Isabelle Mauny
Isabelle is co-founder and field CTO of 42Crunch where she advises Global 2500 firms on their API security strategies.
42Crunch and Microsoft have partnered to provide continuous protection for APIs Recently 42Crunch and MIcrosoft announced a partnership to address the number one security issue challenging organizations today, namely the large and growing attack surface represented by APIs. Application security practitioners have come to realize that application security tooling like SAST/DAST and Web Application Firewalls […]
Isabelle Mauny from 42Crunch takes a high level look at the different problems facing APIs today and gives some recommendations in her article on APIscene.io The idea of this article is to serve as an introduction to API security. We’ll look from a high-level view at all the different problems that are stacking up around […]
Diseñando APIs seguras usando la plataforma 42Crunch con Postman
Join these experts as they discuss the benefits of an integrated, continuous, and proactive approach to API security that combines proactive application security measures with continuous activity monitoring, API-specific threat analysis, and runtime policy enforcement.
Join these experts as they discuss the benefits of an integrated, continuous, and proactive approach to API security that combines proactive application security measures with continuous activity monitoring, API-specific threat analysis, and runtime policy enforcement.
Our June 2021 update just went live, and I am here to tell you the details. Executive Dashboards The most noticeable change in the user interface is the new organization-level executive dashboard. It allows organization administrators to get a quick glance at the corporate use of 42Crunch API Security and the trends across Security Audit, […]
Kin Lane, chief Evangelist with Postman recently joined Isabelle Mauny, Field CTO at 42Crunch for a webinar to demonstrate how enterprises are automating the testing of API security for all their APIs.
Our May 2021 update just went live, and I am here to tell you the details. Updated CI/CD plugins and repository data in the platform 42Crunch provides off-the-shelf plugins for a variety of CI/CD pipelines. These can discover OpenAPI files in the repository, upload them to the 42Crunch platform, perform Security Audit, and succeed or […]
We have just updated our API Security platform, and I want to tell you all about it. 100+ New Security Audit Checks Security Audit checks related to authentication just had a major revamp. Now instead of generic articles on insecure authentication methods, we provide specific information for each case, including: API Key passed as a […]
LOSING MY RELIGION: Successful and unsuccessful approaches to API Security in a global enterprise – A take on Ford Motor Company’s approach to API security and the journey to enforce security compliance while ensuring productivity of thousands of developers managing thousands of APIs. The Cybersecurity Snowball Effect With development Communities and product teams, there are […]
Today we are happy to announce the global availability of the latest version of the 42Crunch API Security Platform. We have updated our community deployment used by thousands of API developers worldwide, our IDE plugins, online tools, and deployments used by our enterprise customers. Below is a summary of the biggest new features and improvements. […]
Join 42Crunch and special guest speaker Darren Shelcusky, Manager of Vehicle & Connectivity Cybersecurity at Ford Motor Company, as he takes us through their approach to API security and journey to enforce security compliance while ensuring productivity of their hundreds of developers managing thousands of APIs.
Spring Boot is a popular framework to build applications and APIs. Leveraging the Springfox project and code annotations, developers can generate OAS files with a high 42Crunch Security Audit score. What is the 42Crunch Security Audit? The 42Crunch Security Audit is one of 3 services from the 42Crunch API Security Platform: it consumes OpenAPI (Swagger) […]
Securing APIs deployed in Kubernetes implies securing the infrastructure, but also the APIs themselves. Having a perfectly setup cluster, with all possible protections in place, is only ONE aspect of the measures you need to take to prevent the vulnerabilities listed in the OWASP API Security Top 10. Other issues such as data leakage, mass assignment or broken authentication must be handled at the application level.
JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT standards are quite complex and it’s very easy to get the implementation wrong. As a result, data breaches and API vulnerabilities due to poor JWT implementation, token leakage, and lack of proper validation remain widespread.
By now, you should know that APIs are special and deserve their own OWASP Top 10 list, but do you know how these common attacks happen and why?
Why do we need different solutions for API Threat protection? APIs are becoming a hot target for hackers. Analysts and cyber security specialists agree that the privileged position of APIs as the open doors to the enterprise kingdom make them a favorite to breach. For the past 20 years, Web Application Firewalls (WAFs ) have […]
By now, you should know that APIs are special and deserve their own OWASP Top 10 list, but do you know how these common attacks happen and why?
To consider and apply API security effectively, we need to understand where we are and where we need to go. We need to know the tools we have available and who our allies are. Finally, we need a clear path and priorities on what we can accomplish and how. In this webinar, we’ll lay out a reference architecture to ensure we understand the scope, challenges, and approach to secure your APIs and organization as a whole.
