As application security (AppSec) professionals, we understand the constant struggle to secure our ever-expanding digital landscapes. APIs often become blind spots, creating sleepless nights and doubts in our attack surface coverage.  But there is a solution— adopting a continuous API discovery process. One that doesn’t involve manually tracking down API endpoints.  Owning Your API Attack Surface Imagine a world where: Security Audits Become a Breeze: No more scrambling to identify in-scope APIs. A comprehensive inventory streamlines security assessments. Developers Get What They ..read more

DENVER, May 6, 2024 -- StackHawk, the company making application security testing part of software delivery, today announced that the company was named winner of ‘Most Innovative API Security’ in the 12th Annual Global Infosec Awards at RSA 2024. These prestigious global awards, by Cyber Defense Magazine, recognize innovators with compelling value propositions for their products in competitive infosecurity industries. Built for modern engineering teams, StackHawk has reimagined API security testing by empowering developers to find and fix security vulnerabilities during their traditional build ..read more

CSRF, or cross-site request forgery, is one of the most notoriously difficult exploits to mitigate in the world of development. Not only are these attacks everywhere on the web, but their potential for damage is quite astounding. This is why it's so important for people to be aware of their presence and to know how to protect their systems.  The purpose of this article is to serve as a starting point for developers in general and Node.js engineers in particular for CSRF protection. We will briefly explain what cross-site request forgery is, list some examples of CSRF attacks that you migh ..read more

At StackHawk, we've helped countless customers find tremendous value in our API security testing capabilities. We are repeatedly chosen for our ability to comprehensively test APIs and seamlessly automate testing within their CI/CD pipelines. However, a recurring theme has emerged: customers are only uncovering a fraction of their total attack surface. Our internal analysis of code repositories reveals that many security teams are not testing and are potentially unaware of a significant portion of their APIs. The fast pace of software development makes it difficult for security to keep up, cre ..read more

Like most modern applications, APIs require extensive authorization controls to safeguard data and functionality. When authorization controls break down, sensitive data and critical functions become exposed, leading to potentially disastrous consequences. When precisely diagnosing authorization-related vulnerabilities, the OWASP API Security Top Ten outlines several variants. One such variant, Broken Function Level Authorization (BFLA), is an API vulnerability to which users can perform actions or use functions they shouldn't have access to. Imagine an attacker gaining unauthorized administrat ..read more

Golang is fast becoming the programming language on which developers build the internet. Only JavaScript and Python are ahead in popularity survey results, which is an undeniable confirmation of this trend. Key to this growing popularity is how simple it is to learn and use Go. Add to this the fact that it's perfectly designed for fast execution of applications in microservice architecture models.  Even as you use one of the top languages on the market, your applications are often at the mercy of hackers. They've basically laced the internet with "minefields"—attacks waiting to activate o ..read more

APIs are everywhere and power almost everything. API usage and traffic continue to grow as applications become more distributed, thanks to the massive amount of SaaS and other web-based services that consume the modern software landscape. APIs offer significant advantages to developers, empowering them to leverage existing functionality, accelerate application development, and unlock new possibilities. However, as applications and API portfolios become increasingly complex, maintaining a comprehensive understanding of all existing APIs becomes a significant challenge. APIs can quickly become o ..read more

With every passing year, the complexity of cyber threats intensifies. With each new threat comes the demand for more sophisticated defenses. This guide is designed to teach you the essential cybersecurity tools that stand as the vanguard against these evolving threats. From network security monitors and web vulnerability scanning to encryption tools, this blog uncovers the critical technologies that cyber security professionals depend on to safeguard our digital realm. You'll learn about the tools and how to strategically select and effectively implement them to enhance your digital defenses ..read more

First of all, what is HTTP strict transport security (HSTS) and why do you need it? HSTS is a specific HTTP response header that tells the browser to load a site over HTTPS. The browser will do so whether the user uses the HTTP or the HTTPS protocol. Even if you have a redirect, it's a good idea to set up HSTS since that initial plain text send from the browser to the HTTP endpoint remains vulnerable. That's because the browser will still send any domain cookies to that endpoint—unless, of course, they're set to secure.  In this post, you can read more about HSTS and how it relates to Rea ..read more

For developers striving to build secure APIs, Insecure Direct Object References (IDOR) stand out as a critical vulnerability to look for. As outlined in the OWASP API Security Top 10, this vulnerability can lead to unauthorized access and manipulation of data, leading to disastrous consequences. Broken Object Level Authorization (BOLA) vulnerabilities arise when applications fail to enforce adequate authorization checks for accessing objects or resources. This flaw enables attackers to exploit user-supplied inputs, like URL parameters, to access or manipulate objects they shouldn't, such as fi ..read more