Detectify is on a mission to drive the future of Internet security with automated and crowdsourced web solutions. API security and hacking is a pretty hot topic today and we invite 3 experts to join us for the latest Detectify Hacker School Reboot to present lightning talks on their experience and interests in hacking APIs. Detectify recently announced that we are researching, breaking and securing APIs.
Tom Hudson (TH), Senior Security Researcher at Detectify, joined the Application Security Weekly podcast to talk about the status quo on web scanners and securing modern web applications. We’ve edited the transcript for brevity and taken some highlights from the pod episode below.
API security is one of the most important aspects of cybersecurity. The rise of new technologies like microservices, cloud-native applications, IoT devices, single-page applications, serverless, and mobile has led to increased use of APIs. Any internal application elements are now APIs connecting with one other through a network. A game API lets your applications and web services communicate with one another and share information such as rules, settings, specs, and data.
Detectify is expanding its web app fuzzing engine to scan public-facing APIs for vulnerabilities. Earlier in the year, we released a new fuzzing engine, and it was developed with API scanning in mind. In Fall 2021, we will roll out open beta testing. You can register for Detectify API fuzzer updates and beta testing program.
An application programming interface (API) enables communication and data exchange between two separate software systems. The application (or service) layer sits between the presentation and database layers and lays out the rules of how users can interact with services, data or functions of the application. API testing is a software testing practice that tests the functionality, reliability, performance and security of an API.
While there may still be the occasional team that handles everything themselves, most software products are made up of a variety of services from different vendors. From data storage to customer management, third party data processors are a nearly unavoidable part of any organization.
The Linux/UNIX process model creates a new process by cloning the currently running one using the fork() system call. Subsequently, exec()—or one of its variants—loads a new program image into the newly cloned child process. There are a variety of issues that stem from using this approach in modern systems. There are also various widely used techniques and APIs aiming to alleviate the issues in different ways with different degrees of success and quirks.
