API Security Training

Defending APIs with Jim Manico – Episode 1

October 24, 2022

Episode 1: Request Forgery on the Web – CSRF & SSRF

November 10, 2022 | 9am PST | 5pm BST

Join Jim Manico, CEO of Manicode and Colin Domoney from 42Crunch, as they deliver a 2-part webinar series to help developers better defend APIs.

An Introduction to API Security

May 27, 2022

Isabelle Mauny from 42Crunch takes a high level look at the different problems facing APIs today and gives some recommendations in her article on APIscene.io The idea of this article is to serve as an introduction to API security. We’ll look from a high-level view at all the different problems that are stacking up around […]

Lessons learned from the Spring4Shell vulnerability

April 1, 2022

Recently we published an article on the log4shell vulnerability targeting log4j, in which we explained how APIs can be protected against injection attacks with a positive security model, and how 42Crunch easily enables such a model. Now, it’s time for the Spring4Shell (CVE-2022-22965) vulnerability, targeting the Spring framework, commonly used to build APIs. What can […]

How Developers Can Become API Security Champions

February 15, 2022

Question: Everyone is talking about DevSecOps, why are we not able to fix the security issues? Despite the obvious challenges, Colin believes that the industry has made progress as compared to ten years ago when very insecure code was prevalent. Today’s code is definitely more secure and security is improving — thankfully most developers are […]

Why Do APIs Merit a Separate OWASP Top 10 Listing?

February 8, 2022

Throughout the 3 part webinar series “API Security Landscape Today and the OWASP API Security Top 10 Challenges” we will publish blog posts that highlight some of the main talking points addressed by the speakers.  In this post, Philippe and Colin explore the differences between APIs and web apps that necessitated the creation of a […]

Protecting your APIs against Log4Shell with 42Crunch

January 26, 2022

On December 9th, 2021, the log4shell vulnerability hit the news and it has since been every security team’s worst nightmare: trivially exploitable, huge impact with RCE (Remote Code Execution), on a component widely used across traditional enterprise technological stacks, both in in-house and third-party software. All this combined explains its CVSS rating of 10 – […]

7 Ways to Avoid JWT Security Pitfalls

December 22, 2021

Dec 22nd 2021.  Author: Dr. Philippe de Ryck, Pragmatic Web Security, Like them or hate them, JSON Web Tokens (JWT) are everywhere. OAuth 2.0 and OpenID Connect rely heavily on JWTs. Many applications use JWTs to implement custom security mechanisms. And every language or framework offers plenty of support for JWTs. Unfortunately, JWTs also lie […]

Creating High Quality OAS Definitions with .Net Core

May 3, 2021

This document highlights how code annotations can be used to enhance the quality and the security posture for customers using .Net Core. 42Crunch security recommendations help enterprises discover and remediate vulnerabilities much more quickly (up to 25X more quickly) while saving 90% of manual costs (whether through internal efforts or external pen-testing). Using the Available […]

Creating High Quality OAS Definitions with Springfox – Part 2: Data Validation

April 26, 2021

In the first part of this blog, we had covered the security aspects of Spring Boot Microservices and how to inject them into your code level to generate higher quality OAS (Swagger) files. In this second part, we will cover aspects regarding attributes, operations, and data. Data Validation for Secure APIs You must be aware […]

Strengthening Your API Security Posture – Ford Motor Company

March 31, 2021

LOSING MY RELIGION: Successful and unsuccessful approaches to API Security in a global enterprise – A take on Ford Motor Company’s approach to API security and the journey to enforce security compliance while ensuring productivity of thousands of developers managing thousands of APIs. The Cybersecurity Snowball Effect With development Communities and product teams, there are […]

API Security for Global Enterprises – Successful and unsuccessful approaches to API Security

March 18, 2021

Join 42Crunch and special guest speaker Darren Shelcusky, Manager of Vehicle & Connectivity Cybersecurity at Ford Motor Company, as he takes us through their approach to API security and journey to enforce security compliance while ensuring productivity of their hundreds of developers managing thousands of APIs.

Creating High Quality OAS Definitions with Springfox – Part 1: Security Definitions

March 9, 2021

Spring Boot is a popular framework to build applications and APIs. Leveraging the Springfox project and code annotations, developers can generate OAS files with a high 42Crunch Security Audit score. What is the 42Crunch Security Audit? The 42Crunch Security Audit is one of 3 services from the 42Crunch API Security Platform: it consumes OpenAPI (Swagger) […]

API Security in a Kubernetes World

February 18, 2021

Securing APIs deployed in Kubernetes implies securing the infrastructure, but also the APIs themselves. Having a perfectly setup cluster, with all possible protections in place, is only ONE aspect of the measures you need to take to prevent the vulnerabilities listed in the OWASP API Security Top 10. Other issues such as data leakage, mass assignment or broken authentication must be handled at the application level.

