Tanya Janca | SheHacksPurple :verified: :verified:<p>🎥 Missed one of my past conference talks? Let’s fix that.</p><p>I’m sharing my favorites—packed with real-world advice, lessons, and a few laughs.</p><p>“Top Ten Security Tips for APIs”<br>📽️ <a href="https://twp.ai/4ioX6N" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">twp.ai/4ioX6N</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/SecurityAwareness" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityAwareness</span></a> <a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>appsec</span></a> <a href="https://infosec.exchange/tags/APISecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APISecurity</span></a></p>
eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.
Administered by:
Server stats:
225active users
eupolicy.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.1
#apisecurity
1 post · 1 participant · 0 posts today
Nicola :official_verified:<p>What would you do if you discovered a <a href="https://infosec.exchange/tags/bug" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bug</span></a> or <a href="https://infosec.exchange/tags/loophole" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>loophole</span></a> that provided free lifetime service instead of the usual annual or monthly fees? I've been trying to reach out to the company for a year, sending emails and requesting contact with their <a href="https://infosec.exchange/tags/development" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>development</span></a> or <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> team, but I haven't received a response.</p><p>The <a href="https://infosec.exchange/tags/CEO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CEO</span></a> is active on <a href="https://infosec.exchange/tags/X" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>X</span></a> and <a href="https://infosec.exchange/tags/Meta" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Meta</span></a>, but I don't have accounts on those platforms but I can't contact him directly anyway since DMs are disabled. Any suggestions?</p><p>The service still works after a year of using it.</p><p><a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/api" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>api</span></a> <a href="https://infosec.exchange/tags/apisecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apisecurity</span></a></p>
OWASP Foundation<p>Join Tanya Janca on November 5 for a 1-day, hands-on training session at OWASP Global AppSec USA 2025 and learn how to design and harden APIs the right way.</p><p>Secure your training spot now: <a href="https://owasp.glueup.com/event/131624/register/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">owasp.glueup.com/event/131624/</span><span class="invisible">register/</span></a></p><p><a href="https://infosec.exchange/tags/GlobalAppSecUS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GlobalAppSecUS</span></a> <a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/CyberSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSec</span></a> <a href="https://infosec.exchange/tags/ThreatModeling" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatModeling</span></a> <a href="https://infosec.exchange/tags/DevSecOps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DevSecOps</span></a> <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://infosec.exchange/tags/Hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hacking</span></a> <a href="https://infosec.exchange/tags/WashingtonDC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WashingtonDC</span></a> <a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a> <a href="https://infosec.exchange/tags/APISecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APISecurity</span></a> <a href="https://infosec.exchange/tags/SecureCode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecureCode</span></a> <a href="https://infosec.exchange/tags/API" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>API</span></a></p>
Sam Stepanyan :verified: 🐘<p><a href="https://infosec.exchange/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a>: 'Attacking JWT using X509 Certificates': how an attacker could sign the JWT token with their own private key and modify the header value to specify their public key for signature verification:<br><a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a><br><a href="https://infosec.exchange/tags/APIsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APIsecurity</span></a></p><p><a href="https://trustedsec.com/blog/attacking-jwt-using-x509-certificates" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">trustedsec.com/blog/attacking-</span><span class="invisible">jwt-using-x509-certificates</span></a></p>
