API Security Training
Learn how to perform API Security testing in GitHub Actions using 42crunch API Audit & Scan testing tools.
Tutorial on how to run the 42Crunch API security Scan from the OpenAPI (Swagger) Editor extension in VS Code and how to navigate the results.
Technical talk from 42crunch and Manicode on request forgery (CSRF and SSRF) to help software developers build secure web applications and API’s.
Isabelle Mauny from 42Crunch takes a high level look at the different problems facing APIs today and gives some recommendations in her article on APIscene.io The idea of this article is to serve as an introduction to API security. We’ll look from a high-level view at all the different problems that are stacking up around […]
Recently we published an article on the log4shell vulnerability targeting log4j, in which we explained how APIs can be protected against injection attacks with a positive security model, and how 42Crunch easily enables such a model. Now, it’s time for the Spring4Shell (CVE-2022-22965) vulnerability, targeting the Spring framework, commonly used to build APIs. What can […]
Question: Everyone is talking about DevSecOps, why are we not able to fix the security issues? Despite the obvious challenges, Colin believes that the industry has made progress as compared to ten years ago when very insecure code was prevalent. Today’s code is definitely more secure and security is improving — thankfully most developers are […]
Throughout the 3 part webinar series “API Security Landscape Today and the OWASP API Security Top 10 Challenges” we will publish blog posts that highlight some of the main talking points addressed by the speakers. In this post, Philippe and Colin explore the differences between APIs and web apps that necessitated the creation of a […]
On December 9th, 2021, the log4shell vulnerability hit the news and it has since been every security team’s worst nightmare: trivially exploitable, huge impact with RCE (Remote Code Execution), on a component widely used across traditional enterprise technological stacks, both in in-house and third-party software. All this combined explains its CVSS rating of 10 – […]
Dec 22nd 2021. Author: Dr. Philippe de Ryck, Pragmatic Web Security, Like them or hate them, JSON Web Tokens (JWT) are everywhere. OAuth 2.0 and OpenID Connect rely heavily on JWTs. Many applications use JWTs to implement custom security mechanisms. And every language or framework offers plenty of support for JWTs. Unfortunately, JWTs also lie […]
This document highlights how code annotations can be used to enhance the quality and the security posture for customers using .Net Core. 42Crunch security recommendations help enterprises discover and remediate vulnerabilities much more quickly (up to 25X more quickly) while saving 90% of manual costs (whether through internal efforts or external pen-testing). Using the Available […]
In the first part of this blog, we had covered the security aspects of Spring Boot Microservices and how to inject them into your code level to generate higher quality OAS (Swagger) files. In this second part, we will cover aspects regarding attributes, operations, and data. Data Validation for Secure APIs You must be aware […]
LOSING MY RELIGION: Successful and unsuccessful approaches to API Security in a global enterprise – A take on Ford Motor Company’s approach to API security and the journey to enforce security compliance while ensuring productivity of thousands of developers managing thousands of APIs. The Cybersecurity Snowball Effect With development Communities and product teams, there are […]
Join 42Crunch and special guest speaker Darren Shelcusky, Manager of Vehicle & Connectivity Cybersecurity at Ford Motor Company, as he takes us through their approach to API security and journey to enforce security compliance while ensuring productivity of their hundreds of developers managing thousands of APIs.
Spring Boot is a popular framework to build applications and APIs. Leveraging the Springfox project and code annotations, developers can generate OAS files with a high 42Crunch Security Audit score. What is the 42Crunch Security Audit? The 42Crunch Security Audit is one of 3 services from the 42Crunch API Security Platform: it consumes OpenAPI (Swagger) […]
Securing APIs deployed in Kubernetes implies securing the infrastructure, but also the APIs themselves. Having a perfectly setup cluster, with all possible protections in place, is only ONE aspect of the measures you need to take to prevent the vulnerabilities listed in the OWASP API Security Top 10. Other issues such as data leakage, mass assignment or broken authentication must be handled at the application level.
You had questions, and we’ve got answers! Thank you for all the questions submitted on our webinar: “How to Best Leverage JWTs or API Security” We were unable to get to your questions, so below are all the answers to the questions that were asked! If you’d like more information please feel free to contact […]
JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT standards are quite complex and it’s very easy to get the implementation wrong. As a result, data breaches and API vulnerabilities due to poor JWT implementation, token leakage, and lack of proper validation remain widespread.
You had questions, and we’ve got answers! Thank you for all the questions submitted on our webinar: “OpenAPI for API Security – Why guess when you know?!” Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us. Webinar: OpenAPI for […]
Overview of the 42Crunch API Security platform showing the dashboard, main API Security features, basic navigation and API collections.
