We are thrilled to introduce new enhancements to our API Abuse Prevention capabilities, offering users greater control and precision in managing bot activity.

Users can now assign separate actions and sensitivity levels to specific types of bots. By moving away from the previous one-size-fits-all approach, you gain the flexibility to apply blocking mode against different bot types independently with minimal impact on legitimate traffic. The new Sensitivity levels replace the outdated Tolerance parameter and allow for more precise control of anomaly detection.

Additionally, you can now more effectively manage the scope for behavioral analysis. This includes the option to build behavior profiles across the entire application or within individual domains. This feature is particularly beneficial for users with multiple domains within a single application or without pre-configured applications.

These enhancements enable better identification of automated threats and minimize the risk of false positives, leading to improved security outcomes. API Abuse Prevention is available as part of the Advanced API Security subscription. You can learn more info about Wallarm bot managing capabilities and configuration options in our documentation.

Today we'd like to announce a new version of our filtering node. Node 4.10.6 is designed to support new features, but also includes a number of performance updates. 

The key features include:

• Enhanced OpenAPI data type detection by the API Discovery module
• Improved memory utilisation in long-lived gRPC connections
• Added support for NGINX v1.26.0
• Fixed compatibility issues with the Kong Gateway
• Return proper non-zero exit codes during installation errors, addressing previous issues
• Ability to test regular expressions intended for user-defined attack detectors

Full details are included in our updated documentation. 

 We're excited to introduce our new API specification enforcement feature. This new capability allows users to upload and enforce API specifications with Wallarm.

Negative security models that define what to block with signatures and rules are important, but they operate on the principle of blocking known-bad events. Positive security models do the opposite by defining what’s allowed and blocking everything else. With the addition of API specification enforcement, Wallarm users now have the benefit of both models.
With API specification enforcement, security analysts can upload OpenAPI specifications to detect and block non-compliant API requests. This proactive approach, blocking anything that isn’t explicitly allowed, supports a shift left for API security in production. By connecting developers with production security through defined specifications, it minimizes the risk of costly breaches and downtime.

With the new API specification enforcement feature, Wallarm can detect violations such as:

• Requests sent to endpoints that are not specified in the API specification
• Unknown parameters in requests
• Missing required parameters in requests
• Invalid data types in parameters
• Requesting an endpoint with an incorrect authentication method

Stay secure, mitigate risks, and embrace a proactive security approach with Wallarm End-to-End API Security.

To use API specification enforcement, you must have an Advanced API Security subscription and update your Wallarm node to the latest version (4.10.4 or above). You can find more detailed information about this feature in our documentation.

We’re releasing a major improvement to our Advanced API Security solution: enhanced detection of GraphQL-specific attacks. This new Wallarm capability allows users to configure customized GraphQL security policies, limiting query complexity to prevent undue resource consumption or performance degradation. It also includes measures to limit excessive disclosure of information about the structure of your GraphQL APIs. This update ensures that security teams have complete control over their modern API estate and can swiftly respond to emerging threats.

To use GraphQL security policies, you must update your Wallarm node to the latest version (4.10.4 or above). You can find more detailed information about this feature in our documentation.

At Wallarm, we love customer feedback and based on that feedback we’ve made a few improvements to the details we show for API endpoints in the API Discovery interface. Wallarm’s API Discovery capability provides a complete inventory of your APIs and endpoints, along with security posture assessment and details about the supported parameters and headers seen in requests. We’ve enhanced the details displayed with the following improvements. 

Response Schema (requires node 4.10.2)

In deployments where Wallarm can collect responses, we now parse and display the parameters discovered in responses in addition to those discovered in the requests, giving you greater visibility into how your APIs and endpoints interact. 

Sensitive Data Detection in Responses (requires node 4.10.2)

We’re applying the same logic for identifying parameters that expose sensitive data to the response parameters as we do for the request parameters, expanding your ability to identify where sensitive data is used in your APIs.

Improved Display of Headers

For usability, we previously filtered out some headers from display. We’ve now updated the UI to separate headers and other parameters into collapsible lists so that we can easily display all the headers without compromising usability.

For more information about the details provided in API Discovery, see the documentation. 

We are excited to announce the release of the latest update to Wallarm Node, version 4.10.4, which is now available for installation.