Marco Ciappelli🎙️✨:verified: :donor:<p>🚀 New Brand Story from <a href="https://infosec.exchange/tags/RSAC2025" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RSAC2025</span></a>: Runtime Protection at the New Digital Front Line</p><p>At <a href="https://infosec.exchange/tags/RSAC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RSAC</span></a> Conference 2025, Sean Martin, CISSP sat down with Rupesh Chokshi, Senior Vice President and GM of Application Security at Akamai Technologies, to talk about how AI-driven applications and <a href="https://infosec.exchange/tags/APIs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APIs</span></a> are reshaping the security landscape.</p><p>🔐 Why are runtime attacks on APIs and <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> apps growing—and why is prevention alone no longer enough?</p><p>Find out how Akamai is evolving its Web Application and API Protection (<a href="https://infosec.exchange/tags/WAAP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WAAP</span></a>) strategies to meet these emerging threats head-on.</p><p>🎙️ Watch, listen, or read the full story here:<br>👉 <a href="https://www.itspmagazine.com/their-stories/the-new-front-line-runtime-protection-for-ai-and-api-driven-attacks-a-brand-story-with-rupesh-chokshi-from-akamai-an-on-location-rsac-conference-2025-brand-story" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">itspmagazine.com/their-stories</span><span class="invisible">/the-new-front-line-runtime-protection-for-ai-and-api-driven-attacks-a-brand-story-with-rupesh-chokshi-from-akamai-an-on-location-rsac-conference-2025-brand-story</span></a></p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>appsec</span></a> <a href="https://infosec.exchange/tags/apisecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apisecurity</span></a> <a href="https://infosec.exchange/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>technology</span></a> <a href="https://infosec.exchange/tags/infosecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosecurity</span></a></p>
Marco Ciappelli🎙️✨:verified: :donor:<p>🌐 The Digital Terrain Is Shifting — Are Your Apps and APIs Ready?</p><p>As AI adoption accelerates, so do AI-driven attacks.<br>In their new research report, Akamai Technologies uncovers the evolving threats facing web applications and APIs — and how organizations can respond before attackers get ahead.</p><p>State of Apps and API Security 2025: How <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> Is Shifting the Digital Terrain explores the sharp rise in automated, intelligent threats — and the new defenses emerging to meet them.</p><p>📥 Download the full report here: <a href="https://itspm.ag/akamaixmwd" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">itspm.ag/akamaixmwd</span><span class="invisible"></span></a><br>📌 Research like this helps <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> professionals, <a href="https://infosec.exchange/tags/leaders" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>leaders</span></a>, and <a href="https://infosec.exchange/tags/developers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>developers</span></a> stay ahead of the curve — and shape the future of <a href="https://infosec.exchange/tags/digital" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>digital</span></a> defense.</p><p>🎙️ We’re also proud to feature Akamai in our RSAC 2025 coverage — with a Brand Story recorded pre-event and a follow-up conversation happening on location at the conference in San Francisco with Rupesh Chokshi, Sean Martin, CISSP, and Marco Ciappelli.</p><p>Watch the pre-event recording here: <a href="https://youtu.be/DMm6INJ_2Z8" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">youtu.be/DMm6INJ_2Z8</span><span class="invisible"></span></a> </p><p>🙏 A huge thank you to the Akamai team for sponsoring our coverage and sharing their insights with our global audience.</p><p>👇 Check out the report and stay tuned for more from RSAC:</p><p>📥 Download the Report: <a href="https://itspm.ag/akamaixmwd" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">itspm.ag/akamaixmwd</span><span class="invisible"></span></a><br>🌐 Explore our RSAC 2025 Coverage: <a href="https://www.itspmagazine.com/events/rsac-2025" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">itspmagazine.com/events/rsac-2</span><span class="invisible">025</span></a></p><p><a href="https://infosec.exchange/tags/akamai" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>akamai</span></a> <a href="https://infosec.exchange/tags/rsac2025" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rsac2025</span></a> <a href="https://infosec.exchange/tags/brandstory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>brandstory</span></a> <a href="https://infosec.exchange/tags/apigateway" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apigateway</span></a> <a href="https://infosec.exchange/tags/applicationsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>applicationsecurity</span></a> <a href="https://infosec.exchange/tags/aiinsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aiinsecurity</span></a> <a href="https://infosec.exchange/tags/webappsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webappsecurity</span></a> <a href="https://infosec.exchange/tags/cybersecurityresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurityresearch</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/devsecops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>devsecops</span></a> <a href="https://infosec.exchange/tags/digitaldefense" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>digitaldefense</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/itspmagazine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>itspmagazine</span></a> <a