We’re thrilled to offer customers the power of AI to maximize efficiency, and protecting customer data will always be our top priority. Our AI technology, HawkAI, conducts a non-intrusive analysis of your code repositories, ensuring your source code remains private and secure. HawkAI prioritizes data privacy by adhering to strict principles: No source code, sensitive data, or PII data is shared with third parties. No LLM Training: We don't use your data to train large language models. Code Integrity: HawkAI does not send code contents to 3rd parties. This ensures a powerful and secure ..read more

The Content Security Policy (CSP) is a security standard that helps protect and mitigate content injection attacks such as cross-site scripting (XSS), clickjacking, and more. You can use it to protect your Spring web applications by enabling specific HTTP headers. These headers enable web browsers to prevent attackers from injecting malicious code into the input data of a form, including URL parameters, field values, and other components. Cross-site scripting (XSS) is the most common type of content injection attack. It occurs when a website accepts user data without adequate validation, filte ..read more

A Kotlin web application that is vulnerable to cross-site scripting, or XSS, has weak points through which users can inject JavaScript code. Such weak points exist in web applications that accept user input. For example, you can find these kinds of weak points in online forums that allow users to post comments.  XSS is a common web application security vulnerability. It can lead to some serious issues like the exposure of sensitive user data stored in cookies.  In this post, we'll take a look at some examples of Kotlin XSS attacks. In addition, we'll look at how to prevent XSS attack ..read more

For developers striving to build secure APIs, Broken Function Level Authorization (BFLA) is a crucial vulnerability demanding meticulous attention. BFLA belongs to the OWASP API Security Top 10 list and can pave the way to unauthorized access and manipulation of functionality within your API, compromising the overall integrity of your system. This occurs when applications lack adequate authorization checks focused on specific functions or features. This weakness enables attackers to manipulate calls to endpoints to which they shouldn't have access, potentially escalating access to functions re ..read more

SQL, or in full, Structured Query Language, are sets of instructions (queries) that developers can use to interact with databases. Databases can be SQL or NoSQL, and the latter may or may not support SQL-like queries. Examples of SQL databases include MySQL, Oracle, PostgreSQL, and Microsoft SQL Server.  SQL queries for reading or manipulating data look very similar to plain English. For example, the query SELECT * FROM users means, SQL should fetch data from the users table. The symbol * in the query means select all columns.  SQL is a very powerful tool for developers and database ..read more

Selecting the right API discovery tools plays a huge role in API integration, API management, and many other areas where understanding your entire API portfolio is critical. These tools can help ensure that every API connected to your organization is discovered and cataloged, which is a major part of ensuring that APIs are secure. Without understanding every aspect of your organization's APIs, it's hard to keep them compliant, secure, and well-utilized. This guide will examine how API discovery can streamline many parts of your workflow. We will demystify and compare the top API discovery tool ..read more

As application security (AppSec) professionals, we understand the constant struggle to secure our ever-expanding digital landscapes. APIs often become blind spots, creating sleepless nights and doubts in our attack surface coverage.  But there is a solution— adopting a continuous API discovery process. One that doesn’t involve manually tracking down API endpoints.  Owning Your API Attack Surface Imagine a world where: Security Audits Become a Breeze: No more scrambling to identify in-scope APIs. A comprehensive inventory streamlines security assessments. Developers Get What They ..read more

DENVER, May 6, 2024 -- StackHawk, the company making application security testing part of software delivery, today announced that the company was named winner of ‘Most Innovative API Security’ in the 12th Annual Global Infosec Awards at RSA 2024. These prestigious global awards, by Cyber Defense Magazine, recognize innovators with compelling value propositions for their products in competitive infosecurity industries. Built for modern engineering teams, StackHawk has reimagined API security testing by empowering developers to find and fix security vulnerabilities during their traditional build ..read more

CSRF, or cross-site request forgery, is one of the most notoriously difficult exploits to mitigate in the world of development. Not only are these attacks everywhere on the web, but their potential for damage is quite astounding. This is why it's so important for people to be aware of their presence and to know how to protect their systems.  The purpose of this article is to serve as a starting point for developers in general and Node.js engineers in particular for CSRF protection. We will briefly explain what cross-site request forgery is, list some examples of CSRF attacks that you migh ..read more

At StackHawk, we've helped countless customers find tremendous value in our API security testing capabilities. We are repeatedly chosen for our ability to comprehensively test APIs and seamlessly automate testing within their CI/CD pipelines. However, a recurring theme has emerged: customers are only uncovering a fraction of their total attack surface. Our internal analysis of code repositories reveals that many security teams are not testing and are potentially unaware of a significant portion of their APIs. The fast pace of software development makes it difficult for security to keep up, cre ..read more