Critical Flaw Exposed: Understanding CVE-2024-3400 in PAN-OS GlobalProtect
Traceable Blog
by Soujanya Namburi
6d ago
Palo Alto Networks recently announced a critical vulnerability (CVE-2024-3400) affecting their PAN-OS software, specifically within the GlobalProtect functionality, with a CVSSv4.0 Base Score of 10. This vulnerability impacts PAN-OS versions 10.2, 11.0, and 11.1 when configured with GlobalProtect. CISA has added this vulnerability to its KEV (Known Exploited Vulnerabilities) Catalog, indicating evidence of active exploitation. The issue arises from improper input validation, allowing for arbitrary file creation and remote ...
API Security: What Every Developer Needs to Know
Traceable Blog
by Aspen Team
1w ago
At Traceable, we monitor 500 billion API calls a month from a very diverse customer base across different industries and geographies. These customers have end-users that span 180+ countries. This broad spectrum of traffic provides Traceable with a unique vantage point to observe the evolving landscape of API design and the sophisticated methods used by malicious actors to exploit vulnerabilities. On average, a significant portion of our API traffic—up to 3%—is flagged as security events, ranging from one-shot malicious attacks to anomalous beha ...
Banking on APIs: API Security for Financial Services
Traceable Blog
by John Jeremiah
1w ago
Traceable API Security Platform Updates – March 2024
Traceable Blog
by Allison Averill
1w ago
March releases include enhancements to security analytics, new detections, and a new WAF integration. Here are the details on what’s new: Enhancements to Security Analytics Power Investigation into Data Impact of Security Events. Last month we released Security Event Analytics to power deeper analytics of security events detected by Traceable. This month we have added additional attributes to security analytics to power investigation and forensics related to data access and potential data exfiltration. Security analytics for traces and ...
API Summit 2024: Security Challenges, AI, and What’s Next
Traceable Blog
by Katie Paxton-Fear
1w ago
After a long 20-hour travel journey (and making the mistake of flying into Dublin the Thursday before St Patrick’s Day), I’m back from the Austin API Summit. As expected, I learned a great deal and connected with some of the leaders in not just API security but APIs in general. I listened to some insightful talks and had some fantastic conversations. I also was very kindly accepted to speak too. But before I get into that, I wanted to start with a few of the big-picture thoughts that stuck with me after the summit. For one, developers have ...
To Secure Generative AI Applications, Start with Your APIs
Traceable Blog
by Sanjay Nagaraj
1w ago
Product security and information security teams are facing a new challenge: securely integrating generative AI into their applications. API security can help. The conversation around securing generative AI came hot on the heels of the ChatGPT beta launch sixteen months ago. Almost overnight, organizations were assembling tiger teams to define a generative AI strategy for their business. Security leaders were tasked with figuring out how to adopt AI safely and securely while safeguarding company and customer data. Red teams quickly went ...
Navigating the Maze: Understanding API Sprawl and Its Implications
Traceable Blog
by Jessica Marie
1w ago
APIs serve as the building blocks that connect applications and enable data exchange. However, when the growth of APIs outpaces management, control and security, it leads to a phenomenon known as API sprawl. This uncontrolled proliferation of APIs can create a tangled web within an organization’s infrastructure, hindering efficiency, increasing security risks, and jeopardizing compliance efforts. In fact, Traceable’s 2023 State of API Security Report reveals that the majority (48%) of organizations cite API sprawl as their top ...
Context-Aware Security as the Key Driver for Enhancing API Security in 2024
Traceable Blog
by Sanjay Nagaraj
1w ago
As we head into 2024, API security is experiencing a pivotal shift with an increasing focus on context-aware security. This trend marks a transformation from traditional, static security methods to a more dynamic and informed approach. In context-aware security, each API request is not only examined at face value but also within the full context of its operational environment. This involves a detailed analysis of user behavior, the nature of the data being accessed, and the specific circumstances of API usage. This app ...
Weekly Cybersecurity Roundup: Week of March 15, 2024
Traceable Blog
by Jessica Marie
1w ago
This week’s cybersecurity news paints a worrying picture of the relentless assaults aimed at APIs. From the potential exploitation of AI in healthcare attacks to massive credential leaks and the ongoing need for data breach verification, headlines underscore the urgent need for robust API security measures. We’ll delve into these top stories, discussing the dangers of exposed credentials, the impact of AI on the threat landscape, and how to proactively respond to data breaches. Let’s explore these critical incidents and the strategies you ca ...
Data Poisoning: How API Vulnerabilities Compromise LLM Data Integrity
Traceable Blog
by Jessica Marie
1w ago
Cybersecurity has traditionally focused on protecting data. Sensitive information is a valuable target for hackers who want to steal or exploit it. However, an insidious threat, known as data poisoning, is rapidly emerging in the age of artificial intelligence (AI) and use of LLMs. This type of attack flips the script – instead of outright data theft, data poisoning corrupts the integrity of the data itself. AI and machine learning (ML) models are profoundly dependent on the data used to train them. They learn patterns and b ...
