Pull to refresh

Information Security *

Data protection

Show first
  • New
  • Top
Rating limit
  • All
  • ≥0
  • ≥10
  • ≥25
  • ≥50
  • ≥100

API security design best practices for enterprise and public cloud

Information Security *API *

Application Programming Interfaces or API’s are responsible for majority of system integration and functional components of modern computing landscape in both consumer and enterprise environments.

Properly constructed secure API’s provide significant benefits during initial build, integration with other systems and during entire application lifecycle while protecting sensitive information stored in business systems.

Based on author's experience designing and implementing API’s for variety of clients in financial, insurance, telecom and public sectors, security is often overlooked in favor of simplistic, vendor/product specific solutions.

This article addresses best practices for API security design in product neutral manner to help architects to plan and build easy to work with and secure API's.

Recommended approach is to separate API security from its business functionality and allow back-end developers to concentrate only on business functions. Once business logic for an API is ready, it can be published using common security components described in this article.

This article does not provide any product specific recommendations, but any modern API security/governance platform will be able to satisfy majority of suggested requirements using out-of-the-box functionality.

Read more
Rating 0
Views 1.5K
Comments 2

New botnet with lots of cameras and some routers

Qrator Labs corporate blog Information Security *IT Infrastructure *Network technologies *

DDoS attacks send ripples on the ocean of the Internet, produced by creations of various sizes - botnets. Some of them feed at the top of the ocean, but there also exists a category of huge, deep water monstrosities that are rare and dangerous enough they could be seen only once in a very long time.

November 2021 we encountered, and mitigated, several attacks from a botnet, that seems to be unrelated to one described and/or well-known, like variants of Mirai, Bashlite, Hajime or Brickerbot.

Although our findings are reminiscent of Mirai, we suppose this botnet is not based purely on propagating Linux malware, but a combination of brute forcing and exploiting already patched CVEs in unpatched devices to grow the size of it. Either way, to confirm how exactly this botnet operates, we need to have a sample device to analyze, which isn’t our area of expertise.

This time, we won’t give it a name. It is not 100% clear what we are looking at, what are the exact characteristics of it, and how big this thing actually is. But there are some numbers, and where possible, we have made additional reconnaissance in order to better understand what we’re dealing with.

But let us first show you the data we’ve gathered, and leave conclusions closer to the end of this post.

Read more
Total votes 12: ↑12 and ↓0 +12
Views 455
Comments 0

On the recent vulnerability in Diebold Nixdorf ATMs

Positive Technologies corporate blog Information Security *Cryptography *Reverse engineering *Programming microcontrollers *

Hi there! A while ago, Positive Technologies published the news that ATMs manufactured by Diebold Nixdorf (previously known as Wincor), or more specifically, the RM3 and CMDv5 cash dispensers, contained a vulnerability which allowed attackers to withdraw cash and upload modified (vulnerable) firmware. And since my former colleague Alexei Stennikov and I were directly involved in finding this vulnerability, I would like to share some details.

Read more
Total votes 5: ↑5 and ↓0 +5
Views 2.1K
Comments 2

How to choose a static analysis tool

PVS-Studio corporate blog Information Security *Development Management *Project management *Software

Tools to improve and control code quality can be a key success factor in a complex software project implementation. Static analyzers belong to such tools. Nowadays, you can find various static analyzers: from free open-source to cross-functional commercial solutions. On the one hand, it's great – you can choose from many options. On the other hand – you have to perform advanced research to find the right tool for your team.

Read more
Total votes 4: ↑2 and ↓2 0
Views 728
Comments 0

How to detect a cyberattack and prevent money theft

Positive Technologies corporate blog Information Security *Programming *Research and forecasts in IT

Money theft is one of the most important risks for any organization, regardless of its scope of activity. According to our data, 42% of cyberattacks on companies are committed to obtain direct financial benefits.  You can detect an attack at various stages—from network penetration to the moment when attackers start withdrawing money.  In this article, we will show how to detect an attack at each of its stages and minimize the risk, as well as analyze two common scenarios of such attacks: money theft manually using remote control programs and using special malware—a banking trojan.

Read more
Rating 0
Views 990
Comments 0

MFA-protected SSH access to Ubuntu servers with LDAP or Azure AD Credentials and hardware or software tokens

Token2.com corporate blog Information Security *

SSH, the secure shell, is often used to access remote Linux systems. Because we often use it to connect with computers containing important data, it’s recommended to add another security layer, such as the second factor.

