Wallarm updates

Discover the latest features, improvements, and updates in Wallarm API Security

ANNOUNCEMENT
2 years ago

Introducing Wallarm Node 4.6: Now with Built-in Rate Limiting

We're excited to announce that Wallarm node 4.6 is now available!

The headline feature of this release is API Rate Limiting. Without it, an attacker can push high volumes of requests at an API and cause a denial of service (DoS) or overload the backend so that legitimate users suffer. Missing rate limiting therefore degrades the user experience and exposes both API consumers and the API infrastructure to risk.

The usual way to limit requests to an API is by source IP address. That approach misclassifies legitimate users as malicious whenever many of them share an address. Consider a SaaS application that exposes an API to its customers, each with a unique API key. To keep consumption fair and prevent misuse you decide to rate limit, but an IP-based limit does not work here: several customers may sit behind the same corporate firewall or VPN egress, so one customer's burst would throttle the others.

With Wallarm's API Rate Limiting, security teams can manage the service's load without those false positives, keeping the service available for real users while retaining control over bad bots and other abusive clients.

Rate limit rules can be keyed on any request parameter, including JSON fields, base64-encoded data, cookies, XML fields and more, and combined with session settings so that a rule applies only to specific requests.

You can also tune the rate, burst, delay and response code of each rule. Configuration is done in the Wallarm Console.
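As an added example (not Wallarm code; Wallarm's own rules are configured in the Console and their implementation is not shown on this page), the block below is a token-bucket limiter keyed on the caller's API key instead of the source IP, which is the point of the scenario above: two tenants behind one NAT or VPN address must not throttle each other. The request dictionary shape, the `X-Api-Key` header, the `api_key` JSON field, the base64-encoded `auth` cookie and the sample requests are all assumptions constructed for the demo.

```python
"""Token-bucket rate limiting keyed on the caller's API key rather than on the IP.

Added example, not Wallarm code. The request shape, header and field names and
the sample requests are assumptions constructed for the demo.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Bucket:
    tokens: float   # requests currently available to this key
    last: float     # timestamp of the last refill


@dataclass
class RateLimiter:
    rate: float                 # sustained requests/second refilled into the bucket
    burst: int                  # bucket capacity: how many requests may arrive at once
    block_status: int = 429     # response code sent when the bucket is empty
    buckets: Dict[str, Bucket] = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(self.burst), last=now)
        # Refill in proportion to elapsed time, never above the burst size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def extract_api_key(request: dict) -> Optional[str]:
    """Limit key, in order of preference: X-Api-Key header, `api_key` in a JSON
    body, `api_key` inside a base64-encoded JSON `auth` cookie. None if absent."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if "x-api-key" in headers:
        return headers["x-api-key"]
    body = request.get("body")
    if body:
        try:
            key = json.loads(body).get("api_key")
            if key:
                return key
        except (ValueError, AttributeError):
            pass                          # not JSON, or JSON that is not an object
    cookie = request.get("cookies", {}).get("auth")
    if cookie:
        try:
            return json.loads(base64.b64decode(cookie, validate=True)).get("api_key")
        except (ValueError, AttributeError):
            return None
    return None


def handle(limiter: RateLimiter, request: dict, now: float) -> int:
    """Status the proxy would return: 200 if allowed, limiter.block_status if the
    caller's bucket is empty, 401 if the request carries no key at all."""
    key = extract_api_key(request)
    if key is None:
        return 401                        # keyless traffic needs its own (stricter) policy
    return 200 if limiter.allow(key, now) else limiter.block_status


def simulate() -> dict:
    """Two tenants share 203.0.113.7: tenant A bursts past its limit, tenant B is
    untouched because the limiter never looks at the source address."""
    lim = RateLimiter(rate=2.0, burst=5)
    a = {"ip": "203.0.113.7", "headers": {"X-Api-Key": "tenant-A"}}
    b = {"ip": "203.0.113.7",
         "cookies": {"auth": base64.b64encode(b'{"api_key":"tenant-B"}').decode()}}
    t0 = 1000.0
    a_statuses = [handle(lim, a, t0) for _ in range(8)]   # 5 x 200, then 3 x 429
    b_status = handle(lim, b, t0)                          # 200: B's bucket is full
    a_later = handle(lim, a, t0 + 1.0)                     # 200: 2 tokens refilled in 1 s
    return {"a": a_statuses, "b": b_status, "a_later": a_later}
```

The `rate`, `burst` and `block_status` fields map onto the rate, burst and response-code knobs mentioned above; a delay-instead-of-reject policy would queue the request until `tokens` reaches 1 rather than returning `block_status`. Keep the keyless (401) path separate: unauthenticated traffic still needs an IP- or fingerprint-based limit, otherwise an attacker simply omits the key.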

Note that as of version 4.6, Wallarm nodes can only be registered in the Wallarm Cloud with a token; registration with user credentials is no longer supported. If you deployed nodes using user credentials, generate a token and use it to register them. Instructions for generating a token are in the documentation.

A more detailed changelog and instructions on upgrade are published in the official documentation.

If you have any questions, contact our support team at support@wallarm.com.

Wallarm team
IMPROVEMENT
2 years ago

Streamline Your API Security Operations with Wallarm's Azure Sentinel Integration

Wallarm is pleased to announce a native integration of Wallarm End-to-End API Security with Microsoft Azure Sentinel. Azure Sentinel is Microsoft's cloud-native SIEM and SOAR service: it collects large volumes of data from users, cloud services and endpoints to help security teams detect, investigate and respond to threats with the help of AI and ML. The integration delivers real-time reporting on detected malicious requests, vulnerabilities, changes in security settings and other important events, so security teams can respond promptly and effectively.

By bringing all Wallarm events into Azure Sentinel alongside the rest of their telemetry, security teams get a single view of their API landscape and can detect, investigate and respond to threats proactively, reducing the risk of data breaches and other security incidents.

You can find more detailed information on this integration in our documentation.

Wallarm team
API Security, IMPROVEMENT
2 years ago

Introducing the Wallarm API Discovery Dashboard

We are thrilled to announce the release of the new API Discovery Dashboard. With this update, you can now more easily monitor sensitive data, track API changes, and identify risky endpoints.

Key new features of the API Discovery Dashboard to materially reduce your risk exposure include:

  • Monitoring Sensitive Data. Get more in-depth insights into what kinds and how much sensitive data are sent in requests to applications and if there are any extra data that shouldn't be there.
  • Tracking API Changes. Get better visibility into any unexpected or undocumented changes in your APIs across your entire portfolio.
  • Identifying Risk Endpoints. Get a greater understanding of your API attack surface with customizable risk scoring to bring the most risky and most attacked endpoints to your immediate attention.

The API Discovery module offers many other capabilities that improve your API security. For instance, security analysts and DevSecOps engineers can receive notifications in Slack, SIEMs, SOARs and similar tools about changes in their APIs, so they stay up to date and can act right away.

We are sure that the new API Discovery Dashboard and other important capabilities in the API Discovery module make it easier for you to monitor and secure your APIs.

You can find more information about these capabilities in our documentation.

Wallarm team
IMPROVEMENT
2 years ago

SSRF Mitigation for Mission-Critical APIs in the Latest Wallarm Update

Wallarm End-to-End API Security has taken another step toward reducing organizational risk by improving its Server-Side Request Forgery (SSRF) mitigation. SSRF attacks have been on the rise, and staying ahead of them is essential to protect valuable assets.

In an SSRF attack, the attacker makes a server issue requests of the attacker's choosing, typically to internal resources the attacker cannot reach directly. The result can be disclosure of sensitive information (cloud metadata credentials, internal admin interfaces) and, chained with other flaws, remote code execution and full compromise of the system. Listed in the OWASP Top 10 2021 as A10:2021, SSRF turns a trusted server into a pivot that bypasses network controls which would block the same request from outside, which makes it difficult to detect and prevent.

SSRF has been a growing concern for businesses globally, with over 100,000 businesses impacted since November 2022. Well-known products affected by SSRF include Azure services, Atlassian Confluence and Jira, and Microsoft Exchange. In the Azure case, researchers found SSRF vulnerabilities in several services that exposed internal endpoints and sensitive data. In the Exchange case, the ProxyNotShell zero-days chained an SSRF (CVE-2022-41040) with a remote code execution flaw (CVE-2022-41082) to reach internal components.

Wallarm has improved its SSRF mitigation through a detailed analysis of the most widespread SSRF vulnerabilities and attack patterns. The improvements include enhanced validation of user-supplied URLs and attribution of SSRF attacks to specific vulnerabilities. By raising the bar against SSRF, Wallarm helps businesses keep their customers' trust and avoid financial, reputational and regulatory harm.

To take advantage of our improved SSRF mitigation capabilities, upgrade to the latest version of Wallarm Node (version 4.4.3 or higher). For more information, see the Wallarm documentation.
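The post mentions "enhanced validation of user-supplied URLs" without saying what is validated. As an added example (not Wallarm code and not a description of how Wallarm's node does it), the block below shows the checks an application should make itself before fetching a URL on a user's behalf: scheme and port allow-lists, no userinfo, DNS names only, and a check of every resolved address against internal, loopback, link-local and shared ranges. DNS resolution is injected as a function so the block runs offline; the hostname table, the hostnames in it and the public addresses used as stand-ins are all constructed for the demo.

```python
"""Allow-list validation of user-supplied URLs as an application-side SSRF control.

Added example, not Wallarm code. The resolver table and its addresses are
constructed stand-ins for the demo.
"""
import ipaddress
import re
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def is_blocked_address(text: str) -> bool:
    """True for any address a server must never fetch on a user's behalf."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                  # ::ffff:127.0.0.1 -> 127.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or addr in ipaddress.ip_network("100.64.0.0/10"))   # RFC 6598 shared space


def validate_url(url: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Validate a user-supplied URL; return the resolved addresses the fetcher must
    pin its connection to. Raises ValueError with the reason otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")          # file://, gopher://, dict:// ...
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")        # http://api.example.com@169.254.169.254/
    host = (parts.hostname or "").lower()
    # Only DNS names are accepted. A numeric top-level label rejects every IP
    # literal spelling (127.0.0.1, 2130706433, 0177.0.0.1); the regex rejects [::1].
    if not _HOSTNAME.match(host) or host.rsplit(".", 1)[-1].isdigit():
        raise ValueError("host must be a DNS name")
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    addrs = resolve(host)
    if not addrs:
        raise ValueError("host does not resolve")
    # Every A/AAAA record is checked: a name that mixes a public and an internal
    # address (split-horizon or rebinding tricks) is rejected outright.
    for a in addrs:
        if is_blocked_address(a):
            raise ValueError(f"host resolves to blocked address {a}")
    return addrs


# Constructed resolver table. Documentation ranges such as 192.0.2.0/24 are
# flagged non-global by `ipaddress`, so real public addresses stand in here.
DEMO_DNS = {
    "api.example.com": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["8.8.4.4", "10.0.0.5"],
    "v6-loop.attacker.example": ["::ffff:127.0.0.1"],
}


def demo_resolve(host: str) -> List[str]:
    return DEMO_DNS.get(host, [])


def check(url: str) -> str:
    """'ok' or the rejection reason, for quick inspection."""
    try:
        validate_url(url, demo_resolve)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Two caveats a validator alone does not cover: the fetcher must connect to the address `validate_url` returned rather than resolving the name a second time (otherwise a short-TTL record can change between check and use), and every redirect target must go through the same validation, since a public host that 302s to an internal address is the oldest SSRF trick there is.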

Wallarm team
ANNOUNCEMENT
2 years ago

Introducing Proactive API Leak Management

Today, Wallarm is introducing API Leak Management, a new feature to proactively protect your secrets and avoid related security breaches.

In recent months, enterprise companies like CircleCI, Slack, and LastPass have seen an escalation in attacks involving leaked API keys and other API secrets. API keys and secrets often leak due to developers' mistakes, missing repository access controls, insecure use of public services, and data disclosure accidents by contractors, partners, and users.

There are three main scenarios for proactive API Leak Management:

  • Detect leaks. Wallarm continuously scans public sources for leaked API secrets: public repositories, mobile apps, Pastebin and other sources.
  • Revoke/block tokens. Once a leak is detected, Wallarm remediates risks related to those leaks by blocking requests with compromised tokens and tracking them across all your API landscapes. 
  • Track secret usage. Wallarm tracks when leaked secrets/credentials are used.

Next steps

  • Read more details in API Leak Management blog post
  • Get a complimentary API Leaks Assessment. Get a thorough understanding of your risk exposure due to leaked API keys and other secrets by getting a free API leaks assessment. Register now.
Wallarm team
IMPROVEMENT
2 years ago

Customization of endpoint risk score calculation

We have improved the endpoint risk score feature in the Wallarm API Discovery module. You can now define the calculation rules yourself: include or exclude risk factors, change their weights, and change the calculation formula.

The Wallarm security research team has created default calculation rules based on our extensive experience in cyber security. You can now modify these rules to fit your specific needs, for example by giving more weight to the presence of sensitive data or open vulnerabilities.

See our documentation for more details.

Wallarm team
IMPROVEMENT
2 years ago

Be aware of changes in your security settings

To make sure that your Wallarm security service works as you expect, you need to know when its settings change. In addition to the Activity log, it is good practice to be notified of critical changes made by your team so that everyone stays in the loop.

Wallarm can send you notifications about important changes in your settings, such as:

  • granting user account administrator rights
  • removing an important security rule
  • changing a BOLA or Brute Force trigger

Notifications are sent to any service convenient for you, for example, Slack, Splunk or Datadog.

See the Wallarm documentation for more details.

Wallarm team
ANNOUNCEMENT
2 years ago

Handling JSON-based SQL injections introduced by Team82

Team82 recently published a technique for bypassing Web Application Firewalls (WAFs) by using JSON syntax in SQL injection (SQLi) payloads. It takes advantage of the fact that major SQL databases support JSON functions and operators (for example JSON_EXTRACT in MySQL or the @> containment operator in PostgreSQL), while many WAF signature sets did not recognise JSON syntax as part of a SQL expression and therefore let such payloads through.

We have tested this attack technique against the Wallarm solution and confirmed that our deep request inspection, which parses JSON syntax, reliably mitigates advanced SQLi that uses JSON syntax.
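The block below is an added example, not Wallarm code and not Team82's published payloads. It makes the bypass concrete: a signature list that knows classic tautologies but not JSON functions lets a JSON-based payload through, a JSON-aware signature closes that gap, and a parameterized query stops the injection regardless of what the WAF sees. SQLite (bundled with Python, with JSON functions in current builds) stands in for the database; the table, rows, signature patterns and payloads are constructed for the demo.

```python
"""JSON syntax in SQL injection payloads versus signature-only inspection.

Added example, not Wallarm code. SQLite stands in for the database; table,
rows, signatures and payloads are constructed for the demo.
"""
import re
import sqlite3
from typing import List, Tuple

# Classic WAF signatures: boolean tautologies, UNION SELECT, time-based probes.
CLASSIC_SIGNATURES = [
    r"(?i)\bor\b\s*['\"]?\d+['\"]?\s*=\s*['\"]?\d+",   # OR 1=1, OR '1'='1'
    r"(?i)\bunion\b\s+(all\s+)?select\b",
    r"(?i)\b(sleep|benchmark|pg_sleep|waitfor)\b",
]
# Team82-style coverage: JSON functions and operators that yield a truthy value.
JSON_SIGNATURES = [
    r"(?i)\bjson_(extract|valid|type|array|object|contains|quote|modify)\s*\(",  # SQLite/MySQL/MSSQL
    r"->>?\s*['\"$]",                                  # MySQL/PostgreSQL -> and ->> on a path
    r"@>|<@|\?\||\?&",                                 # PostgreSQL jsonb containment/existence
]


def flagged(payload: str, signatures: List[str]) -> bool:
    """Does any signature match the raw parameter value?"""
    return any(re.search(s, payload) for s in signatures)


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cr3t-a"), (2, "bob", "s3cr3t-b")])
    return conn


def lookup_vulnerable(name: str) -> List[Tuple[str]]:
    """String-built query: whatever the WAF lets through reaches the SQL engine."""
    return _db().execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(name: str) -> List[Tuple[str]]:
    """Parameterized query: the same payload is just a name nobody has."""
    return _db().execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


CLASSIC_PAYLOAD = "x' OR '1'='1"
# json_valid('{}') evaluates to 1 in SQLite; the same idea works with
# JSON_EXTRACT in MySQL or '{}'::jsonb @> '{}' in PostgreSQL.
JSON_PAYLOAD = "x' OR json_valid('{}') OR 'a'='b"


def demo() -> dict:
    return {
        "classic_caught_by_classic": flagged(CLASSIC_PAYLOAD, CLASSIC_SIGNATURES),
        "json_caught_by_classic": flagged(JSON_PAYLOAD, CLASSIC_SIGNATURES),
        "json_caught_by_json_aware": flagged(JSON_PAYLOAD, CLASSIC_SIGNATURES + JSON_SIGNATURES),
        "rows_leaked_vulnerable": len(lookup_vulnerable(JSON_PAYLOAD)),
        "rows_leaked_safe": len(lookup_safe(JSON_PAYLOAD)),
    }
```

The signature lists are illustrative: adding JSON patterns to a blocklist is a patch for one bypass, and operators such as `->` will also match harmless text. The durable defences are inspection that actually parses the SQL grammar the database accepts, and parameterized queries in the application so that a missed signature costs nothing.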

At Wallarm, we take the security of your infrastructure seriously, providing strong protection against modern threats.

Wallarm team
API Security
2 years ago

Automatic protection from BOLA attacks

Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR), is number one in the OWASP API Security Top 10. Facebook, Verizon, T-Mobile, Microsoft and Google are among the companies that have been breached via this class of vulnerability.

An application with a BOLA / IDOR vulnerability has a high probability of exposing sensitive data to attackers. All the attacker needs to do is replace the ID of their own resource in the API call with the ID of a resource belonging to another user. Every API endpoint that receives an object ID and performs any action on that object is therefore a potential target.

To protect your application from BOLA, you first need to know every endpoint that can be targeted. This is where Wallarm API Discovery comes in: the module analyzes the structure of your application and finds the endpoints in which an object ID is passed. Wallarm automatically creates a trigger to protect the endpoints most likely to be targeted by a BOLA attack. The trigger monitors the number of requests to the endpoint and creates a BOLA attack event when its thresholds are exceeded.

The trigger for protection from BOLA requires Wallarm Node version 4.2 and higher.
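As an added example (not Wallarm's trigger implementation, which the post does not detail), the block below shows the shape of such a detection run over access logs: it derives endpoint templates and picks out ID-bearing path segments, then raises an event when one session requests more distinct object IDs on the same endpoint than a threshold allows within a sliding window. The log format, the ID heuristics, the window and threshold values and the log lines themselves are assumptions constructed for the demo.

```python
"""Detecting BOLA/IDOR enumeration from API access logs.

Added example, not Wallarm's trigger. Log format, ID heuristics, thresholds
and the log lines are assumptions constructed for the demo.
"""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Path segments that look like object identifiers: integers, UUIDs, long hex handles.
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{16,})$", re.I)
_LINE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")


def template_and_ids(path: str) -> Tuple[str, Tuple[str, ...]]:
    """'/api/v1/users/1042/orders/77' -> ('/api/v1/users/{id}/orders/{id}', ('1042', '77'))."""
    segs, ids = [], []
    for seg in path.split("?", 1)[0].split("/"):
        if _ID_SEGMENT.match(seg):
            segs.append("{id}")
            ids.append(seg)
        else:
            segs.append(seg)
    return "/".join(segs), tuple(ids)


class BolaTrigger:
    """Sliding window per (session, endpoint template) over distinct object IDs."""

    def __init__(self, window_s: int = 60, max_distinct_ids: int = 10):
        self.window_s = window_s
        self.max_distinct_ids = max_distinct_ids
        self._seen: Dict[Tuple[str, str], Deque[Tuple[int, Tuple[str, ...]]]] = defaultdict(deque)
        self._last_alert: Dict[Tuple[str, str], int] = {}
        self.events: List[dict] = []

    def observe(self, ts: int, session: str, path: str) -> bool:
        """Feed one request; True if it raises a new BOLA event for this session."""
        endpoint, ids = template_and_ids(path)
        if not ids:
            return False                       # no object ID in the path: not a BOLA candidate
        key = (session, endpoint)
        q = self._seen[key]
        q.append((ts, ids))
        while q and q[0][0] < ts - self.window_s:
            q.popleft()                        # drop requests that left the window
        distinct = {i for _, i in q}
        if len(distinct) <= self.max_distinct_ids:
            return False
        last = self._last_alert.get(key)
        if last is not None and ts - last < self.window_s:
            return False                       # already alerted for this window
        self._last_alert[key] = ts
        self.events.append({"ts": ts, "session": session, "endpoint": endpoint,
                            "distinct_ids": len(distinct), "window_s": self.window_s})
        return True


def scan(log_lines: List[str], trigger: BolaTrigger) -> List[dict]:
    """Run every well-formed line through the trigger and return the events raised."""
    for line in log_lines:
        m = _LINE.match(line)
        if m:
            trigger.observe(int(m.group(1)), m.group(2), m.group(4))
    return trigger.events


# Constructed log, one request per line: "unix_ts session method path status".
DEMO_LOG = (
    # A regular user opens a few of their own orders over several minutes.
    [f"{1700000000 + i * 40} sess-alice GET /api/v1/orders/{500 + i} 200" for i in range(4)]
    # An attacker walks the order ID space sequentially, 15 IDs in 30 seconds.
    + [f"{1700000100 + i * 2} sess-mallory GET /api/v1/orders/{1000 + i} 200" for i in range(15)]
    # The same session hammers the collection endpoint, which has no ID: ignored.
    + [f"{1700000100 + i * 2} sess-mallory GET /api/v1/orders 200" for i in range(15)]
)


def demo() -> List[dict]:
    return scan(DEMO_LOG, BolaTrigger(window_s=60, max_distinct_ids=10))
```

Counting distinct IDs per session rather than raw requests is what separates enumeration from a busy but legitimate client reloading one object. The thresholds depend on the endpoint: a per-endpoint baseline (how many distinct IDs a normal session touches) is a better starting point than one global number, and the event is a signal to investigate or challenge, not proof of a vulnerability, since the real fix for BOLA is an ownership check in the handler.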

See the Wallarm documentation for more details.

Wallarm team
API Security, IMPROVEMENT
2 years ago

Stay on top of your riskiest endpoints with API Discovery

Your API inventory may contain thousands of endpoints. Some handle sensitive data, others are frequent targets of attack, and some carry open vulnerabilities of varying severity. On top of that, the inventory changes constantly and rapidly: new endpoints are added, existing ones are changed or removed. With that much to assess, it is hard to focus on the endpoint issues that have the greatest impact on your security posture.

To keep your applications safe, the Wallarm API Discovery provides the following data:

Which of your endpoints are attacked the most
The Wallarm API Discovery module displays the number of malicious requests (hits) executed against each endpoint. You can triage your endpoints by filtering and sorting the list to find those that have been attacked the most.

Stay on top of your riskiest endpoints
The Wallarm API Discovery module automatically calculates a risk score from 1 (low risk) to 10 (high risk) for each endpoint in your API inventory. The criteria include the presence of sensitive data, the number of parameters passed to the endpoint, and more. The score tells you which endpoints are most likely to be attack targets and therefore deserve the focus of your security efforts. For example, an endpoint that handles sensitive data and can be the target of a BOLA attack scores higher than an endpoint that simply accepts a JSON object with a few parameters.

You can find more detailed information about these features in our documentation.

Wallarm team