#apisecurity


Staying ahead means staying informed, right? Here's our latest wrap of the day's Cyber News:

🗞️ opalsec.io/daily-news-update-t

If you're short on time, here’s a quick whip-around of the top 3 stories of note:

🕵️‍♂️ Hunters Ransomware Rethink: Is the heat getting too much? Hunters International leadership reportedly told affiliates ransomware is now too "risky," planning a shift to pure data theft/extortion under a "World Leaks" banner. While their current status is murky, this potential pivot away from encryption echoes moves by other groups and highlights how defensive pressures are forcing attacker evolution – something we all need to track.

📧 White House OpSec Woes: Remember that recent White House Signal mishap? Well, now the same National Security Adviser is reportedly facing heat for using personal Gmail for sensitive (if unclassified) government discussions, raising serious OpSec and compliance alarms. It's a potent reminder for us all: even seemingly benign comms on personal platforms can create significant risks, and basic security hygiene is non-negotiable, especially when sensitive info is involved.

📞 Verizon API Call Log Leak: Here’s a worrying find: a simple API flaw in Verizon's Call Filter app exposed the incoming call history of potentially all their wireless customers to each other. Technically, it was a textbook case of broken object-level authorization – the API didn't check if the user's token matched the phone number whose logs were requested in a header. This highlights the critical need for robust API authorization checks and the significant privacy impact even call metadata can have.

Have a read of the full newsletter, and sign up to get all the details straight to your inbox each day:

📨 opalsec.io/daily-news-update-t

Opalsec · Daily News Update: Thursday, April 3, 2025 (Australia/Melbourne)
Hunters International's transition to Data Extortion model could indicate the "impose cost" offensive targeting Ransomware is paying off. Trump Administration uses commercial email for sensitive military discussions. Verizon API flaw allowed unrestricted access to customer call history.
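The broken object-level authorization pattern described in the Verizon story above, shown as an added example (not Opalsec's or Verizon's code): a handler that trusts a phone-number header once any valid token is present, beside one that ties the requested object to the token's own subject. The header name, tokens, numbers and call records are constructed sample values.

```python
# Constructed bearer-token -> subscriber phone number mapping (what the
# authentication layer establishes after validating the token).
TOKEN_SUBJECT = {
    "tok-alice": "+15550000001",
    "tok-bob":   "+15550000002",
}

# Constructed call history, keyed by subscriber phone number.
CALL_LOGS = {
    "+15550000001": ["+15551112222 2025-04-01T09:12", "+15553334444 2025-04-02T18:40"],
    "+15550000002": ["+15555556666 2025-04-02T07:05"],
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def authenticate(headers: dict) -> str:
    """Return the phone number bound to the bearer token, or raise Forbidden."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Forbidden("missing bearer token")
    subject = TOKEN_SUBJECT.get(auth[len("Bearer "):])
    if subject is None:
        raise Forbidden("unknown token")
    return subject


def get_call_logs_vulnerable(headers: dict) -> list:
    """Broken object-level authorization: the token only proves that *someone*
    is logged in; the object selector (X-Phone-Number header) is trusted as-is,
    so any authenticated caller can read any subscriber's history."""
    authenticate(headers)                                  # authenticated ...
    return CALL_LOGS.get(headers.get("X-Phone-Number"), [])  # ... but not authorized


def get_call_logs_fixed(headers: dict) -> list:
    """Object-level check: the requested number must equal the number the token
    was issued for. The comparison happens before any data lookup."""
    subject = authenticate(headers)
    requested = headers.get("X-Phone-Number")
    if requested != subject:
        raise Forbidden("token is not authorized for this phone number")
    return CALL_LOGS.get(subject, [])
```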

"API keys are foundational elements for authentication, but relying solely on them is inherently a risky proposal.

Firstly, there’s the reality that API keys are not securely designed — they were never meant to be used as the sole form of authentication, and as such, they aren’t really built for the task. These keys can often be easily stolen, leaked, or, in some cases (especially if generated incrementally), outright guessed. An API key is suitable for tracking usage but is poor for security.

There is also the additional reality that keys in their default state lack some critical functionality. There’s not a lot of verification built-in for identity management, and what does exist offers very little in the way of granular access control.

Ultimately, solely relying on API keys is a mistake common with novice developers but frighteningly common even in advanced products.

Best Practices
Instead of relying heavily on API keys as a sole mechanism, combine those keys with additional approaches such as OAuth 2.0 or mTLS. Implement rigorous expiration and rotation policies to ensure that keys which are made public are only useful for a short amount of time. Consider more advanced approaches, such as IP whitelisting or device fingerprinting, to add another layer of security atop the API key process."

nordicapis.com/9-signs-youre-d

Nordic APIs · 9 Signs You're Doing API Security Wrong | Nordic APIs
API security anti-patterns are common. From overreliance on API keys to a lack of rate limiting to no encryption, we explore the top ones.
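One way to apply the key-handling practices quoted above (random rather than incremental keys, expiry, rotation with only a short overlap, and a per-key IP allowlist), as an added example that is not Nordic APIs' code. The store's interface and the integer-seconds clock are assumptions; client names, addresses and timings are constructed. OAuth 2.0 and mTLS, which the quote recommends alongside keys, are out of scope here.

```python
import hashlib
import secrets
import time


def _digest(raw_key: str) -> str:
    # Persist only a hash so a leaked key table does not yield usable keys.
    return hashlib.sha256(raw_key.encode()).hexdigest()


class ApiKeyStore:
    """Keys carry an expiry (unix seconds) and a source-IP allowlist; rotation
    shortens the old key's life to a small overlap instead of leaving it valid."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock, seconds since epoch
        self._keys = {}      # digest -> {"client", "expires", "allowed_ips"}

    def issue(self, client: str, ttl_seconds: int, allowed_ips) -> str:
        raw = secrets.token_urlsafe(32)   # random: never sequential or guessable
        self._keys[_digest(raw)] = {
            "client": client,
            "expires": self._now() + ttl_seconds,
            "allowed_ips": set(allowed_ips),
        }
        return raw

    def rotate(self, old_raw: str, ttl_seconds: int, overlap_seconds: int) -> str:
        """Issue a replacement and cap the old key's remaining life at
        overlap_seconds, so a leaked old key stays useful only briefly."""
        old = self._keys[_digest(old_raw)]
        old["expires"] = min(old["expires"], self._now() + overlap_seconds)
        return self.issue(old["client"], ttl_seconds, old["allowed_ips"])

    def authenticate(self, raw_key: str, source_ip: str):
        """Return the client name for a known, unexpired key presented from an
        allowed address; otherwise None, and the caller denies the request."""
        rec = self._keys.get(_digest(raw_key))
        if rec is None or self._now() >= rec["expires"]:
            return None
        if source_ip not in rec["allowed_ips"]:
            return None
        return rec["client"]
```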

#APIs act as digital portals that allow data to travel between applications. 🕳️ However, as sensitive data moves from one application to another, each API becomes a potential access point that threat actors can exploit. 😬

🔒 Securing APIs is critical to any company's data protection program, and knowing the OWASP API security top 10 will help! 🔟 🙌

Read on and learn about:
❓ Who OWASP is
⚠️ The 10 most critical API security risks based on several data points
🔓 The OWASP top 10 API security risks

graylog.org/post/an-introducti #cybersecurity #infosec #APIsecurity #GraylogLabs

Did someone say FREE training? 👀 🆓 😁 Welcome to #Graylog Academy! 👋 We are excited to give you the tools to gain immediate value, unlock #security analytics, and begin data-driven decision-making as you embark upon (or continue) your journey with Graylog. 🚀

Check out the awesome selection of FREE courses you can take, including:
➡️ Adding Context and Enriching Your Log Data
➡️ Events, Alerts, and Notifications
➡️ Hardening Graylog with TLS
➡️ Intro to API Security
➡️ Introduction to Graylog Dashboards
➡️ Pipelines, Parsing and the Graylog Information Model

Did we mention that many of the courses are 🆓 ⁉️ What are you waiting for! Let's go. 🏃💨

academy.graylog.org/home #APIsecurity #SIEM #logmanagement #cybersecurity #infosec

It was a packed house for the Graylog #BSidesROC Capture The Flag on Saturday! 🏠 🎉 Thank you to everyone who joined us for the fun and games. 🎮 💻 You are all amazing and, now, a little (or a lot!) more knowledgeable about #Graylog! 💡 It's a win-win. 😃 👏

And congrats to our challenge winners!
🏆 Grand prize winner — Tyler Smith
🎟️ Training voucher winner — Praveen Kumar Penukonda
🏅 Runner up — Gabriel Schickling

Threat actors are increasingly using cloud services to identify the data they intend to exfiltrate or ransom. Cloud native development, containers, and microservices allow dev teams to quickly deploy new builds. But, they also lead to a higher potential for misconfiguration. And where there are misconfigurations there are vulnerabilities that leave openings for threat actors. ☠️ 😦

So, what can #security teams do about this? 🤔 They can shine a spotlight on what’s in their #API traffic! 🔦 Once you know how #cybercriminals are accessing sensitive data, you can stop them from gaining access to it. 🛑

Critical security steps need to happen before data exfiltration does. Learn more about predicting risk and closing your vulnerability gap, in this article by #Graylog's Seth Goldhammer.

securityboulevard.com/2025/03/ #cybersecurity #APIsecurity #infosec

APIs often handle vast amounts of Personally Identifiable Information (#PII), which makes them prime targets for API data exfiltration. 🎯😒 So, it's no surprise that #API-based attacks with the aim of stealing sensitive data have increased over time. Many orgs also lack visibility into which APIs are handling PII, which leaves them with massive #security blind spots. 😳

What should orgs do about this? Let's take a closer look at:
🚦 The growing risks of PII exposure in API traffic
🔓 The methods attackers use to exfiltrate data
👀 Capabilities to look for in a data exfiltration prevention solution
💥 How the new release of Graylog API Security 3.7 can help

graylog.org/post/apis-the-sile #APIsecurity #APIs #cybersecurity

🔺 Are your API keys secure?

At #FlutteristasConf2025, @valerianagit will break down "The Ultimate Guide to API Key Management in Flutter."

In this session, she will explore common mistakes 🫣 developers make when storing API keys and how to avoid them.

By the end of this talk, you’ll have a strong foundation in API key security, ensuring your Flutter applications stay protected from potential threats. 🔐

RSVP: 👉 flutteristas.org

Wallarm Releases 2025 API ThreatStats Report, Revealing that APIs are the Predominant Attack Surface

buff.ly/4aEd2fo

"Wallarm's researchers tracked 439 AI-related CVEs, a staggering 1,025% increase from the prior year. Nearly all (99%) were directly tied to APIs, including injection flaws, misconfigurations, and new memory corruption vulnerabilities stemming from AI's reliance on high-performance binary APIs."

We're going to apidays NYC, woot! 🎉 Join us at the conference to learn about #API management for surfing the next innovation waves. 🌊 🏄 Our VP of Engineering, Rob Dickinson, will be speaking at the event, as well. 🙌 🗣️

Got questions about #APIsecurity, #SIEM and/or log management? See us in NYC on May 14th and 15th, 2025 to get all of your burning questions answered. 🔥 Or just to hang out and pick up some Graylog swag! 🤝 🎁

apidays.global/new-york/ #apidays #apidaysNewYork #apidaysNY #Graylog #APIs

Node.js Security in 2025: Best Practices and Threat Mitigation

bloggingaadd.com/nodejs-securi

Learn the best Node.js security practices for 2025 to protect your applications from evolving threats. Explore key strategies for threat mitigation, data protection, and secure coding.

#NodeJS
#CyberSecurity
#WebSecurity
#SecureCoding
#BackendDevelopment
#APISecurity
#TechTrends2025
#DataProtection
#SoftwareSecurity
#JavaScript
#SecureApps
#ThreatMitigation

China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains

The Silk Typhoon hacking group, linked to China and previously behind Microsoft Exchange zero-day attacks, is now targeting IT supply chains, abusing stolen API keys, remote management tools, and cloud applications to infiltrate corporate networks.

The group is exploiting stolen API keys and credentials from IT service providers, launching zero-day attacks on Ivanti VPN, Palo Alto Networks, and Citrix NetScaler, and shifting from on-prem environments to cloud applications like Microsoft 365, OneDrive, and SharePoint to exfiltrate data.

Organizations must strengthen API security, enforce least privilege access, and monitor cloud environments to mitigate these growing supply chain threats.

Read more: thehackernews.com/2025/03/chin

The Hacker News · China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
Silk Typhoon exploits zero-day vulnerabilities, stolen API keys, and cloud services to infiltrate IT supply chains and government networks worldwide.