In a Kubernetes cluster, Control Plane controls Nodes, Nodes control Pods, Pods control containers, and containers control applications. But what controls the Control Plane? Kubernetes exposes APIs that let you configure the entire Kubernetes cluster management lifecycle. Thus, securing access to the Kubernetes API is one of the most security-sensitive aspects to consider when considering Kubernetes security.

Stop, look, listen; lock, stock, and barrel; "Friends, Romans, Countrymen..." The 3 Little Pigs; Art has 3 primary colors; photography has the rule of thirds; the bands Rush and The Police; the movie The 3 Amigos. On and on it goes - "Omne trium perfectum" – “Everything that comes in threes is perfect.” While this article doesn’t provide perfection, we’ll focus on the top three API vulnerabilities (according to OWASP).

If you don’t think API security is that important, think again. Last year, 91% of organizations had an API security incident. The proliferation of SOAP and REST APIs makes it easy for organizations to tailor their application ecosystems. But, APIs also hold the keys to all of a company’s data. And as data-centric projects become more in demand, it increases the likelihood of a target API attack campaign.

Getting a complete overview of the growing attack surface is difficult. Regardless of how security is organised in your organisation, knowing what Internet-facing assets are exposed and if those assets are vulnerable across many different teams is no simple task. This is doubly true for security teams with dozens – or even hundreds! – of dev teams. We’ve now made it possible for customers on the Enterprise Plan to create and manage subteams through the Detectify API.

This blog describes the attack path we have uncovered during a recent penetration test of a web application, coupled with a back-end infrastructure assessment. Throughout we introduce different attack techniques and tools that can be used to attack the underlying infrastructure and APIs of a web application.

There is a sight gag that has been used in a number of movies and TV comedies that involves an apartment building lobby. It shows how people who don’t live there, but who want to get in anyway, such as Girl Guides looking to sell cookies to the tenants – simply run their fingers down every call button on the tenant directory, like a pianist performing a glissando, knowing that at least one of the dozens of apartments being buzzed will let them in simply out of reflex or laziness.

Gartner’s introduction of the Security Service Edge (SSE) Magic Quadrant in February of 2022 has been an impetus for organizations to reassess their cloud access security broker (CASB) solutions. CASB is one of the three core components of SSE and the piece of the puzzle that handles cloud security for SaaS and IaaS applications.