FEDORA-2022-8c76e587f7
Packages in this update:
dokuwiki-20200729a-1.fc35
Update description:
Update to bugfix/security release 2022-07-29a. Includes security fix for CVE-2022-3123.
dokuwiki-20200729a-1.fc35
Update to bugfix/security release 2022-07-29a. Includes security fix for CVE-2022-3123.
python-lxml-4.9.1-1.fc38
Automatic update for python-lxml-4.9.1-1.fc38.
* Wed Sep 14 2022 Charalampos Stratakis <cstratak@redhat.com> – 4.9.1-1
– Update to 4.9.1
– Fix for CVE-2022-2309
– Resolves: rhbz#2107571, rhbz#2110131
dokuwiki-20200729a-1.fc36
Update to bugfix/security release 2022-07-29a. Includes security fix for CVE-2022-3123.
dokuwiki-20220731a-1.fc37
Update to new stable release, v2022-07-31a “Igor”. Includes security fix for CVE-2022-3123.
This blog was written by an independent guest blogger.
APIs have become a vital part of doing business. Organizations increasingly rely on the use of APIs for day-to-day workflows, particularly as cloud applications become something of a mainstay.
A recent report found that the average number of APIs per company increased by 221% in 2021. Not only are APIs impossible to ignore, but the need to invest in API security cannot be overlooked. The trend in usage is closely followed by opportunists seeking ways to exploit vulnerabilities for their gain.
To ensure adequate security, developers and organizations alike need to understand the risks and design their security strategy to mitigate them. Too often, security approaches are redesigned after a breach or hack occurs. By then, the damage has been done. Being proactive will save organizations time, money, and heartache.
As cybercriminals work tirelessly to develop new ways to steal data and harm organizations, the list of threats is seemingly endless. That should not be cause for despair, however. While it can feel overwhelming, IT departments and financial controllers should not let it stunt them into doing nothing.
In this article, we cover the most prominent threats to API security, and ways to employ tactics to protect users, data, and networks.
At a base level, software bugs are an easy point of exploitation for cybercriminals. Application errors will weaken API security, leaving your organization – and your valuable data – vulnerable to attackers.
It’s crucial to have a system in place to regularly check for software updates and patches. Patches function like a software update, plugging potential holes that cyberattackers may use to enter your network or systems.
Ensure you conduct regular vulnerability scans and perform security attacks on your implemented APIs. Of course, identifying these vulnerabilities is only the first step. Organizations must ensure they have a workflow in place to address weaknesses swiftly.
Another key API security risk is at exposed endpoints that relate to object identifiers. These can be seen as a welcome mat for attackers to enter the endpoints, leaving a wide attack area with access to objects and data.
To mitigate this risk, organizations must implement authorization checks at the object level. Checking every function that accesses a data source through input from users will help protect you from criminal activity. Consider using an API gateway, access tokens, object-level authorization checks, and implementing proper authorization credentials to stay protected.
Security misconfigurations are another common threat to API security. This risk is typically enabled through factors such as insecure default configs, misconfigured HTTP headers, unnecessary HTTP methods, or open cloud storage. It is crucial not to rely on default configurations and instead to configure APIs to fit your organization’s specific needs and requirements.
At times, developers leave object properties exposed, leaving it up to organizations to filter data before availing it to end users. While well intentioned, this unfortunately leaves a large amount of data exposed, luring cybercriminals to attack.
Ensure the data exposed through APIs is strictly limited to only the necessary, trusted users. Evaluate access control and ensure you’re deliberate with what is available, and to whom.
The threat of injections arises when a command or query prompts the relay of unverified or suspicious data. This type of attack can cause the execution of unintended commands or tricks the API into providing unauthorized access.
Injections are a major threat to API security and can prey upon third-party applications in the process. It’s crucial that APIs are designed to be impenetrable. Input validation should be designed to reject unwanted requests for access to data.
As the dependence on APIs rises, so too does the risk of attacks from cybercriminals. Organizations must understand the risks and implement security strategies to protect their users and data. Nothing short of constant vigilance will prove reliable for API security. Understanding where threats come from is the best way to proactively act against attackers.
The Center for European Policy Analysis (CEPA) recently published a 38-page study, Russian Cyberwarfare: Unpacking the Kremlin’s Capabilities by two esteemed researchers, Irina Borogan and Andrei Soldatov. The opening premise is that Russia has not demonstrated its cyber warfare adroitness in support of its invasion of Ukraine. Whether the Russians tried, and their efforts failed due to the capabilities of Ukraine’s cyber defenders or because leadership meddling disrupted the execution strategies of the professional cyber warriors, hasn’t yet been revealed. What is evident is that the Ukraine example has called into question the Russian playbook being technologically focused and suggests that the political quotient is much more in play than perhaps previously suggested.
Software supply chain attacks are on the rise, as cited in the Cloud Native Computing Foundation’s (CNCF’s) Catalog of Supply Chain Compromises. Industry leaders such as the Google, Linux Foundation, OpenSSF, and public sector organizations such as NIST have provide guidance on the topic over the past year or so.
The U.S. National Security Agency (NSA) alongside the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) now join that list with their publication Securing the Software Supply Chain: Recommended Practices Guide for Developers. The announcement of the publication emphasizes the role developers play in creating secure software and states the guide strives to help developers adopt government and industry recommendations on doing so. Subsequent releases from Enduring Security Framework (ESF) will focus on the supplier and the software consumer, given the unique role each plays in the broader software supply chain and its resilience.