Issue 3: TLS 1.3, securing JWT, US banks release a common API standard
The Shopify vulnerability happened (and was fixed) back in May 2018. This week, Arif Khan goes into the details of the vulnerability and the lessons that we can learn from it for microservices and API security in general. In a nutshell, microservices themselves and the underlying cloud platform expand the attack surface. It is no longer just the perimeter so you need API security, ideally on the microservice level, and to lock down the APIs and methods and data to the bare minimum that you really need.
One of the most popular content management systems (CMS) out there, Drupal, just released updates for versions 7.x and 8.x patching 5 vulnerabilities including 2 critical. Vulnerabilities allow remote code execution because some of the APIs did not include proper input string validation.
VestaCP, a popular open-source web hosting control panel, was hacked and used to launch DDoS attacks. Most likely the software was hacked because its installation script contained Base64-encoded (and thus unencrypted) admin credentials and server URL.
Major US banks and fintechs, including Wells Fargo, Bank of America, Charles Schwab, Capital One, Chase, Fidelity, and Experian, formed the Financial Data Exchange group to standardize the APIs for data exchange between banks, aggregators, and applications. They have already published their API at https://financialdataexchange.org/pages/dda.
Chrome 70 released this week includes the final version of the TLS 1.3 standard and the updated Web Authentication API that gives authentication with the TouchID on macOS and the fingerprint sensor on Android.
According to Gartner, by 2022 APIs will become the most common attack vector (access to the full report requires subscription or one-time purchase).
Technology deep dive
Seba Peyrott from Auth0 published a brilliant overview of the most common JWT attacks and the ways to mitigate them.
Fernando Serto from Akamai talks about (among many other fascinating things like protection against bots and distributed password hacking) how the transition from websites to mobile apps makes APIs the primary means of access, so the traditional web app security no longer helps. Instead, we need API-specific authentication, authorization, and analytics.