The Imperative of API Security in Today’s Business Landscape

Table of Contents

  1. The Security Challenges of an Expanding API Ecosystem
  2. The Vulnerability of APIs
  3. The Attractiveness of APIs to Cybercriminals
  4. Limited Visibility and Rising API Attacks
  5. Recent Attacks Focus on APIs
  6. Inadequacy of Traditional Security Approaches
  7. The Current State of API Security
  8. The Way Forward: Building a Robust API Security Strategy
  9. Conclusion

In the dynamic world of digital transformation, APIs (Application Programming Interfaces) have evolved from technical tools into strategic assets essential for businesses to scale and thrive. Recent research reveals a staggering 97% of enterprise leaders recognize the criticality of successful API strategies in driving organizational growth and revenue. This shift has led to an exponential increase in API utilization, with businesses relying on hundreds, often thousands, of APIs to bolster their products, provide technology solutions, and leverage diverse data sources.

The Security Challenges of an Expanding API Ecosystem

The rapid proliferation of APIs, however, has brought significant risks. In 2021, Gartner’s forecast that APIs would become a primary target for cyber attacks proved accurate, as evidenced by the surge in notable breaches. The explosion in API usage has consequently unleashed a myriad of cybersecurity challenges.

The Vulnerability of APIs

APIs have inherent complexities that make them challenging to safeguard. The API ecosystem’s rapid evolution outpaces the advancement of traditional network and application security tools. Many APIs are developed on novel platforms and architectures, often spanning multiple cloud environments, rendering standard security measures like web application firewalls and API gateways insufficient on their own.

The Attractiveness of APIs to Cybercriminals

Cybercriminals are drawn to APIs due to the relatively weaker security measures compared to more traditional, secure architectures. APIs, being integral to many businesses, are lucrative targets for attacks that can lead to substantial financial and reputational damage, especially if they involve sensitive data.

Limited Visibility and Rising API Attacks

A crucial issue for businesses is the limited visibility into their API inventory. This obscurity can result in unmanaged, “invisible” APIs within a company’s digital ecosystem, complicating efforts to fully understand the attack surface and protect sensitive data. Reflecting these vulnerabilities, Salt Security reported a staggering 400% increase in API attacks in the months leading up to December 2022.

Recent Attacks Focus on APIs

There have been several notable API attacks recently. A few examples include:

  • T-Mobile Data Breach – September 2023: T-Mobile, a major US mobile carrier, experienced a significant data breach due to security lapses. This breach involved two separate incidents and highlighted the vulnerability of telecom API infrastructures.
  • Reddit (BlackCat Ransomware) – February 2023: The ALPHV ransomware group, also known as BlackCat, claimed responsibility for a cyberattack on Reddit. The attack, initiated through a successful phishing campaign, resulted in the theft of 80GB of data, including internal documents, source code, and employee and advertiser information.
  • API Vulnerabilities Exposing Records: According to a report by API security company FireTail, more than half a billion records have been exposed via vulnerable APIs in 2023. This underscores the increasing risk associated with API breaches.

Inadequacy of Traditional Security Approaches

Authenticating users is no longer a sufficient security measure for APIs. Data shows that 78% of attacks were conducted by seemingly legitimate users who bypassed authentication controls. Salt Security’s report found that 94% of respondents encountered issues with their production APIs, including vulnerabilities and authentication problems.

The Current State of API Security

Despite growing awareness, API security often isn’t a top priority. Security teams face challenges like outdated or zombie APIs, documentation gaps, data exfiltration, and account takeovers. Most API security strategies are in their infancy, with a mere 12% of organizations adopting advanced security measures. Alarmingly, 30% have no API security strategy, even while running APIs in production.

The Way Forward: Building a Robust API Security Strategy

To safeguard their operations effectively, businesses must develop an all-encompassing API security strategy. This comprehensive approach is vital for mitigating the evolving risks associated with the expanding use of APIs in today’s digital landscape. The key components of a thorough API security strategy include: 

Comprehensive Documentation

Maintaining comprehensive and up-to-date documentation is foundational to a secure API strategy. This involves documenting not only the technical aspects of APIs but also their functionalities, data flows, and potential security considerations. 

API Inventory Visibility

Gaining full visibility into the entirety of the API landscape is crucial. This involves creating and maintaining an exhaustive inventory of all APIs in use across the organization. A comprehensive API inventory enables businesses to assess the scope of their API usage, identify potential vulnerabilities, and implement targeted security measures based on a clear understanding of their digital ecosystem. 

Secure API Design and Development Practices

Emphasizing security from the inception of API development is fundamental. Secure API design and development practices involve integrating security considerations into the development lifecycle. This includes adhering to secure coding practices, conducting threat modeling exercises, and ensuring that developers are well-versed in API best practices.

Security Testing for Business Logic Vulnerabilities

Traditional security checks may not be sufficient to uncover all potential vulnerabilities in APIs. Testing business logic vulnerabilities involves assessing how the API functions in real-world scenarios, identifying potential misuse, and evaluating the security of the underlying business logic. 

Continuous Monitoring and Logging

Implementing persistent monitoring for APIs in production is vital for detecting and responding to security incidents in real time. Continuous monitoring involves actively observing API activities, logging relevant events, and employing automated tools to analyze patterns and anomalies. 
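The following is an added example, not code from the original post or from Bright, of the kind of automated pattern analysis this section describes: it runs over API gateway access logs and raises two alerts that matter for APIs in particular. The first is an authenticated client walking through many distinct object IDs in a short window (the "seemingly legitimate user" case mentioned earlier in this post), the second is a client whose requests are mostly being rejected. The log format, the client identifiers, the thresholds and the sample lines are all constructed for the example; a real deployment would read the gateway's own log format and tune the thresholds to its traffic.

```python
"""Pattern and anomaly detection over API access logs (added illustration).

Constructed log format, one request per line:
    <ISO timestamp> <client id> "<METHOD> <path>" <status>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+)" (\d{3})$')
# Object-reference pattern: the numeric ID at the end of a /users/<id> path.
OBJECT_ID_RE = re.compile(r"/users/(\d+)$")

# Constructed sample log: key-A enumerates user IDs, key-B is normal,
# key-C is mostly rejected with 403.
SAMPLE_LOG = [
    '2024-01-01T10:00:00 key-A "GET /api/users/101" 200',
    '2024-01-01T10:00:01 key-A "GET /api/users/102" 200',
    '2024-01-01T10:00:02 key-A "GET /api/users/103" 200',
    '2024-01-01T10:00:03 key-A "GET /api/users/104" 200',
    '2024-01-01T10:00:04 key-A "GET /api/users/105" 200',
    '2024-01-01T10:00:00 key-B "GET /api/users/7" 200',
    '2024-01-01T10:00:30 key-B "POST /api/orders" 201',
    '2024-01-01T10:01:00 key-B "GET /api/users/7" 200',
    '2024-01-01T10:00:00 key-C "GET /api/users/9" 403',
    '2024-01-01T10:00:10 key-C "GET /api/orders/55" 403',
    '2024-01-01T10:00:20 key-C "GET /api/users/9" 200',
    '2024-01-01T10:00:40 key-C "DELETE /api/orders/55" 403',
]


def parse_line(line):
    """Return (timestamp, client, method, path, status) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, client, method, path, status = m.groups()
    return datetime.fromisoformat(ts), client, method, path, int(status)


def detect_enumeration(events, window, threshold):
    """Return the number of distinct object IDs the first time a client touches
    at least `threshold` of them inside a sliding `window`, else None."""
    recent = deque()  # (timestamp, object id), oldest first
    for ts, _client, _method, path, _status in events:
        m = OBJECT_ID_RE.search(path)
        if not m:
            continue
        recent.append((ts, m.group(1)))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {oid for _, oid in recent}
        if len(distinct) >= threshold:
            return len(distinct)
    return None


def analyze(lines, window=timedelta(seconds=60), id_threshold=5,
            error_ratio=0.5, min_requests=4):
    """Group events per client and return a list of (client, alert kind, detail)."""
    by_client = defaultdict(list)
    for ev in sorted(parse_line(line) for line in lines):
        by_client[ev[1]].append(ev)

    alerts = []
    for client, events in by_client.items():
        count = detect_enumeration(events, window, id_threshold)
        if count:
            alerts.append((client, "object-id-enumeration",
                           f"{count} distinct IDs within {window.seconds}s"))
        errors = sum(1 for ev in events if ev[4] >= 400)
        if len(events) >= min_requests and errors / len(events) >= error_ratio:
            alerts.append((client, "high-error-ratio",
                           f"{errors}/{len(events)} requests failed"))
    return alerts


if __name__ == "__main__":
    for client, kind, detail in analyze(SAMPLE_LOG):
        print(f"{client}: {kind} ({detail})")
```

Both checks key on the authenticated client identity rather than the source IP, because the point of this section's monitoring is to catch misuse by callers who already hold valid credentials; the enumeration check in particular is only possible when the gateway logs the caller's key or subject alongside the path.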

API Gateways for Mediation

API gateways serve as a crucial line of defense in enhancing visibility and security. These gateways act as intermediaries between API consumers and providers, allowing organizations to implement centralized security policies, enforce authentication and authorization mechanisms, and monitor traffic. 

Identifying API Drift

Tracking and logging changes in API behavior is essential for maintaining a secure and predictable API environment. API drift, which refers to unauthorized or unexpected changes in API functionalities, can introduce vulnerabilities. Establishing mechanisms to identify and log API drift enables organizations to ensure the integrity of their digital services. 
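As an added example (not code from the original post or from Bright) covering both the inventory-visibility point above and this section on drift, the script below diffs a documented API inventory against what the gateway actually observed. It reports three things: shadow endpoints (traffic to routes the inventory does not list), zombie endpoints (deprecated routes still receiving traffic), and schema drift (a documented endpoint returning response fields its schema never declared). The inventory, the endpoint names, the log format and the sample traffic are all constructed; in practice the baseline would be generated from the OpenAPI documents and the observations from the gateway's access log.

```python
"""Shadow, zombie and drift detection by diffing an API inventory against
observed traffic (added illustration; all data below is constructed)."""
import json
import re
from collections import defaultdict

# Constructed baseline: what the documentation / OpenAPI spec says exists.
# 'fields' is the set of response properties the documented schema allows.
INVENTORY = {
    ("GET", "/v2/users/{id}"): {"status": "active", "fields": {"id", "email", "name"}},
    ("POST", "/v2/orders"): {"status": "active", "fields": {"order_id", "total"}},
    ("GET", "/v1/users/{id}"): {"status": "deprecated", "fields": {"id", "email"}},
}

# Constructed gateway log: "<METHOD> <path> <status> <response JSON body>".
OBSERVED_LOG = [
    'GET /v2/users/42 200 {"id":42,"email":"a@example.test","name":"A"}',
    'GET /v2/users/43 200 {"id":43,"email":"b@example.test","name":"B","ssn":"000-00-0000"}',
    'POST /v2/orders 201 {"order_id":"o-9","total":12.5}',
    'GET /v1/users/7 200 {"id":7,"email":"c@example.test"}',
    'GET /internal/reports/export 200 {"rows":[]}',
]

LOG_RE = re.compile(r"^(\w+) (\S+) (\d{3}) (.*)$")


def template_to_regex(template):
    """Turn a path template such as /v2/users/{id} into an anchored regex
    that matches concrete paths like /v2/users/42."""
    return re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")


TEMPLATES = [(method, path, template_to_regex(path)) for (method, path) in INVENTORY]


def normalize(method, path):
    """Map an observed (method, concrete path) to its inventory key, or None."""
    for inv_method, template, rx in TEMPLATES:
        if method == inv_method and rx.match(path):
            return (inv_method, template)
    return None


def parse_log_line(line):
    """Return (method, path, status, set of top-level response field names)."""
    method, path, status, body = LOG_RE.match(line).groups()
    try:
        fields = set(json.loads(body).keys())
    except (ValueError, AttributeError):
        fields = set()  # non-JSON or non-object body: nothing to compare
    return method, path, int(status), fields


def audit(inventory, log_lines):
    """Compare observed traffic with the inventory and collect findings."""
    findings = {"shadow": set(), "zombie": set(), "drift": defaultdict(set)}
    for line in log_lines:
        method, path, _status, fields = parse_log_line(line)
        key = normalize(method, path)
        if key is None:
            findings["shadow"].add(f"{method} {path}")
            continue
        entry = inventory[key]
        if entry["status"] == "deprecated":
            findings["zombie"].add(f"{method} {key[1]}")
        extra = fields - entry["fields"]
        if extra:
            findings["drift"][f"{method} {key[1]}"] |= extra
    findings["drift"] = dict(findings["drift"])
    return findings


if __name__ == "__main__":
    for kind, items in audit(INVENTORY, OBSERVED_LOG).items():
        print(kind, items)
```

The drift check compares only top-level response field names, which is enough to catch a new property leaking into a documented response; comparing full JSON Schema types and nested objects would follow the same pattern with a recursive walk.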

Runtime Protection Deployment

Implementing runtime protection mechanisms is critical for guarding against live threats during the operational phase. This involves deploying security measures that actively monitor API transactions in real time, detect abnormal behavior, and intervene to mitigate potential threats. 

Conclusion

As APIs become more ingrained in business operations, it’s imperative for companies to adopt and enforce a comprehensive API security strategy. This is more than a risk mitigation tactic; it’s a shift in the security paradigm to align with the evolving digital landscape. By prioritizing API security, businesses can substantially diminish the threat potential, ensuring their APIs are not just operational but secure pillars in their digital strategy. 

As the digital world continues to evolve, so too must our approaches to safeguarding its foundational elements, like APIs, to ensure a secure, robust, and reliable technological ecosystem. Embracing a proactive and comprehensive API security approach is not just a necessity; it’s a strategic imperative for businesses navigating the intricacies of the modern digital landscape. Only through vigilant protection and strategic planning can organizations truly harness the full potential of APIs while mitigating the ever-present risks associated with their expanding usage.

The 2023 State of Application Security Survey – Insights and Key Findings

Table of Contents

  1. The Maturing Landscape of AppSec
  2. A Shortage of AppSec Professionals
  3. Prioritization: A Persistent Challenge
  4. The Evolution of Security Practices
  5. Investment in Security Amid Economic Downturn
  6. The Role of SBOM in Supply Chain Security
  7. Cloud Adoption and Its Implications for AppSec
  8. The Human Element in AppSec
  9. Day-to-Day Challenges for AppSec Teams
  10. Conclusion

As the digital landscape continues to evolve, application security (AppSec) remains a critical focus for organizations worldwide. As 2023 ends, let’s review the new 2023 State of Application Security Report from the Purple Book Community, which provides a comprehensive look into the current trends, challenges, and advancements in this field. This blog post delves into the key findings of this report, offering insights into how companies are navigating the complex world of AppSec.

The Maturing Landscape of AppSec

The report begins by acknowledging the gradual maturation of AppSec practices. However, it’s clear that many organizations still face significant hurdles. A staggering 53% of teams report unmanaged risks in their application portfolios, indicating a substantial gap in effective security coverage. This finding underscores the need for more robust and comprehensive security strategies.

A Shortage of AppSec Professionals

The report sheds light on a significant challenge in the realm of AppSec – the acute shortage of AppSec engineers. While nearly half (48%) of the respondents report their security team supports up to 50 developers, a concerning 42% have a minuscule team of just one to five AppSec engineers. Alarmingly, 24% of organizations admit to having no dedicated AppSec engineers at all.

This scarcity of specialized personnel severely hampers the teams’ ability to devote adequate time and effort to counteract threats and vulnerabilities effectively. More critically, it impedes the establishment and implementation of proactive security management strategies. AppSec engineers are not just technical experts; they are the vanguards who work alongside developers to establish, deploy, and maintain security measures. Their role is pivotal in identifying, remediating, and preventing vulnerabilities, thus safeguarding the critical data within the application ecosystem.

The imbalance between developers and security professionals is stark, often with the ratio exceeding 100 to 1. This disparity raises serious concerns about the consistent implementation of best security practices. Without a robust team of AppSec engineers, there’s an inherent risk that applications may be deployed without adequate safeguards against threats like unauthorized access and data modification.

The importance of a strong AppSec engineering team cannot be overstated. These professionals play a crucial role in intertwining security with the software development processes. By embedding security practices throughout the application lifecycle, AppSec engineers ensure the fortification of data against both internal and external threats. This integration is essential for securing applications at every stage – from development to deployment.

Prioritization: A Persistent Challenge

One of the most notable challenges highlighted in the report is the difficulty in prioritizing vulnerabilities. The phrase “too many vulnerabilities, not enough prioritization” resonates throughout the report, capturing a common sentiment among security teams. This challenge is further complicated by the fact that 86% of respondents agree that while security tools are interchangeable, it’s the process that’s most important, suggesting a need for better processes and strategies in vulnerability management.

The Evolution of Security Practices

Interestingly, the report reveals a shift towards more sophisticated security practices. For instance, 31% of industry leaders are using an Application Security Maturity Model, and a similar percentage are tracking the usage of security tools across teams. This indicates a move towards more structured and mature security frameworks, which could be key in addressing the prioritization challenges.

Investment in Security Amid Economic Downturn

Despite global economic challenges, over 50% of organizations are increasing their security spend. This is a telling indicator of the growing recognition of the importance of AppSec in safeguarding business interests. The report suggests that as threats become more sophisticated, so too must the defenses against them.

The Role of SBOM in Supply Chain Security

The Software Bill of Materials (SBOM) is highlighted as a crucial tool in understanding and mitigating supply chain risks. The report notes that over 20% of respondents have no SBOM usage, highlighting an area of potential improvement for many organizations. A comprehensive SBOM provides a clear view of an application’s components, which is essential in today’s complex software ecosystems.
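To make the "clear view of an application's components" concrete, here is an added example (not from the report or from Bright) that reads a minimal CycloneDX-style SBOM and checks each component's package URL against an advisory list to find components below the fixed version. The SBOM document, the package names and the advisory entries are constructed for the example, and the advisory identifiers are placeholders; a real pipeline would pull advisories from a vulnerability database and use a proper version-comparison library rather than the dotted-integer comparison used here.

```python
"""Match SBOM components against an advisory list (added illustration).

The SBOM and advisories below are constructed; the purl handling assumes
simple package URLs of the form pkg:<type>/<name>@<version>.
"""
import json

# Constructed, minimal CycloneDX-style SBOM. Real SBOMs carry many more fields;
# only the ones this check reads are included.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1",
     "purl": "pkg:npm/example-json-parser@2.3.1"},
    {"type": "library", "name": "example-http-client", "version": "1.0.7",
     "purl": "pkg:npm/example-http-client@1.0.7"},
    {"type": "library", "name": "example-crypto", "version": "4.1.0",
     "purl": "pkg:pypi/example-crypto@4.1.0"}
  ]
}"""

# Constructed advisory feed: versionless purl -> (first fixed version, advisory id placeholder).
ADVISORIES = {
    "pkg:npm/example-json-parser": ("2.4.0", "ADVISORY-ID-PLACEHOLDER-1"),
    "pkg:pypi/example-crypto": ("4.0.2", "ADVISORY-ID-PLACEHOLDER-2"),
}


def version_key(version):
    """Dotted numeric versions only (assumption); 2.10.0 sorts after 2.9.0."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Split pkg:npm/name@1.2.3 into ('pkg:npm/name', '1.2.3')."""
    base, _, version = purl.partition("@")
    return base, version


def affected_components(sbom_json, advisories):
    """Return components whose version is older than the advisory's fixed version."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no package URL: cannot be matched reliably
        base, version = split_purl(purl)
        if base not in advisories:
            continue
        fixed_in, advisory_id = advisories[base]
        if version_key(version) < version_key(fixed_in):
            findings.append({"component": comp["name"], "version": version,
                             "fixed_in": fixed_in, "advisory": advisory_id})
    return findings


if __name__ == "__main__":
    for f in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']} affected, fixed in {f['fixed_in']} ({f['advisory']})")
```

The match is keyed on the purl rather than the bare component name because the same library name can exist in several ecosystems (npm, PyPI, Maven) with unrelated version histories.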

Cloud Adoption and Its Implications for AppSec

A significant trend noted in the report is the increasing shift towards cloud deployments, with more than half of the respondents deploying 75% or more of their applications in the cloud. This transition brings its own set of security challenges and emphasizes the need for AppSec strategies that are tailored to cloud environments.

The Human Element in AppSec

The report also touches on the human aspects of AppSec. Challenges such as lack of funding, difficulty in hiring skilled personnel, broader AppSec awareness, and lack of leadership buy-in are cited as major obstacles. These findings highlight the importance of not only technological solutions but also the need for skilled professionals and organizational commitment to AppSec.

Day-to-Day Challenges for AppSec Teams

For teams on the ground, the daily reality involves grappling with an overwhelming number of vulnerabilities and a constant need to prioritize risks effectively. The report suggests that analyzing and triangulating results across various tools to highlight risk priorities remains a daunting task for many.

Conclusion

The 2023 State of Application Security Report sheds light on the complex and evolving nature of AppSec. While there is evidence of maturation and advancement in practices, significant challenges remain. The key takeaways from the report emphasize the need for better prioritization processes, investment in security despite economic challenges, embracing cloud transitions with robust security strategies, and focusing on the human elements of AppSec. As the digital world continues to evolve, so too must our approaches to securing it. This report serves as both a benchmark and a guide for organizations looking to navigate the intricate landscape of application security.

Bright Product Update – May 2022

Table of Contents

  1. Improved authentication flow configuration
  2. Run a ‘traceroute’ diagnostic for the repeater via the UI
  3. Additional sorting options in the Scans table
  4. Performance Improvements

We’ve made a bunch of improvements and released new features for the Bright app and API security scanner. Give them a spin!

Improved authentication flow configuration

We added a ‘Standby’ option to specify a wait time for large pages to load before continuing the authentication flow. – Try it now

Run a ‘traceroute’ diagnostic for the repeater via the UI

You can now easily run a traceroute diagnostic directly from the UI to quickly analyze and discover network issues or firewall blocks. – Check it out

Additional sorting options in the Scans table

We added the ability to sort scans by their High, Medium, or Low count on the Scans table. – Take a look

Performance Improvements

Various improvements to OS injection, XSS injection and other tests. – Create a new scan and try it out!

New features from Bright to secure your apps!

Table of Contents

  1. Improvements
  2. Improvements to authentication flow configuration
  3. Improved Repeater execution command for Docker option in the onboarding wizard
  4. More options to open scans and projects in a new tab
  5. UI improvements
  6. General Performance improvements

We’ve made a bunch of improvements and released new features for the Bright app and API security scanner. Give them a spin!

Improvements

View scan history by scan ID

Have you ever wanted to see all the re-runs of a specific scan? Well, you’re in luck! We introduced a History ID to all scans. To view all of the re-runs of a specific scan, you simply need to filter scans by the History ID of the original scan.

Improvements to authentication flow configuration

There are lots of new improvements in running authenticated scans:

  • There is now automatic support for Firebase authentication in browser-based form authentication
  • We added Repeater connectivity status to the selection of a Repeater in an authentication object configuration
  • You can now easily re-order stages for custom API and browser-based authentication flows
  • We improved the ‘Maximum number of redirects’ selector to be more intuitive
  • We improved the ‘Logout indicators’ section to be more user friendly and clean

Improved Repeater execution command for Docker option in the onboarding wizard

We improved the Docker command so that the container is removed from the container list in the Docker management console when it shuts down.

More options to open scans and projects in a new tab

We added support for middle-mouse click or Ctrl + left-mouse click to open Scans and Projects in a new tab.

UI improvements

Enjoy the improved UI we introduced to make your experience navigating our app even better!

  • More scan filters to make your search for specific scans more effective
  • Additional UX improvements to the authentication object setup dialogue to make the configuration clearer and easier to use

General Performance improvements

Various improvements for crawler performance and stability

Product Update – February 2022

Table of Contents

  1. New Features
  2. Improvements
  3. UI improvements
  4. General Performance improvements

A lot is happening with Bright!

We want to share some exciting news! Our name has changed from NeuraLegion to Bright! On top of that, we raised a $20 million funding round! This is not only great news for us, but for you too. This financing will allow us to improve the Bright DAST to secure your apps and APIs, without slowing down your software development processes.

Here are some updates and improvements that will make your experience even better:

New Features

The amazing new API Linter

Our new Schema Linter (Editor) is a smart tool designed to parse, validate and edit an uploaded API schema, making it easy for you to configure high-quality, efficient scans that will ensure the best results. Explore the Linter’s features and capabilities in our step-by-step tutorial.

Improvements

Have you had your scans crash because your app logged you out?
Don’t worry, we have a solution for you.

You can now configure Bright DAST to detect when applications need to re-login, without having to stop your scan and do it manually. It will log you back into your app without skipping a beat. This can be easily done with the new Authentication Triggers option “Detect using Request URL pattern”.

Try it in your account now

UI improvements

Enjoy the improved authentication configuration and other UI enhancements we introduced to make your experience better!

  • Clear and consistent authentication object setup
  • Enhanced visibility and representation of the Scans table settings
  • Comprehensive filter setup on the Scans page
  • Convenient pagination on the Scans page

General Performance improvements

Various improvements for crawler performance and stability, as well as a significant improvement to SQLI and LDAP testing.

Product Update – January 2021

Table of Contents

  1. New Features
  2. Improvements

A lot is happening with Bright! Here are some updates and new features that will make your experience even better.

New Features

Introducing a new scan status: Disrupted

With the new scan status of Disrupted, you can now easily distinguish scans that were stopped due to recoverable issues on the user’s side, for example:

  • When the repeater is no longer available during an active scan
  • When the target is not responding for X minutes (5 minutes by default)
  • When the scan finds no valid entry-points, due to incorrect configuration (missing authentication, no valid responses, etc.)
  • When a scheduled scan cannot start due to a configuration issue (file unavailable, repeater unavailable, etc.)

The disruption event details are also recorded to Engine Notifications.

View your scans!

Improvements

New Version of Okta Integration

We’ve made improvements to how you manage your team’s access to Bright’s scanner using Okta SSO. The Bright integration app is now available on the Okta marketplace. With this app, you can easily configure SSO integration via both OIDC and SAML protocols. You can also take advantage of the provisioning feature to automatically synchronize users and groups between your Okta application and your Bright organization.

Go to Okta Marketplace!

Project Level API Keys

To provide more flexibility and control over how your teams access Bright, we added the ability to create and use API keys at the project level.

Check out the docs and learn more!

Browser-Based Authentication Improvements

We improved our form field detection algorithm to be able to look up the target field not only by name but also by labels, placeholders, and even unique HTML object IDs. That will make the process of configuring the authentication form quick and easy! Just write the name of the field as you see it, and our browser will find it in the form automatically. Easy!

Try it out!

Multi-step Browser-based Authentication

We extended the browser-based authentication configurations to support multiple steps, where you can easily specify your application’s unique login sequences.

Try it out!

General UI improvements

Check out our design improvements to the New Scan window to improve your user experience!

Start a new scan

General Performance improvements

Various improvements for Engine performance and stability for handling edge cases during the discovery stage, and a significant improvement to XSS testing.

Bright Security Product Update – December 2021

Table of Contents

  1. Improvements
  2. Group administration with an organization-level API key
  3. PDF report performance optimizations
  4. General UI improvements
  5. General performance improvements

This blog post announces the November 2021 Update for Bright.
We added some new features and product enhancements that will make your experience even better.

Improvements

Simplified new scan window

Scans can now be set up faster and more easily in the advanced mode. Run a scan now!

Group administration with an organization-level API key

Every group can now be assigned a role, which defines the access scope in fine-grained detail. Check out the docs and learn more.

PDF report performance optimizations

You can now export a PDF report faster, with better page layout. Run a scan now and export report!

General UI improvements

We improved the search, download and copy buttons, the engine notifications view, and introduced some other enhancements to make your experience better.

General performance improvements

Various improvements for engine performance and stability for handling edge cases during the discovery stage.

Bright Product Update – November 2021

Table of Contents

  1. New Features
  2. Get full IP traceroute on a specific target
  3. Restrict a Repeater to a specific project(s)
  4. Improvements
  5. Possibility to change the method on redirect when configuring an Authentication Object
  6. Allow using API keys to access role resources
  7. Easy access to Authentications
  8. General UI improvements

This blog post announces the November 2021 Update for Bright.
We added some new features and product enhancements that will make your experience even better.

New Features

Assigning roles to groups

Every group can now be assigned a role, which defines the access scope in fine-grained detail. Try it out – manage your organization.

Get full IP traceroute on a specific target

Reveal all connectivity bottlenecks in minutes! Get a full IP traceroute on your target application to easily manage whitelisting Bright. See the documentation.

Restrict a Repeater to a specific project(s)

You can now use a repeater only for particular projects, which lets different teams scan only specific local targets. See the documentation.

Improvements

Optimize attack surface with custom headers

You can now optimize the attack surface by selecting specific custom headers to be covered by tests during scanning. These headers will be included in the “smart scan targets” for your scans, allowing you to test your custom headers with all our tests without compromising on scan speed. Run a scan with custom headers.

Possibility to change the method on redirect when configuring an Authentication Object

When configuring an authentication object, you can now enable redirects for status code 302 in which the server expects the request that follows the redirect to always use GET, rather than the original method that triggered the redirect. Create an Authentication Object.

Allow using API keys to access role resources

From now on you can select the role-related access scopes when creating API keys, as well as manage those roles via our REST API. See documentation.

Easy access to Authentications

Now you can easily reach Authentications from the left menu. See the documentation.

General UI improvements

Enjoy our improved breadcrumbs navigation, smart copy button, “found issues” view on the Scans page, and other UI enhancements to make your experience better.

Scan surface discovery and speed improvements

We improved scan speeds by automatically analyzing and excluding irrelevant entry points such as duplicates and static resources.

Bright Product Update – October 2021

Table of Contents

  1. Don’t have a website, but you want to run a security scan with Bright?

This blog post announces the October 2021 Update for Bright.
We added some new features and product enhancements that will make your experience even better.

Don’t have a website, but you want to run a security scan with Bright?

We launched an intentionally vulnerable website ‘Broken Crystals’!
If you always wanted to run a scan on Bright, but didn’t have your target, here it is:

https://brokencrystals.com

Check out the new documentation that will make your experience even better!

You’ll find comprehensive concept topics and step-by-step guides to help you deploy, configure and use Bright, as well as get assistance if you get stuck. Let’s jump right in!

docs.neuralegion.com