How API Business Logic Flaws Expose Sensitive Data
Salt Security's Stephanie Best on Why API Control Flaws Are on CISOs' Radar
API security is now a ripe attack vector, but not through injection or brute force attacks. Attackers are using carefully crafted business logic exploits in which they effectively social engineer an API into doing something it wasn't intended to do, according to Stephanie Best, director of product marketing for API security at Salt Security.
Adversaries are using broken object level authorization, or BOLA, attacks, which use legitimate authentication but trick the API into giving away someone else's information. An attacker might have a cookie stored with someone else's username and then get access to that person's information. BOLA attacks are hard to spot because the API is doing exactly what it is designed to do; it just wasn't designed to stop that type of attack.
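To make the mechanism concrete, here is an added example (not from the interview or from Salt Security): a minimal profile endpoint with the BOLA flaw beside its fixed version, plus a simple detection heuristic. The profiles, session cookies and log entries are constructed for illustration.

```python
# Added example: a BOLA flaw, its fix, and a detection heuristic.
# All records, session tokens and log lines below are constructed.
from collections import defaultdict

# Constructed data store: user id -> profile record
PROFILES = {
    "u100": {"email": "alice@example.com", "ssn_last4": "1234"},
    "u200": {"email": "bob@example.com", "ssn_last4": "9876"},
}
# Constructed session store: cookie value -> authenticated user id
SESSIONS = {"sess-alice": "u100", "sess-bob": "u200"}


def authenticate(cookie):
    """Authentication only answers 'who is calling?'. Returns a user id or None."""
    return SESSIONS.get(cookie)


def get_profile_vulnerable(cookie, user_id):
    """BOLA: the caller is authenticated, but the object id taken from the
    request is never tied to the caller, so any valid session reads any profile.
    The API 'works as designed'; it simply never checks ownership."""
    if authenticate(cookie) is None:
        return 401, None
    record = PROFILES.get(user_id)
    return (200, record) if record else (404, None)


def get_profile_fixed(cookie, user_id):
    """Object-level authorization: the requested object must belong to the
    authenticated caller (an explicit ACL would be needed for anything else)."""
    caller = authenticate(cookie)
    if caller is None:
        return 401, None
    if caller != user_id:
        return 403, None  # authenticated, but not authorized for this object
    record = PROFILES.get(user_id)
    return (200, record) if record else (404, None)


def bola_suspects(access_log, threshold=2):
    """Detection heuristic over an access log of (cookie, requested_user_id):
    flag sessions that repeatedly request objects they do not own. Legitimate
    traffic rarely does this; enumeration of other users' ids does."""
    foreign = defaultdict(set)
    for cookie, user_id in access_log:
        if SESSIONS.get(cookie) != user_id:
            foreign[cookie].add(user_id)
    return {c for c, ids in foreign.items() if len(ids) >= threshold}
```

The vulnerable handler returns Bob's record to Alice's session; the fixed handler answers 403 for the same request, and the heuristic flags a session that has requested two or more profiles it does not own.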
In this video interview with Information Security Media Group at Infosecurity Europe 2023, Best also discussed:
- The top three security control gaps for CISOs: API security, third-party apps and cloud security;
- The significance of No. 6 on the latest OWASP API report, which affects business flows and sensitive information;
- Salt Labs' data showing a 400% increase in unique attackers in one year.
Best has over 20 years of experience in enterprise software marketing and over 10 years of experience in security. Her expertise spans cloud and application security, compliance, vulnerability management, threat and fraud detection, penetration testing, managed services, consulting services, and big data and information management. She is skilled in driving revenue growth by penetrating new markets through the development of new use cases, industry solutions and persona relevance.