API Security Articles

The Latest API Security News, Vulnerabilities & Best Practices

APISecurity.io is a community website for all things related to API security. Our daily news and weekly API Security newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

API Security Encyclopedia provides details on possible security issues in API contracts and how to remediate them, and our tools help you evaluate how secure the APIs you are working on actually are.


From the APISecurity.io Twitter

Data of 530 mln users scraped from Facebook and leaked: https://about.fb.com/news/2021/04/facts-on-news-reports-about-facebook-data/ Attackers used APIs behind Facebook's friend-finder to upload generated "phone books" and get user info. Even hidden 2FA phone numbers scraped. Some details in this thread:

"The State Of Application Security, 2021" report by @sandycarielli et al / @forrester:
* app attacks are #1 attack vector
* APIs are a critical exposure point
* API security tools gain traction in SDLC / shift-left
Report: https://www.forrester.com/report/The+State+Of+Application+Security+2021/-/E-RES164041
Summary: https://resources.whitesourcesoftware.com/blog-whitesource/forresters-state-of-application-security-2021-key-takeaways

There's a new free online course from @mz_trojan / @curityio on Building an Identity Architecture for APIs. The course covers various API Integration Patterns for identity systems: token flows, proof-of-possession tokens, scopes, claims, enforcement, etc.
https://curity.io/resources/webinars/course-building-identity-architecture/

API Security weekly newsletter issue #128 is out. Main stories by @secureitmania, Muthu Prakash, @Hacker0x01, @vmware, Egor Dimitrenko, @ptsecurity_uk / @ptsecurity, @DSotnikov
https://apisecurity.io/issue-128-api-flaws-vmware-gitlab-url-parameters-ssrf-webinar-recent-breaches/

"Dissecting the Biggest API Breaches from Q1 2021" - a webinar by @DSotnikov next Thursday, April 15, 8 am PST. We will go through some of the Q1 API vulnerabilities, what went wrong, and the lessons learned / how these could have been prevented.
https://us02web.zoom.us/webinar/register/WN_KkwF6KbXRCWVLWVLn2BrKQ