According to the State of the APIs report released by Smartbear in 2019, 80% of developers use OpenAPI to describe their APIs (you may still call it Swagger, but you really should call it OpenAPI now!)
API security flaws are injected at many different levels of the API lifecycle: in requirements, development and deployment. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle.
When talking to prospects or presenting our solution at conferences, we inevitably get asked the same question: what’s the difference between your solution and a Web Application Firewall (WAF)? The core difference is that we know what we are protecting, WAFs don’t. WAFs were built to protect web applications and there is no standard way […]
WSO2 API Manager 3.1 brings a lot of interesting features including the ability to run 42Crunch’s audit tool directly from the API Publishing portal.
Over the past 6 months, we have discovered many similarities across APIs from companies from very different industries. “This is an eye opener” is the most recurring comment from our prospects. We thought it would be worth sharing our findings in this webinar.
Securing APIs implies securing the infrastructure but also the APIs themselves. Unfortunately, having all possible infrastructure protections in place is only one aspect of the recent OWASP Top10 for API Security. Other issues such as data leakage, mass assignment or broken authentication/authorization must be handled at the application level.
Security is an important topic in software development. Unfortunately, security is usually considered too late in software development, and especially in the API lifecycle. Waiting until software and APIs are in production before addressing security concerns can be a severe risk to your organization. Did you know that vulnerabilities found in production cost up to 30x time and money more to fix?
In loosely coupled architectures, we must put in place application level security, should it be for client traffic (North-South) or intra-microservices traffic (East-West).
Every day, new breaches show us that we still have a long way to go with API security. In order to protect APIs, enterprises need to take a holistic approach, which includes the following: Securing the infrastructure: OS configuration, network configuration as well as containers. Properly configuring application servers: enforce TLS 1.2/1.3, remove weak cipher […]
Many of the issues on the OWASP API Security Top 10 are triggered by the lack of input or output validation.
DevSecOps is a hot topic at the moment, and particularly relevant when dealing with API development. APIs are growing at an exponential rate: not only are they the backbone of any application, but microservices architecture imply exposing internal APIs for every microservice or group of microservices. The average number of APIs to protect within an […]
Hot from the press! There is a mass assignment vulnerability in the Harbor registry. Mass assignment is entry A6 on the OWASP API Security Top 10 list. A6 is described in the OWASP API Security Top 10 as: An API endpoint is vulnerable if it automatically converts client parameters into internal object properties without considering […]
When we started 42Crunch 3 years ago, we were convinced that a new market segment would emerge: API security. And the market is now catching up with our vision! This is exemplified by the recent release of the OWASP Top 10 for API Security threats document, which highlights threats that do not apply to traditional […]
A couple days ago, I gave an API security workshop to highlight the OWASP Top 10 issues for APIs and some of the mistakes we keep doing at development time and pay for at runtime. Many of the issues related to data, such as improper data filtering, mass assignment or excessive data exposure, could be […]
MUNICH, GERMANY. MAY 14, 2019 — Today at the European Identity & Cloud Conference (EIC) 2019, API security leader and creator of the industry’s first API Firewall – 42Crunch – announced the launch of its reseller and implementation partner program, as well as the first two commercial partnerships with Skalena (Brazil) and atSistemas (Spain). The […]
Where is the truth and what’s the fiction ? In this webinar Alexei Balaganski, Lead Analyst at Kuppinger Cole and myself contrasted our experience with customers and prospects and came up with a list of facts and fictions about API security. We both have seen a surge of interest in API security after a challenging […]
We recently participated to the DZone mobile apps development guide to highlights some of the key best practices when dealing with API keys and tokens. Below is an excerpt, the full article is available on DZone! Modern applications, both web-based and native, rely on APIs on the backend to access protected resources. To authorise access […]
The APIWorld conference came to end last week. This was the first public preview of our platform! We had a blast talking to many attendees and presenting at the event. This also gave us the opportunity to address a few common questions relative to API security and our product. 1. I have seen 3 vendors […]
APIs are the access doors to your enterprise assets and the backbone of pretty much any application that has been written in recent years. While most companies apply token-based access to APIs with OpenIDConnect and OAuth, there are still many aspects of security which are not properly covered for APIs such as common injection attacks, […]
Without any doubt, APIs have redefined the enterprise architecture landscape by becoming the building blocks of internal and external enterprise applications. APIs are now the entry point into most architectures, much like servlets and JSPs were in the application server era. APIs give access to a wide range of applications, systems, databases and now things with […]
Ready to Learn More?
Developer-first solution for delivering API security as code.