Questions Answered: How to Best Leverage JWTs or API Security

December 11, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our webinar: “How to Best Leverage JWTs or API Security” We were unable to get to your questions, so below are all the answers to the questions that were asked! If you’d like more information please feel free to contact […]

How to Best Leverage JWTs for API Security

December 10, 2020

JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT standards are quite complex and it’s very easy to get the implementation wrong. As a result, data breaches and API vulnerabilities due to poor JWT implementation, token leakage, and lack of proper validation remain widespread.

Questions Answered: OpenAPI for API Security

July 23, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our webinar: “OpenAPI for API Security – Why guess when you know?!” Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us.   Webinar: OpenAPI for […]

API Security Platform Overview

June 30, 2020

Tutorials Welcome to our tutorials on 42Crunch Platform. Start with a quick overview of how to get started, and the general dashboard layout. The subsequent tutorials go deeper into each and every function of the platform. Login and Dashboard To log into the platform, go to https://platform.42crunch.com/login A successful login takes you to your dashboard […]

Questions Answered: Let’s shift API security left – sure, but how?

June 29, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our webinar: “Let’s shift API security left – sure, but how?” Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us.   [xyz-ihs snippet=”Webinar-Lets-Shift-API-Security-Left”]   Don’t […]

42Crunch approach vs. Traditional WAF approach: using positive security by default

June 20, 2020

When talking to prospects or presenting our solution at conferences, we inevitably get asked the same question: what’s the difference between your solution and a Web Application Firewall (WAF)? The core difference is that we know what we are protecting, WAFs don’t. WAFs were built to protect web applications and there is no standard way […]

OpenAPI (Swagger) specification Security Audit on the 42Crunch Platform

June 8, 2020

Tutorials Now that you have had an overview of the platform, let’s get started by importing an API for security audit. Importing APIs To import an OpenAPI (formerly Swagger) definition, click Import API (1) to upload your JSON file. These files contain all the basic information and documentation on how your API functions. As mentioned in the […]

BitBucket Pipelines API Security Audit Extension

June 8, 2020

Tutorials In this quick tutorial you’ll learn how to add static security testing to your REST APIs in Bitbucket with the 42Crunch REST API Static Security Extension. Prerequisite: Make sure you have a 42Crunch API Security Platform account. You can register here: https://platform.42crunch.com/register Create API Token for the pipe You must add an API token […]

OpenAPI (Swagger) specification Audit Report explained

June 7, 2020

Tutorials In our previous tutorial, we have created an API collection, and imported and audited an OpenAPI (Swagger) definition file. Now we are going to drill into the report and walk you through how to get the most out of it. Viewing Checks API Contract Security Audit is a static analysis of your OpenAPI (Swagger) […]

Questions Answered: 42Crunch Security Audit for WSO2 API Manager 3.1

June 1, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “42Crunch Security Audit for WSO2 API Manager 3.1” webinar. Below is the replay and all the answers to the questions that were asked. If you’d like more information please feel free to contact us.   [xyz-ihs snippet=”WSO2-Webinar”]     […]

Fixing API Security Issues identified in the Audit Report

May 31, 2020

Tutorials In our previous tutorial, we took a look at the audit report from API Contract Security Audit. This one proceeds onto fixing the issues found in the audit and see how we can iteratively work on our OpenAPI / Swagger definition. Navigating Issues The best place to start are the high priority issues, they […]

API Security Testing with API Scan

May 30, 2020

Tutorials We are going to show you how to perform a conformance scan on our platform. You can also perform an API Scan in VS code IDE  (platform registration is required). You can register for free.  API Scan is a dynamic runtime testing tool that simulates real traffic to your API to ensure conformance with […]

API Protect Micro API Firewall

May 29, 2020

Tutorials In previous tutorials, we have covered static analysis with the API security audit, dynamic testing with conformance scan – now it’s time to discuss protection. Protection Overview The Protection function is real-time protection of live APIs. You put our API firewall in the line of traffic. It’s an extremely efficient piece of software that […]

API Protect Micro API Firewall Reports and Troubleshooting

May 28, 2020

Tutorials You’ve seen how 42Crunch can protect your APIs and microservices – now let’s review reporting. Viewing Transaction Logs At any time, you can click on transaction logs to view all failed transactions found by the conformance scan and review the full list. Look up a Specific Error So one thing that I want to […]

