Today, Wallarm is introducing API Leak Management, a new feature to proactively protect your secrets and avoid related security breaches.

In recent months, enterprise companies like CircleCI, Slack, and LastPass have seen an escalation in attacks involving leaked API keys and other API secrets. API keys and secrets often leak due to developers' mistakes, missing repository access controls, insecure use of public services, and data disclosure accidents by contractors, partners, and users.

There are three main scenarios for proactive API Leak Management:

• Detect leaks. Wallarm continuously scans public sources for API secrets leaks: public repositories, mobile apps, Pastebin, and many other ways.
• Revoke/block tokens. Once a leak is detected, Wallarm remediates risks related to those leaks by blocking requests with compromised tokens and tracking them across all your API landscapes. 
• Track secret usage. Wallarm tracks when leaked secrets/credentials are used.

Next step

• Read more details in API Leak Management blog post
• Get a complimentary API Leaks Assessment. Get a thorough understanding of your risk exposure due to leaked API keys and other secrets by getting a free API leaks assessment. Register now.

We’ve improved the endpoint risk score feature in the Wallarm API Discovery module. Now you can set the rules for calculating the score for yourself. You can include and exclude risk factors from the calculation, change their weights and change the calculation formula.

The Wallarm security research team has created default calculation rules based on our extensive experience in Cyber Security. You can now modify these calculations based on your specific needs. For example, you can add more weight to the presence of sensitive data or open vulnerabilities.

See our documentation for more details.

To make sure that your Wallarm security service works as you expect, you need to be aware of changes in its settings. In addition to the Activity log, it's a good practice to receive notifications of critical changes made by your team to keep everyone in the loop.

Wallarm can send you notifications about important changes in your settings, such as:

• granting user account administrator rights
• removing an important security rule
• changing a BOLA or Brute Force trigger

Notifications are sent to any service convenient for you, for example, Slack, Splunk or Datadog.

See the Wallarm documentation for more details.

Recently, Team82 introduced the technique for bypassing Web Application Firewalls (WAFs) by using JSON syntax in SQL injections (SQLi). This technique takes advantage of the fact that major SQL databases support JSON functions and operators, but WAFs do not inspect SQLi for JSON syntax.

We have tested this attack technique on the Wallarm solution and confirmed that our deep request inspection capability with support for JSON formats reliably mitigates advanced SQLi that use JSON syntax.

At Wallarm, we take the security of your infrastructure seriously, providing strong protection against modern threats.

Broken Object Level Authorization (BOLA), also known as Insecure Direct Object References (IDOR), is number one in OWASP API Security Top 10 list. Facebook, Verizon, T-Mobile, Microsoft, and Google are among the companies which have been breached via this vulnerability.

When an application includes an BOLA / IDOR vulnerability, it has a strong probability of exposing sensitive information or data to attackers. All the attackers need to do is exchange the ID of their own resource in the API call with an ID of a resource belonging to another user. Thus, every API endpoint that receives an ID of an object and performs any type of action on the object can be an attack target.

In order to protect your application from BOLA, you need to know all endpoints which can be the target of this vulnerability. This is where Wallarm API Discovery comes in. This module analyzes the structure of your application and finds endpoints in which the object ID is passed. Wallarm automatically creates a trigger to protect endpoints which are most likely to be victims of a BOLA attack. The trigger monitors the number of requests to a specified endpoint and creates a BOLA attack event when trigger thresholds are exceeded.

The trigger for protection from BOLA requires Wallarm Node version 4.2 and higher.

See the Wallarm documentation for more details.

Your API inventory may contain thousands of endpoints. Some may handle sensitive data, and others may become targets of attack. In addition, your endpoints may have open vulnerabilities with different threat levels. And of course your API inventory is constantly and rapidly changing - new endpoints are added, existing endpoints are changed or removed. With such large amounts of data to assess, it can be difficult to focus on the endpoints issues that have the most significant impact your security posture. 

To keep your applications safe, the Wallarm API Discovery provides the following data:

Which of your endpoints are attacked the most
The Wallarm API Discovery module displays the number of malicious requests (hits) executed against your endpoints on a per-endpoint basis. You can triage your endpoints by filtering and sorting the list to find those that have been attacked the most.
 
