Salt Labs was created in 2021 to help the industry with tackling the increase in API threats. The research division of Salt Security focuses on not only finding API vulnerabilities, but also increasing awareness about API security and offering solutions to help mitigate such risks.
We hosted Michael Isbitski, Technical Evangelist at Salt Security, to learn more about Salt Labs, the changes in API security landscape, their latest report around GraphQL authorization flaws and commentary on NSA’s Kubernetes hardening guide.
We started to talk about security in the cloud-native world only recently. While there is awareness about security in the space, there is still a huge gap between the idea of security and actual implementation. “There’s definitely a lot more awareness around API security issues, but we are actually seeing a lot of the same mistakes, unfortunately,” says Isbitski.
GraphQL vulnerability is a good example of what he sees as a pattern now. “We saw those same things with GraphQL in a recent threat research report,” he says. Those mistakes tie back to authentication and authorization or are related to business logic and exposing too much data. Salt Labs have found that those mistakes are pretty common.
On that, Isbitski adds, “It’s not so much that we’re seeing injection-style attacks. Those are still pervasive, certainly in the application space with cross-site scripting or SQL injection.” Isbitski continues, “A lot of the API attacks much more frequently target the business logic or authentication and authorization mechanisms.”
With the latest NSA announcement, Salt Labs is helping by raising awareness with content and other types of materials. Isbitski explains, “We’ve created sets of best practices. We’ve created evaluation tools.” With Salt Labs, it’s also about continuously educating the public and businesses. To do this, Isbitski indicates that it’s about asking the right questions. What are the nuances? Why did this happen? What were the flaws? Do they map to the OWASP top 10, or was it something more? What are the potential business impacts?
As to the awareness of security practices, Isbitski believes part of the problem is that “there hasn’t been standardization on how componentry is reported. So there’s discussion around what an SBOM (Software Bill of Materials) should contain?” Isbitski continues, “There hasn’t been universal adoption around these things yet. I do think it’s going to come back because of the Cybersecurity Executive Order that the Biden administration put forth.” Of course, SBOMs can often point to problems with dependencies, which Isbitski concludes, “We’re on the right path, but there needs to be an expanded definition of, ‘What is a dependency?’.”
About Salt Labs: Salt Security protects the APIs that form the core of every modern application. Its API Protection Platform is the industry’s first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. Deployed in minutes, the Salt Security platform learns the granular behavior of a company’s APIs and requires no agents, no configuration, and no customization to pinpoint and block API attackers.
About Michael Isbitski: Michael Isbitski is a Technical Evangelist at Salt Security, helping to improve awareness and technical understanding in the area of API security. Prior to joining Salt Security, Michael was a Senior Director Analyst at Gartner for Technical Professionals (GTP) within the Security Technology and Infrastructure team. He researched and advised on a range of application security and infrastructure security topics including API security, security testing, secure design, secure SDLC, application protection, container security, Kubernetes security and secure continuous delivery. He has guided hundreds of organizations of all sizes globally in their security initiatives, across sectors and verticals. Additionally, Michael has over 20 years of hands-on practitioner and leadership experience in the fields of application security, vulnerability management, risk assessment, enterprise architecture, and systems engineering.
The summary of the show is written by Jack Wallen