href="https://infosec.exchange/tags/rsaconference" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rsaconference</span></a> <a href="https://infosec.exchange/tags/apisecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apisecurity</span></a> <a href="https://infosec.exchange/tags/aiattacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aiattacks</span></a> <a href="https://infosec.exchange/tags/securityreport" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>securityreport</span></a> <a href="https://infosec.exchange/tags/cybersecurityinnovation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurityinnovation</span></a> <a href="https://infosec.exchange/tags/securitystrategy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>securitystrategy</span></a> <a href="https://infosec.exchange/tags/zerotrust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zerotrust</span></a> <a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>appsec</span></a></p>
Miguel Afonso Caetano<p>"API keys are foundational elements for authentication, but relying solely on them is inherently a risky proposal.</p><p>Firstly, there’s the reality that API keys are not securely designed — they were never meant to be used as the sole form of authentication, and as such, they aren’t really built for the task. These keys can often be easily stolen, leaked, or, in some cases (especially if generated incrementally), outright guessed. An API key is suitable for tracking usage but is poor for security.</p><p>There is also the additional reality that keys in their default state lack some critical functionality. There’s not a lot of verification built-in for identity management, and what does exist offers very little in the way of granular access control.</p><p>Ultimately, solely relying on API keys is a mistake common with novice developers but frighteningly common even in advanced products.</p><p>Best Practices<br>Instead of relying heavily on API keys as a sole mechanism, combine those keys with additional approaches such as OAuth 2.0 or mTLS. Implement rigorous expiration and rotation policies to ensure that keys which are made public are only useful for a short amount of time. Consider more advanced approaches, such as IP whitelisting or device fingerprinting, to add another layer of security atop the API key process."</p><p><a href="https://nordicapis.com/9-signs-youre-doing-api-security-wrong/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nordicapis.com/9-signs-youre-d</span><span class="invisible">oing-api-security-wrong/</span></a></p><p><a href="https://tldr.nettime.org/tags/API" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>API</span></a> <a href="https://tldr.nettime.org/tags/APIs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APIs</span></a> <a href="https://tldr.nettime.org/tags/APISecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APISecurity</span></a> <a href="https://tldr.nettime.org/tags/APIDesign" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APIDesign</span></a> <a href="https://tldr.nettime.org/tags/WebSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebSecurity</span></a> <a href="https://tldr.nettime.org/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a></p>
Sam Stepanyan :verified: 🐘<p><a href="https://infosec.exchange/tags/Docker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Docker</span></a> Fixes Critical 5-year Old Authentication Bypass <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> CVE-2024-41110 (CVSS:10.0) allows attacker to login by sending an API request with a Content-Length of 0!<br><a href="https://infosec.exchange/tags/APISecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APISecurity</span></a><br>👇 <br><a href="https://www.bleepingcomputer.com/news/security/docker-fixes-critical-5-year-old-authentication-bypass-flaw/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/docker-fixes-critical-5-year-old-authentication-bypass-flaw/</span></a></p>
Sam Stepanyan :verified: 🐘<p><a href="https://infosec.exchange/tags/Twilio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Twilio</span></a> has confirmed that an unsecured API endpoint allowed <a href="https://infosec.exchange/tags/ShinyHunters" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ShinyHunters</span></a> threat actors to verify and leak the phone numbers of 33 million of Authy MFA users:<br><a href="https://infosec.exchange/tags/APISecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APISecurity</span></a><br>👇<br><a href="https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/</span></a></p>
Neil Madden<p>Slides from my talk on Macaroons from <a href="https://infosec.exchange/tags/SecAppDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecAppDev</span></a> are now available (click Download Handouts). It wasn’t recorded, so I’ll maybe do it on twitch or something. <a href="https://secappdev.org/2024/sessions/introduction-to-macaroons/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">secappdev.org/2024/sessions/in</span><span class="invisible">troduction-to-macaroons/</span></a> </p><p><a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptography</span></a> <a href="https://infosec.exchange/tags/apisecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apisecurity</span></a></p>
TrendingLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload