Issue 277: Hacking WAFs, AI benefits and risks, AI-ready with OpenAPI, Developers exposed

This week, we cover the promise and pitfalls of using AI for API security, along with newly discovered vulnerabilities in Web Application Firewalls and emerging Vibe Coding platforms. We explore strategies for building APIs optimized for AI integration, and highlight a critical vulnerability in a popular API development framework that developers should be aware of. […]

Issue 276: API discovery hype, BOLA at McDonald’s, Cisco APIs exploited, input validation best practices

This week, we’re sharing two articles focused on input validation best practices, exploring how weak validation can leave APIs exposed. We also take a closer look at some recent claims about API discovery that risk distracting from real security issues, plus a review of recent API security incidents reported at McDonald’s and Cisco. Article: How […]

Issue 275: API hackers strike gold, Malicious API drift at CoinMarketCap, Survey reveals major API security gaps

This week, our theme is “how secure is your API security?”. We highlight two recent attacks targeting major financial platforms, along with a new industry survey that exposes significant gaps in API security practices. We also explore technical deep-dives into vulnerabilities such as JWT flaws and host header injection attacks. Plus, we share details on […]

Issue 274: Authorization nightmares, API security case studies, 23andMe fined £2.3M, OAuth for Cloud Native APIs

This week, the theme is API authorization gone wrong. Guest contributor Rob Spectre kicks off a new interview series exploring real-world authorization failures. We also dive into case studies with key lessons for API security teams, including a look at the missteps that led to a £2.3M fine for 23andMe, and data exposure from the […]

Issue 273: Dangers from AI Hype, Top OWASP Threats in Action, Emerging MCP Risks

This week, we dive into an unusual case of humans spoofing AI. We also examine three real-world API incidents of OWASP API Security Top 10 vulnerabilities. Plus, we share insights from a new industry report on rising API attack trends and explore how GitHub’s MCP vulnerability may signal a new set of authorization challenges to […]

Issue 272: Volkswagen API hacked, API flaws in Instagram & TikTok, ELi attacks, Radware & Cisco API vulnerabilities

This week, we’re sharing five API vulnerability incidents that provide valuable insights into how APIs are commonly hacked and how to prevent these same vulnerabilities in your APIs. These incidents include the exposure of vehicle owner data from Volkswagen’s mobile app, enumeration vulnerabilities in Instagram and TikTok APIs, an in-depth look at expression language injection […]

Issue 271: API breaches surge in APAC, ‘Raw’ dating app exposes users, API credential missteps & API sprawl

This week, we look at a sharp rise in API security incidents across Asia-Pacific, and a critical API vulnerability in the dating app Raw. We also explore two credential-related incidents: one involving leaked OAuth credentials, and another highlighting the risks from long-lived API keys. Finally, a deep dive into the growing problem of API sprawl […]

Issue 270: AI double agents, securing API access, OpenAPI-driven MCP, APIs expose 33,000 employees

This week, the theme is AI, with articles on securing APIs against agentic misuse and preventing unintended behaviors. We cover two critical vulnerabilities in AI platforms Langflow and Dify, both caused by API security flaws, and highlight a major data leak due to unauthenticated internal APIs. Finally, we look at an engaging conversation around using […]

Issue 263: Trellix & Aviatrix API exploits, API risks in education, API configuration bugs & secure coding practices

This week, we have an interesting article on the dangers of API integrations in the education sector, and we cover recent incidents involving API vulnerabilities in two popular security platforms from Trellix and Aviatrix. We highlight a recent article by NordicAPIs on API misconfiguration vulnerabilities, and we share a useful list of recommended coding practices […]

Issue 262: API incidents in Invoice Ninja, McDonald’s & Truecaller apps, JetBrains survey, Postman data leaks

This week, we examine three recent API security incidents, uncovering valuable lessons to help you protect your APIs. We also highlight key insights from JetBrains’ comprehensive developer survey, and explore an article on how teams inadvertently leak API keys and tokens through their Postman workspaces and what you can do about it. Breach: Black-listing fails […]

Issue 254: WhatsApp and IBM WebMethods vulnerabilities, 3rd-party API and LLM risks, API access controls

This week, we investigate a recent flaw in WhatsApp’s View Once privacy feature and also critical vulnerabilities reported in the IBM WebMethods integration platform. We highlight a NordicAPIs article on the risks from third-party API and LLMs, and an article on solving the challenges of fine-grained access control for APIs. There’s also an interesting webinar […]

Issue 246: Critical flaw in API portal, securing GraphQL, building bulletproof APIs

This week, we have news of a critical flaw with a popular API portal. We also have guides on securing GraphQL APIs and building bulletproof APIs and news of a new deliberately vulnerable API application. We also have an article on why fraud detection and API security must converge. Dana Epp wraps things up with […]