Stay on top of your riskiest endpoints
The Wallarm API Discovery module automatically calculates a risk score from 1 (low risk) to 10 (high risk) for each endpoint in your API inventory. The risk score criteria includes: the presence of sensitive data, the number of parameters passed to the endpoint, etc. This score enables you to understand which endpoints are most likely to be an attack target and therefore should be the focus of your security efforts. For example, an endpoint that handles sensitive data and can be the target of a BOLA attack would have a higher risk score than an endpoint that simply passed an JSON object with several parameters.

You can find more detailed information about these features in our documentation.

We are pleased to announce the release of Wallarm node 4.4

Here is a list of the main features which will be available when you upgrade to the latest Wallarm node version:

Checking JSON Web Token strength

JSON Web Token (JWT) is one of the most popular authentication methods. Unfortunately, JWTs may contain many weaknesses which might be missed or forgotten about during development. Any of these will allow attackers access to your application, for example, with administrator rights.

Wallarm node now detects weaknesses in JWTs and records the corresponding vulnerabilities when:

• JWT is not signed
• JWT is signed using a compromised key

Libdetection library enabled by default

Wallarm introduced a fully grammar-based attack detection library libdetection a few years back and since then commited to improve and enhance it. First introduced as a feature for the power-users, it's then became available for everyone.

Starting node 4.4 it's by default enabled for all the customers. This is a major improvement as our core thing of getting the most accurate attack detection, with near-zero false positives. Focus on what matters, don't waste time on the tuning - we back you up.

Supported installation options

• Added support for Ubuntu 22.04 LTS (jammy)
• Dropped support for Debian 10.x (buster) for Wallarm to be installed as the module for either NGINX stable or NGINX Plus

More
Wallarm node 4.4 incorporates dozens of other improvements. A more detailed changelog and instructions on safe upgrade from previous versions are published in the official documentation.

If you have any questions, feel free to contact our support team at support@wallarm.com.

Thousands of companies – from startups to Fortune 500 enterprises – use Kong API Gateway. With blazingly fast performance, it comes with a perfect feature set for everyone who manages microservices, APIs or serverless stacks. APIs need protection against modern attacks, like Injections, BOLA and others from the OWASP API Security Top-10.

Wallarm provides a native integration with Kong Ingress Controller 3.0 for both the Kong Open-Source (CE) and Enterprise (EE) editions. Following the instructions in the documentation, you can protect your APIs with Wallarm in just a few minutes.

You can find more detailed information about this integration in our website and documentation.

Wallarm now offers extended integration with Splunk via a native Splunk application! The Wallarm API Security application for Splunk helps to organize the events logged by Wallarm into the ready-to-use dashboard. 

Wallarm makes it a priority to provide native integrations with specialized tools used by DevOps and SecOps teams. This integration with Splunk furthers that prerogative. 

 Integrating Wallarm and Splunk enables you to:

• Get and analyze data on malicious traffic against your applications and APIs
• Analyze vulnerabilities found in applications
• Receive alerts and events generated by the Wallarm triggers
• Receive alerts about Wallarm service events, such as a new account added to Wallarm personal account, changing integration settings with a third-party service, etc.

With the Wallarm API Security application for Splunk application available from the official Splunk applications library, you can make event analyzing seamless.

You can find more detailed information about the Wallarm API Security application for Splunk in our documentation.

Sometimes you may need to combine Wallarm findings with data from other services (e.g., your application logs) for in-depth analysis and investigation of attacks, incidents, and vulnerabilities. Or you may want to get a list of indicators of compromise (IOCs) from detected attacks and incidents, such as attacker IP addresses, detected malicious payloads, and so on. These IOCs are necessary to conduct in-depth security incident investigations.

For these and other similar scenarios, you can get a CSV formatted report with attack, incident, and vulnerability events. Just perform a search query for the events you need and request a report with them in the CSV format. The generated report will be sent to your email address.

See the Wallarm documentation for more details.