-west). In this webinar, we show you how the 42Crunch API firewall can be used to put API threat protection in place automatically, as early as design time. We'll use a mix of slides and demos to present: The various elements of security to consider in order...

Are You Properly Using JWTs?

Webinar JSON Web Tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation. This session focuses on best practices and real-world examples of JWT usage, where we cover: Typical scenarios where using JWT is a...
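
The validation the blurb calls for, as an added example rather than code from the webinar or from 42Crunch. It uses only the Python standard library with HS256 and a shared secret so that it runs offline; the secret, issuer, audience, fixed clock value and claims are constructed for the illustration. With RS256 or ES256 only the signature step changes; the algorithm pinning and the claim checks stay the same.

```python
"""Strict JWT validation with the standard library only.

Added example (not 42Crunch's code): the checks that "proper validation" of a
JWT must include. HS256 with a shared secret keeps it offline and runnable; the
secret, issuer, audience, clock value and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Issues a signed token (the issuer side, here only to produce input)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none(claims: dict) -> str:
    """What an attacker sends to a verifier that honours the token's alg header."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str,
               now: Optional[float] = None) -> dict:
    """Returns the claims if every check passes; raises ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm on the verifier side. The token never gets to choose,
    # which closes alg=none and algorithm-confusion attacks in one check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing on the signature bytes.
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    # A valid signature proves who signed the token, not that this service
    # should accept it: check issuer, audience and the validity window too.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims


def token_accepted(token: str, secret: bytes, issuer: str, audience: str,
                   now: float) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(token, secret, issuer, audience, now)
        return True
    except ValueError:
        return False


# Constructed values for the illustration.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://auth.example.org"
AUDIENCE = "orders-api"
NOW = 1_700_000_000  # fixed clock so the outcome is reproducible
GOOD_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": NOW + 300}

if __name__ == "__main__":
    good = make_hs256_jwt(GOOD_CLAIMS, SECRET)
    print("genuine token   :", token_accepted(good, SECRET, ISSUER, AUDIENCE, NOW))
    print("alg=none forgery:", token_accepted(forge_alg_none(GOOD_CLAIMS), SECRET, ISSUER, AUDIENCE, NOW))
    print("after expiry    :", token_accepted(good, SECRET, ISSUER, AUDIENCE, NOW + 301))
```

The order matters: the algorithm is pinned before any cryptography runs, the signature is checked before the claims are parsed for decisions, and the claim checks run even when the signature is good, because a token legitimately issued for another audience is still the wrong token for this API.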

42Crunch API Firewall and API Management: why you need both!

Every day, new breaches show us that we still have a long way to go with API security. In order to protect APIs, enterprises need to take a holistic approach, which includes the following: Securing the infrastructure: OS configuration, network configuration as well as containers. Properly configuring application servers: enforce TLS 1.2/1.3, remove weak cipher suites, optionally enforce mutual TLS, use security headers, use secure cookies, use latest versions of...

42Crunch and Yenlo Announce Partnership

Amsterdam and Paris, December 18, 2019 – Global integration- and API management specialist Yenlo and specialist in API security 42Crunch, today announced a strategic partnership to secure and enforce API-policies as an added value service to Yenlo’s growing API business across the world. 42Crunch offers an enterprise-grade, full-fledged, end-to-end API security platform. Using the 42Crunch platform, enterprises have a unique set of integrated API security tools that allow discovery, remediation of OpenAPI vulnerabilities,...

Questions Answered: Positive Security for APIs Webinar

You had questions, and we've got answers! Thank you for all the questions submitted on the "Positive Security for APIs: What it is and why you need it!" webinar. We couldn't get to all of them so we wanted to follow up with a full list of all the Q&A - and the slide deck as well! How does the tool work, does it do a code scan across...

OWASP API Security Top 10 Cheat Sheet

Download our OWASP API Security Cheat Sheets to print out and hang on your wall! Visit the APIsecurity.io encyclopedia to learn more about the OWASP API Security Top 10. Videos for each are coming soon. A1: Broken Object Level Authorization, A2: Broken Authentication, A3: Excessive Data Exposure, A4: Lack of Resources &...

Positive API Security Model, and Why You Need It!

Webinar Many of the issues on the OWASP API Security Top 10 are triggered by the lack of input or output validation. To protect APIs from such issues, an API-native, positive security approach is required: we create an allowlist of the characteristics of allowed requests. These characteristics are used to validate input and output data for things like data type, minimum or maximum length, permitted characters, or valid value ranges....
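
What an allowlist of request characteristics looks like once it is enforced, as an added example that is not 42Crunch's own validation code. The schema fragment uses OpenAPI / JSON Schema keywords (type, minLength, maxLength, pattern, enum, minimum, maximum, additionalProperties) for a hypothetical create-user request body, and the two sample requests are constructed; a real deployment would take the schema from the API's OpenAPI definition rather than hard-coding it.

```python
"""Positive-security request validation driven by an OpenAPI-style schema.

Added example (not 42Crunch code). The schema and the two sample requests are
constructed for this illustration; in practice the schema comes from the API's
OpenAPI definition.
"""
import re

# Constructed schema fragment for a hypothetical "create user" request body,
# written with OpenAPI / JSON Schema keywords. Everything not listed here is
# rejected: that is the allowlist.
CREATE_USER_SCHEMA = {
    "type": "object",
    "required": ["username", "email", "age"],
    "additionalProperties": False,
    "properties": {
        "username": {"type": "string", "minLength": 3, "maxLength": 32,
                     "pattern": r"^[a-z0-9_]+$"},
        "email": {"type": "string", "maxLength": 254,
                  "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
        "age": {"type": "integer", "minimum": 13, "maximum": 120},
        "role": {"type": "string", "enum": ["reader", "editor"]},
    },
}

_PY_TYPES = {"string": str, "integer": int, "number": (int, float),
             "boolean": bool, "object": dict, "array": list}


def _type_matches(value, json_type):
    # bool is a subclass of int in Python; JSON Schema keeps them distinct.
    if json_type in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, _PY_TYPES[json_type])


def validate(value, schema, path="$"):
    """Return the list of violations; an empty list means the value is allowed."""
    errors = []
    json_type = schema.get("type")
    if json_type is not None and not _type_matches(value, json_type):
        # A type mismatch makes the remaining keyword checks meaningless.
        return [f"{path}: expected {json_type}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: not one of {schema['enum']}")
    if isinstance(value, str):
        if "minLength" in schema and len(value) < schema["minLength"]:
            errors.append(f"{path}: shorter than minLength {schema['minLength']}")
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than maxLength {schema['maxLength']}")
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern {schema['pattern']}")
    elif isinstance(value, (int, float)) and not isinstance(value, bool):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    elif isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, item in value.items():
            if name in props:
                errors.extend(validate(item, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: property not in the allowlist")
    elif isinstance(value, list) and "items" in schema:
        for index, item in enumerate(value):
            errors.extend(validate(item, schema["items"], f"{path}[{index}]"))
    return errors


# Constructed sample requests.
GOOD_REQUEST = {"username": "alice_01", "email": "alice@example.org", "age": 34}
BAD_REQUEST = {
    "username": "a' OR 1=1 --",   # characters outside the permitted set
    "email": "not-an-email",      # fails the pattern
    "age": 999,                   # outside the value range
    "role": "admin",              # not an allowed value
    "debug": True,                # property the contract never declared
}

if __name__ == "__main__":
    print("good:", validate(GOOD_REQUEST, CREATE_USER_SCHEMA))
    for problem in validate(BAD_REQUEST, CREATE_USER_SCHEMA):
        print("bad: ", problem)
```

Note that nothing here looks for attack signatures: the injection-style username is rejected simply because an apostrophe and spaces are not in the permitted character set, which is the point of describing what is allowed instead of guessing what is malicious.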

Questions Answered: OWASP API Security Top 10 Webinar

You had questions, and we've got answers! Thank you for all the questions submitted on the OWASP API Security Top 10 webinar on Nov 21. We couldn't get to all of them so we wanted to follow up with a full list of all the Q&A - and the slide deck as well! How do you find all the API endpoints in web applications? A few ways that...

OWASP API Security Top 10

Webinar November 21, 2019 In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches - APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns - now forcing us to rethink...

Deploying DevSecOps for APIs: a tale of shifting left…

DevSecOps is a hot topic at the moment, and particularly relevant when dealing with API development. APIs are growing at an exponential rate: not only are they the backbone of any application, but microservices architectures imply exposing internal APIs for every microservice or group of microservices. The average number of APIs to protect within an enterprise is nearing 500. In that context, how do we: Ensure consistency across all...

42Crunch Adds API Security Audit to its Visual Studio Code OpenAPI Extension

SAN JOSE, OCTOBER 9, 2019 — Today at API World, API security leader and creator of the industry’s first API Firewall, 42Crunch, announced the availability of REST API Security Audit functionality in its popular OpenAPI extension for Microsoft Visual Studio Code — making it easier than ever to enable a DevSecOps process for API security. Developers working on their APIs within 42Crunch’s VS Code extension simply have to click the...

Addressing Harbor Registry Vulnerability with 42Crunch

Hot off the press! There is a mass assignment vulnerability in the Harbor registry. Mass assignment is entry A6 on the OWASP API Security Top 10 list, which describes it as: An API endpoint is vulnerable if it automatically converts client parameters into internal object properties without considering the sensitivity and the exposure level of these properties. This could allow an attacker to...
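
The A6 pattern quoted above, shown as a vulnerable binder beside a hardened one. This is an added example constructed for the page, not code from Harbor or from 42Crunch: the User model, the is_admin property, the payloads and the per-endpoint allowlist are hypothetical.

```python
"""Mass assignment (OWASP API Security Top 10, A6): vulnerable vs hardened binding.

Added example, constructed for this page; not Harbor's code and not 42Crunch's.
The User model, the is_admin property, the payloads and the per-endpoint
allowlist are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str = ""
    email: str = ""
    # Server-controlled, sensitive property: must never be settable by a client.
    is_admin: bool = False


def bind_vulnerable(payload: dict) -> User:
    """Copies every client-supplied key onto the object without asking whether
    the property is sensitive or even meant to be exposed: the A6 anti-pattern."""
    user = User()
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# The allowlist for this endpoint: the only properties a client may set when
# registering. Anything else in the request is a contract violation.
WRITABLE_ON_REGISTER = frozenset({"username", "email"})


def bind_safe(payload: dict) -> User:
    """Binds allowlisted properties only and rejects the request otherwise."""
    unknown = set(payload) - WRITABLE_ON_REGISTER
    if unknown:
        # Reject rather than silently drop: a client sending is_admin is
        # probing, and that should surface in logs and metrics.
        raise ValueError(f"properties not allowed on this endpoint: {sorted(unknown)}")
    return User(**payload)


def safe_binding_rejects(payload: dict) -> bool:
    """True when the hardened binder refuses the payload."""
    try:
        bind_safe(payload)
    except ValueError:
        return True
    return False


# Constructed requests: a normal registration and one carrying an escalation.
NORMAL_PAYLOAD = {"username": "alice", "email": "alice@example.org"}
ATTACK_PAYLOAD = {"username": "mallory", "email": "mallory@example.org", "is_admin": True}

if __name__ == "__main__":
    print("vulnerable binder, is_admin =", bind_vulnerable(ATTACK_PAYLOAD).is_admin)
    print("safe binder, normal request =", bind_safe(NORMAL_PAYLOAD))
    print("safe binder rejects attack  =", safe_binding_rejects(ATTACK_PAYLOAD))
```

The allowlist is per endpoint on purpose: the set of properties a client may write at registration is not the same set an administrator may write on an update call, and a single global "safe fields" list tends to drift toward the union of both.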