OpenAPI Swagger Extension VS Code

May 1, 2020

Tutorials Our previous tutorial used the build-in Security Editor in 42Crunch Platform to fix audit issues in the OpenAPI (formerly Swagger) definition. In this one, we do the same thing but in Microsoft Visual Studio Code (VS Code) using the 42Crunch OpenAPI extension. Extension Overview Below is an example of the 42Crunch OpenAPI (Swagger) extension […]

API Security Audit using OpenAPI Swagger Extension VS Code

May 1, 2020

Tutorials Our previous tutorial used the build-in Security Editor in 42Crunch Platform to fix audit issues in the OpenAPI (formerly Swagger) definition. In this one, we do the same thing but in Microsoft Visual Studio Code (VS Code) using the 42Crunch OpenAPI extension. Extension Overview Below is an example of the 42Crunch OpenAPI (Swagger) extension […]

Questions Answered: REST API Security by Design with Azure Pipelines

March 26, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “REST API Security by Design with Azure Pipelines” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us. REST API Security for Microsoft Azure Pipelines. Watch Webinar REST […]

Questions Answered: Protecting Microservices APIs with 42Crunch API Firewall

February 24, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “Protecting Microservices APIs with 42Crunch API Firewall” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us.   [xyz-ihs snippet=”Protecting-microservices”]     Can the sidecar be […]

Questions Answered: Are you properly using JWTs?

February 3, 2020

You had questions, and we’ve got answers! Thank you for all the questions submitted on our “Are you properly using JWTs?” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us.   [xyz-ihs snippet=”Jwt-webinar”]     Is it considered safe if the […]

Are You Properly Using JWTs?

January 30, 2020

JSON Web tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWT are often mis-used and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper of validation.

Questions Answered: Positive Security for APIs Webinar

December 16, 2019

You had questions, and we’ve got answers! Thank you for all the questions submitted on the Positive Security for APIs: What it is and why you need it! We couldn’t get to all of them so we wanted to follow-up with a full list of all the Q&A – and the slide deck as well! [xyz-ihs […]

OWASP API Security Top 10 Cheat Sheet

December 16, 2019

Download our OWASP API Security Cheat Sheets to print out and hang on your wall! Download Cheat Sheet If you missed our latest presentation, check out the slides here:   Visit the APIsecurity.io encyclopedia to learn more about the OWASP API Security Top 10. Videos for each coming soon! A1 : Broken Object Level Authorization […]

Questions Answered: OWASP API Security Top 10 Webinar

November 22, 2019

You had questions, and we’ve got answers! Thank you for all the questions submitted on the OWASP API Security Top 10 webinar on Nov 21. We couldn’t get to all of them so we wanted to follow-up with a full list of all the Q&A – and the slide deck as well! [xyz-ihs snippet=”OWASP-webinar”]   […]

Deploying DevSecOps for APIs: a tale of shifting left…

October 29, 2019

DevSecOps is a hot topic at the moment, and particularly relevant when dealing with API development. APIs are growing at an exponential rate: not only  are they the backbone of any application, but microservices architecture imply exposing internal APIs for every microservice or group of microservices. The average number of APIs to protect within an […]

Addressing Harbor Registry Vulnerability with 42Crunch

September 24, 2019

Hot from the press! There is a mass assignment vulnerability in the Harbor registry. Mass assignment is entry A6 on the OWASP API Security Top 10 list. A6 is described in the OWASP API Security Top 10 as: An API endpoint is vulnerable if it automatically converts client parameters into internal object properties without considering […]

We Need the Controller Layer Back!

September 16, 2019

A couple days ago, I gave an API security workshop to highlight the OWASP Top 10 issues for APIs and some of the mistakes we keep doing at development time and pay for at runtime. Many of the issues related to data, such as improper data filtering, mass assignment or excessive data exposure, could be […]

Token Management Security Best Practices

November 19, 2018

We recently participated to the DZone mobile apps development guide to highlights some of the key best practices when dealing with API keys and tokens. Below is an excerpt, the full article is available on DZone! Modern applications, both  web-based and native, rely on APIs on the backend to access protected resources. To authorise access […]

API Security FAQ : the top 5 questions we answered at the APIWorld conference!

October 10, 2017

The APIWorld conference came to end last week. This was the first public preview of our platform! We had a blast talking to many attendees and presenting at the event. This also gave us the opportunity to address a few common questions relative to API security and our product. 1. I have seen 3 vendors […]

Start acting on API Security today!

July 25, 2017

APIs are the access doors to your enterprise assets and the backbone of pretty much any application that has been written in recent years. While most companies apply token-based access to APIs with OpenIDConnect and OAuth, there are still many aspects of security which are not properly covered for APIs such as common injection attacks, […]