You had questions, and we’ve got answers! Thank you for all the questions submitted on our webinar: “Let’s shift API security left – sure, but how?” Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us. [xyz-ihs snippet=”Webinar-Lets-Shift-API-Security-Left”] Don’t […]
When talking to prospects or presenting our solution at conferences, we inevitably get asked the same question: what’s the difference between your solution and a Web Application Firewall (WAF)? The core difference is that we know what we are protecting, WAFs don’t. WAFs were built to protect web applications and there is no standard way […]
Shows how to import the OpenAPI (Swagger) definition file, run the security audit and view the security report.
Learn how to add API security Audit extension in the BitBucket Pipelines CI/CD and run the API Audit.
Explains the Security Audit Report including the Audit Score, how to navigate the report, the use of filters and how to get remediation advice on each security issue.
You had questions, and we’ve got answers! Thank you for all the questions submitted on our “42Crunch Security Audit for WSO2 API Manager 3.1” webinar. Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us. [xyz-ihs snippet=”WSO2-Webinar”] […]
This tutorial illustrates how to fix issues found in the API security audit and shows you how to iteratively update your OpenAPI definition.
An overview of API Scan, how to generate the security report that detects security misconfigurations between your API and the API definition
An overview of API protect – a Micro-Firewall that provides runtime API security protection and policy enforcement and how to set it up.
Learn how to read the API Protect reports, view transaction logs, lookup details on specific errors, enable non blocking mode and use the security dashboard.
In this tutorial we show you how to create a new OpenAPI file in Microsoft Visual Studio Code (VS Code) using the 42Crunch OpenAPI Editor and go through some of the useful features in the editor.
Tutorial on how to run the 42Crunch API security audit from the OpenAPI (Swagger) Editor extension in VS Code and how to navigate the report.
You had questions, and we’ve got answers! Thank you for all the questions submitted on our “REST API Security by Design with Azure Pipelines” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us. REST API Security for Microsoft Azure Pipelines. Watch Webinar REST […]
You had questions, and we’ve got answers! Thank you for all the questions submitted on our “Protecting Microservices APIs with 42Crunch API Firewall” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us. [xyz-ihs snippet=”Protecting-microservices”] Can the sidecar be […]
You had questions, and we’ve got answers! Thank you for all the questions submitted on our “Are you properly using JWTs?” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us. [xyz-ihs snippet=”Jwt-webinar”] Is it considered safe if the […]
JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT are often mis-used and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper of validation.
You had questions, and we’ve got answers! Thank you for all the questions submitted on the Positive Security for APIs: What it is and why you need it! We couldn’t get to all of them so we wanted to follow-up with a full list of all the Q&A – and the slide deck as well! [xyz-ihs […]
Download our OWASP API Security Cheat Sheets to print out and hang on your wall! Download Cheat Sheet If you missed our latest presentation, check out the slides here: Learn more about the OWASP API Security Top 10. Try our security audit for free. If you want to see the whole platform in action, […]
You had questions, and we’ve got answers! Thank you for all the questions submitted on the OWASP API Security Top 10 webinar on Nov 2019. We couldn’t get to all of them so we wanted to follow-up with a full list of all the Q&A – and the slide deck as well! How do you […]
DevSecOps is a hot topic at the moment, and particularly relevant when dealing with API development. APIs are growing at an exponential rate: not only are they the backbone of any application, but microservices architecture imply exposing internal APIs for every microservice or group of microservices. The average number of APIs to protect within an […]
Hot from the press! There is a mass assignment vulnerability in the Harbor registry. Mass assignment is entry A6 on the OWASP API Security Top 10 list. A6 is described in the OWASP API Security Top 10 as: An API endpoint is vulnerable if it automatically converts client parameters into internal object properties without considering […]
A couple days ago, I gave an API security workshop to highlight the OWASP Top 10 issues for APIs and some of the mistakes we keep doing at development time and pay for at runtime. Many of the issues related to data, such as improper data filtering, mass assignment or excessive data exposure, could be […]
We recently participated to the DZone mobile apps development guide to highlights some of the key best practices when dealing with API keys and tokens. Below is an excerpt, the full article is available on DZone! Modern applications, both web-based and native, rely on APIs on the backend to access protected resources. To authorise access […]
The APIWorld conference came to end last week. This was the first public preview of our platform! We had a blast talking to many attendees and presenting at the event. This also gave us the opportunity to address a few common questions relative to API security and our product. 1. I have seen 3 vendors […]
APIs are the access doors to your enterprise assets and the backbone of pretty much any application that has been written in recent years. While most companies apply token-based access to APIs with OpenIDConnect and OAuth, there are still many aspects of security which are not properly covered for APIs such as common injection attacks, […]