Issue 6: Steam API leaks keys, and why WAF does not help DevSecOps
An API vulnerability was found in the license generation API of Valve’s Steam gaming service and marketplace. Anyone who had registered at their partner portal for developers could call their /partnercdkeys/assignkeys/ with unexpected parameter values (for example, a random string as a partner name and 0 as the request count) and get thousands of keys in the response that they could use or resell.
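The failure mode described above (a partner name and request count taken at face value, with "unexpected" values handed thousands of keys) is easy to reproduce in a small handler. The following is an added, constructed example, not Steam's code: a permissive key-assignment function beside a hardened one that ties the partner to the authenticated session and bounds the count. All names, the key pool and the limit are assumptions.

```python
"""Constructed key-assignment handlers: a permissive version that leaks keys on
unexpected parameters, and a hardened version. Not Valve/Steam code."""

MAX_KEYS_PER_REQUEST = 100  # assumed per-request ceiling

# Constructed inventory: partner name -> unassigned keys that partner owns.
KEY_POOL = {
    "acme-games": [f"ACME-{i:04d}" for i in range(500)],
    "indie-studio": [f"INDI-{i:04d}" for i in range(300)],
}


class BadRequest(Exception):
    """Malformed or out-of-range parameters."""


class Forbidden(Exception):
    """Caller is not allowed to act for the named partner."""


def assign_keys_permissive(partner: str, count: int) -> list[str]:
    """Hypothetical weak handler. An unknown partner falls through to the whole
    pool and a count of 0 is treated as 'no limit', so odd inputs leak everything."""
    keys = KEY_POOL.get(partner) or [k for ks in KEY_POOL.values() for k in ks]
    return keys[:count] if count else keys


def assign_keys_hardened(session_partner: str, partner: str, count) -> list[str]:
    """Hardened handler: partner must match the authenticated session, count must
    be a genuine integer within bounds, and unknown partners are rejected."""
    if partner != session_partner:
        raise Forbidden(f"session is not authorized for partner {partner!r}")
    if isinstance(count, bool) or not isinstance(count, int):
        raise BadRequest("count must be an integer")
    if not 1 <= count <= MAX_KEYS_PER_REQUEST:
        raise BadRequest(f"count must be between 1 and {MAX_KEYS_PER_REQUEST}")
    keys = KEY_POOL.get(partner)
    if keys is None:
        raise BadRequest(f"unknown partner {partner!r}")
    # Removal of the assigned keys from the pool is omitted to keep this pure.
    return keys[:count]


def try_assign(handler, *args) -> tuple[str, object]:
    """Run a handler and report either the number of keys returned or why it refused."""
    try:
        return ("ok", len(handler(*args)))
    except (BadRequest, Forbidden) as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    print(try_assign(assign_keys_permissive, "not-a-partner", 0))
    print(try_assign(assign_keys_hardened, "acme-games", "not-a-partner", 0))
```

Run stand-alone it shows the permissive handler returning every key in the pool for a bogus partner and a zero count, while the hardened one refuses the same request.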
Our previous newsletter already covered the “Illustrated TLS” site by Michael Driscoll that provides step-by-step illustrations on how TLS 1.2 works. Now, he has launched a version of the site for TLS 1.3! The new version brings quite a few changes in the protocol, so go check it out.
A DevSecOps piece by KuppingerCole's Alexei Balaganski offers the following key takeaways on API security:
- The days of relying only on a web application firewall (WAF) are over; you need solutions built specifically for API security
- Microservices are containers + APIs
- Your security strategy must cover containers, APIs, microservices, and data
A Dark Reading article on API security by Ericka Chickowski puts APIs as an attack vector center stage:
- The trend of API breaches is accelerating
- Underprotected APIs [almost] got included in the OWASP Top 10 in 2017
- An estimated 2/3 of organizations are exposing APIs, yet 3/4 pay less attention to API security than to web security
An example of why surveys need to be taken with a pinch of salt: according to a recent survey by Ping Identity, if a company suffers a data breach, 78% of customers will stop interacting with it online and 36% will never use it at all. Can you imagine the actual business impact on sales and revenue for any large company if this were the real consumer behavior? Yet, if you look at the revenue and share valuation numbers of any of this year's high-profile breach cases, such as T-Mobile, Target, or British Airways, you can see that there has been no noticeable impact on these figures, and definitely not on the scale the survey results imply.