API Security , Events , Infosecurity Europe 2023
How API Business Logic Flaws Expose Sensitive Data
Salt Security's Stephanie Best on Why API Control Flaws Are on CISOs' RadarAPI security is now a ripe attack vector, but not from injection or brute force attacks, Attackers are using carefully crafted business logic exploits in which they effectively social engineer an API to do something it wasn’t intended to do, according to Stephanie Best, director of product marketing for API security at Salt Security.
See Also: 2024 Report: Mapping Cyber Risks from the Outside
Adversaries are using broken object level authorization, or BOLA, attacks - which uses legitimate authentication but trick the API into giving away someone's information. An attacker might have a cookie stored with someone else's username and then get access to their information. BOLA attacks are hard to spot because the API is doing exactly what it is designed to do. It just wasn't designed to stop that type of attack.
In this video interview with Information Security Media Group at Infosecurity Europe 2023, Best also discussed:
- The top three security control gaps for CISOs: API security, third-party apps and cloud security;
- The significance of No. 6 on the latest OWASP API report, which affects business load and sensitive information;
- Salt Labs' data showing a 400% increase in unique attackers in one year.
Best has over 20 years of experience in enterprise software marketing and over 10 years of experience in security. Her expertise spans cloud and application security, compliance, vulnerability management, threat and fraud detection, penetration testing, managed services, consulting services, and big data and information management. She is skilled in driving revenue growth by penetrating new markets through the development of new use cases, industry solutions and persona relevance.