Vulnerable APIs and Bot Attacks: Two Interconnected, Growing Security Threats – David Holmes – ASW #300
1. Vulnerable APIs and Bot Attacks: Two Interconnected, Growing Security Threats – David Holmes – ASW #300
APIs are essential to modern application architectures, driving rapid development, seamless integration, and improved user experiences. However, their widespread use has made them prime targets for attackers, especially those deploying sophisticated bots. When these bots exploit business logic, they can cause considerable financial and reputational damage. In this discussion, David Holmes offers insights into the latest trends in API and bot attacks and provides strategies to defend against these threats.
Segment Resources:
- The Economic Impact of API and Bot Attacks: https://www.imperva.com/resources/resource-library/reports/the-economic-impact-of-api-and-bot-attacks/
- The True Cost of API Insecurity and Bot Attacks in 2024: https://www.imperva.com/resources/resource-library/webinars/the-true-cost-of-api-insecurity-and-bot-attacks-in-2024/
This segment is sponsored by Imperva. Visit https://www.securityweekly.com/imperva to learn more about them!
Guest
With over 25 years’ experience in security and product engineering, David Holmes has equipped security leaders with the foresight needed to navigate emerging threats and stay ahead of the threat landscape. As Imperva Application Security CTO, he helps customers protect their applications and APIs amidst the growing complexity of modern application architectures.
Previously, he was Principal Research Analyst at Forrester Research, where he authored numerous papers on network security, application security, SASE, DDoS, cryptography, and Zero Trust. He also developed and sold application security and bot management solutions at Shape Security and F5 Networks.
2. Fuzzing for Vulns, GitLab Auth Bypass, JPEG Vulns, Programming Language Ranks – ASW #300
Fuzzing network traffic in OpenWRT, parsing problems lead to GitLab auth bypass, more fuzzing finds vulns in a JPEG parser, and more!
- 1. 4 exploits, 1 bug: exploiting CVE-2024-20017 4 different ways | hyprblog
This article has a very familiar opening about a "buffer overflow caused by a copy operation that uses a length value taken directly from attacker-controlled packet data without bounds checking."
It was discovered with a fuzzer, which might not sound as cool as using an AI or LLM, but remains one of the most effective tools for vuln discovery.
- 2. Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS | by Mikko Kenttälä | Sep, 2024
I can't resist a vuln write-up that talks about path traversal. This article also demonstrates the persistence needed to keep tracking a vuln over a long timeframe.
- 3. GitLab Critical Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10
Authentication endpoints are fruitful areas for research. Not to mention how often we talk about authentication, SSO, and SAML around here.
At the heart of this vuln is a parsing problem with XML. I don't think we'll be able to get rid of XML any time soon, but it's at least better than the mess of ASN.1 that has plagued OpenSSL (and certificates) for ages. What's a good format that balances human readability with mistake-resistant structure for parsing?
- 4. Blog: CVR: The Mines of Kakadûm
I referenced The Silmarillion in last week's episode intro, so I felt obliged to include this article that makes a subtle nod to Khazad-dûm.
It also ties in nicely with this week's theme of file formats, parsing, and fuzzing. You don't have to get into the exploit details to appreciate this article or take away some lessons in parsing, sandboxing, and handling user-generated content.
- 5. [FYI] fwd:cloudsec Europe 2024
The recording is available. Two presentations that stood out to me were:
- Service Agents and the Search for Transitive Access in GCP
- GCP and AWS identity federation - lessons learned from the field, as well as cross-cloud forensics and incident response
- 6. The RedMonk Programming Language Rankings: June 2024 – tecosystems