API Security , Events , Infosecurity Europe 2023

How API Business Logic Flaws Expose Sensitive Data

Salt Security's Stephanie Best on Why API Control Flaws Are on CISOs' Radar
Stephanie Best, director of product marketing for API security, Salt Security

API security is now a ripe attack vector, but not because of injection or brute force attacks. Attackers are using carefully crafted business logic exploits in which they effectively social engineer an API into doing something it wasn't intended to do, according to Stephanie Best, director of product marketing for API security at Salt Security.


Adversaries are using broken object level authorization, or BOLA, attacks, which use legitimate authentication but trick the API into giving away someone else's information. An attacker might have a cookie stored with someone else's username and then get access to that person's information. BOLA attacks are hard to spot because the API is doing exactly what it is designed to do. It just wasn't designed to stop that type of attack.
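The BOLA pattern described above, shown as an added example that is not Salt Security's code or anything from the interview: a handler that authenticates the caller but never checks ownership of the requested record, the hardened handler beside it, and a small detection pass over constructed access-log lines. The account store, session type, and log format are all assumptions made for illustration.

```python
"""
Broken object level authorization (BOLA): the caller is authenticated, but the
API never checks that this principal may read the *specific* object requested.
Added example; the data store, session format and log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed data store: account records keyed by ID, each with an owner.
ACCOUNTS = {
    "acc-1001": {"owner": "alice", "balance": 2500, "ssn_last4": "1234"},
    "acc-1002": {"owner": "bob",   "balance":  900, "ssn_last4": "5678"},
    "acc-1003": {"owner": "carol", "balance": 4100, "ssn_last4": "9012"},
}


@dataclass(frozen=True)
class Session:
    """Authenticated principal derived from a (constructed) session cookie."""
    user: str


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_account_vulnerable(session: Session, account_id: str) -> dict:
    """Authentication happened (we hold a Session), but nothing checks that this
    session may read this particular account. The API 'works as designed' and
    still hands a different user's record to the caller: classic BOLA."""
    if account_id not in ACCOUNTS:
        raise KeyError(account_id)
    return ACCOUNTS[account_id]


def get_account_hardened(session: Session, account_id: str) -> dict:
    """Object-level authorization: the record's owner must be the caller."""
    record = ACCOUNTS.get(account_id)
    # Same error for 'missing' and 'not yours', so the API does not leak
    # which account IDs exist.
    if record is None or record["owner"] != session.user:
        raise Forbidden(account_id)
    return record


# Constructed access log, one successful-or-not API call per line:
# "<authenticated user> <object id> <HTTP status>".
ACCESS_LOG = """\
alice acc-1001 200
bob acc-1002 200
bob acc-1001 200
bob acc-1003 200
carol acc-1003 200
carol acc-1002 403
"""


def bola_suspects(log_text: str, store: dict = ACCOUNTS) -> dict:
    """Detection heuristic for the vulnerable handler's traffic: count, per
    principal, successful reads of objects owned by someone else. Because the
    API returned 200 every time, the signal is the ownership mismatch between
    the session user and the record, not an error code or a malformed input."""
    foreign_reads = defaultdict(int)
    for line in log_text.splitlines():
        user, object_id, status = line.split()
        if status != "200":
            continue
        owner = store.get(object_id, {}).get("owner")
        if owner is not None and owner != user:
            foreign_reads[user] += 1
    return dict(foreign_reads)


if __name__ == "__main__":
    bob = Session(user="bob")
    print(get_account_vulnerable(bob, "acc-1001"))   # alice's record leaks
    try:
        get_account_hardened(bob, "acc-1001")
    except Forbidden as exc:
        print("denied:", exc)
    print(bola_suspects(ACCESS_LOG))                 # {'bob': 2}
```

The detection pass only works if the log records both the authenticated principal and the object ID, and if the monitoring side can resolve object ownership; that join is what makes an otherwise normal-looking 200 response stand out.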

In this video interview with Information Security Media Group at Infosecurity Europe 2023, Best also discussed:

  • The top three security control gaps for CISOs: API security, third-party apps and cloud security;
  • The significance of No. 6 on the latest OWASP API Top 10, which concerns business flows and sensitive information;
  • Salt Labs' data showing a 400% increase in unique attackers in one year.

Best has over 20 years of experience in enterprise software marketing and over 10 years of experience in security. Her expertise spans cloud and application security, compliance, vulnerability management, threat and fraud detection, penetration testing, managed services, consulting services, and big data and information management. She is skilled in driving revenue growth by penetrating new markets through the development of new use cases, industry solutions and persona relevance.


About the Author

Tony Morbin

Executive News Editor, EU

Morbin is a veteran cybersecurity and tech journalist, editor, publisher and presenter working exclusively in cybersecurity for the past decade – at ISMG, SC Magazine and IT Sec Guru. He previously covered computing, finance, risk, electronic payments, telecoms, broadband and computing, including at the Financial Times. Morbin spent seven years as an editor in the Middle East and worked on ventures covering Hong Kong and Ukraine.