This update includes several performance improvements that enhance your overall experience with our software.
Key updates in this version include:

• Added support for API Specification Enforcement (Coming Soon!)
• Added support for GraphQL API Protection (Coming Soon!)
• Added support for NGINX v1.25.4

Previous updates 4.10.3 and 4.10.2 introduced:

• Internal improvements for higher reliability and security, including better synchronization between the filtering node and Wallarm Cloud, and reducing overall node memory usage.

• Fixed vulnerabilities:

  • CVE-2021-43809
  • CVE-2023-48795

We have also upgraded 4.8.9 performance for Nginx Ingress reducing CPU resources consumption by half.

These changes reflect our ongoing commitment to quality and customer satisfaction.

For detailed information and instructions, please refer to our documentation.

We've updated the Wallam platform to support filtering for 282 additional known vulnerabilities in the Attacks section.

When Wallarm detects an attack, the platform attempts to identify whether the attack is attempting to exploit a known vulnerability (CVE) in a specific software component. The decision is made based on the request structure, malicious payload, parameter names, metadata, and more. The updates released in Q1 2024 included new attribution rules for 282 vulnerabilities (CVEs), the majority of which are notable, recent, or widely exploited vulnerabilities observed among all Wallarm traffic. 

Wallarm users are able to find exploitation attempts of a specific vulnerability by simply typing the CVE identifier in the “CVEs and Exploits” search field in the Attacks section of the Wallarm Console.

Searching for a specific vulnerability allows users to identify attacks on their infrastructure using recently published exploits. It may also be useful for conducting a retrospective analysis during the incident investigation process.

The following example demonstrates searching for exploitation of Auth Bypass in TeamCity (CVE-2024-27198).

As of this update, Wallarm users are currently able to search for 1505 vulnerabilities.

On Friday April 12, Palo Alto disclosed that some versions of PAN-OS are not only vulnerable to remote code execution, but that the vulnerability has been actively exploited to install backdoors on Palo Alto firewalls. A patch is expected to be available on April 14th.The advisory from Palo Alto is here. The CISA advisory is here. Palo Alto has marked this vulnerability as critical and NVD has scored it a 10.0 with CVSSv3. 

Wallarm currently detects attacks against this vulnerability with no additional configuration required. Wallarm will block these attacks as long as the filtering nodes are configured in blocking mode. Wallarm users who have protected their Palo Alto devices with Wallarm nodes can search for these attacks either by filtering for the CVE ID using the “CVEs and Exploits” filter or by filtering for their vulnerable Palo Alto devices and the attack type “RCE.” 

Customers can also search their Palo Alto logs for requests to /api with an XML body containing . 

In March, Wallarm issued a significant update of our detection rules for multiple attack types. The most impactful improvements were aimed at detection of Remote Code Execution, Local File Exclusion, Server Side Template Injections and Command Injection attacks.

In addition, new indicators of Out-of-Band (OOB/OAST) attack techniques were added to the product.

The update also included detection of the critical, widely-exploitable vulnerabilities listed below:

• Server-Side Request Forgery in NextJS
• Auth Bypass in TeamCity (CVE-2024-27198)
• Auth Bypass in TeamCity (CVE-2024-27199)
• Arbitrary File Read Vulnerability Leading to RCE in Jenkins (CVE-2024-23897)
• Authentication Bypass in Fortra GoAnywhere MFT (CVE-2024-0204)
• OS Command Injection in MajorDoMo  (CVE-2023-50917)
• Account Takeover via Password Reset in GitLab (CVE-2023-7028)
• Remote Code Execution in Apache OFBiz (CVE-2023-51467)
• Adobe ColdFusion WDDX Deserialization Gadgets (CVE-2023-44353)
• Adobe ColdFusion Pre-Auth RCE (CVE-2023-29300)
• Remote Code Execution in Juniper(CVE-2023–36845)
• Authentication Bypass in Ivanti ICS (CVE-2023-46805)

We highly recommend that customers validate whether these components are used in their infrastructure and update them to the latest versions.

We’ve updated Wallarm’s user management function with the ability to invite a new user via an invitation link. This new capability allows administrators to produce an invitation link that can be shared with unregistered users so they can sign up for their specific client. 

If provided, the link will populate the user’s email address automatically, and create a user within the client once the new user has submitted their name and password. Additionally, the link can be set with an expiration time and specific user role as well. The invite by link functionality is also available via the Wallarm API for automation use cases.