In this guide, we will show how to leverage the TOKEN2 TOTPRadius appliance to organize SSH access to your Ubuntu server using local LDAP or Azure AD as the primary authentication factor, and TOTP factor from TOTPRadius as the secondary factor. The secondary authentication factors available with TOTPRadius can be a mobile authentication app or a hardware token.

Read more
Total votes 3: ↑3 and ↓0 +3
Views 594
Comments 0

OWASP Top Ten and Software Composition Analysis (SCA)

PVS-Studio corporate blog Information Security *.NET *C# *

The OWASP Top Ten 2017 category A9 (which became A6 in OWASP Top Ten 2021) is dedicated to using components with known vulnerabilities. To cover this category in PVS-Studio, developers have to turn the analyzer into a full SCA solution. How will the analyzer look for vulnerabilities in the components used? What is SCA? Let's try to find the answers in this article!

Read more
Rating 0
Views 386
Comments 0

Q3 2021 DDoS attacks and BGP incidents

Qrator Labs corporate blog Information Security *IT Infrastructure *Network technologies *

The third quarter of 2021 brought a massive upheaval in the scale and intensity of DDoS attacks worldwide.

It all led to September when together with Yandex, we uncovered one of the most devastating botnets since the Mirai and named it Meris, as it was held accountable for a series of attacks with a very high RPS rate. And as those attacks were aimed all over the world, our quarterly statistics also changed.

This quarter, we've also prepared for your consideration a slice of statistics on the application layer (L7) DDoS attacks. Without further ado, let us elaborate on the details of DDoS attacks statistics and BGP incidents for Q3, 2021.

Read more
Total votes 17: ↑17 and ↓0 +17
Views 2.9K
Comments 0

CWE Top 25 2021. What is it, what is it for and how is it useful for static analysis?

PVS-Studio corporate blog Information Security *Java *C++ *C# *

For the first time PVS-Studio provided support for the CWE classification in the 6.21 release. It took place on January 15, 2018. Years have passed since then and we would like to tell you about the improvements related to the support of this classification in the latest analyzer version.


Read more →
Rating 0
Views 371
Comments 0

How malware gets into the App Store and why Apple can't stop that

Information Security *Development for iOS *Development of mobile applications *Reverse engineering *Swift *

Only after I had published a post detailing three iOS 0-day vulnerabilities and expressing my frustration with Apple Security Bounty Program, I received a reply from Apple:

We saw your blog post regarding this issue and your other reports.

We apologize for the delay in responding to you. We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance.

Please let us know if you have any questions.

Indeed, I do have questions. The same ones that you have ignored. I'm gonna repeat them. Why was the fix for analyticsd vulnerability quietly included in iOS 14.7 update but not mentioned on its security content list? Why did you promise to include it in the next update's list but broke your words not once but trice? Why do you keep ignoring these questions?

After my previous post, some people have expressed doubts that such code can make its way into the App Store. It's understandable why they think this way. That's because Apple makes people believe that the App Store is safe by repeating it over and over. Moreover, they claim that they disallow alternative stores and application sideloading to keep users safe and otherwise they would be in great danger. Android has alternative stores and unrestricted sideloading, and have you heard about any kind of security problems with Android recently? I haven't. But it the last few months alone there were so many reports about security and privacy issues on Apple platforms. And the real reason that Apple doesn't allow any alternatives to the App Store is that they receive 30% commission on all purchases made inside any app and it's a tremendously lucrative business for them. They also enact censorship by choosing to allow or disallow any app into the App Store based purely on subjective opinions of their employees and managers.

So in this article I'm going to dispute the claim that the App Store is safe, voice my complaints about the App Store review process and provide a detailed explanation (including source code) how malicious apps on the App Store conceal their functionality from the App Store review team and are able to sneak into the App Store.

Read more
Total votes 31: ↑30 and ↓1 +29
Views 35K
Comments 8

Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program

Information Security *Development for iOS *Development of mobile applications *Reverse engineering *

I want to share my frustrating experience participating in Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Read more to learn the specifics of 0-day vulnerabilities.

Read more
Total votes 59: ↑59 and ↓0 +59
Views 147K
Comments 8

Insights Into Proactive Threat Hunting

Information Security *

Proactive search for complex threats seems to be a useful technology but inaccessible for many organizations. Is it really so? What do companies need to do to start Threat Hunting? What tools are needed for threat hunting? What trends in this area can be seen on the market in the coming years? These are some of the questions I would like to answer in my article today.

What is Threat Hunting?

Threat Hunting is a search for threats in a proactive mode when the information security specialist is sure that the network is compromised. He should understand how his network operates in order to be able to identify various attacks by examining the existing anomalies.

Threat Hunting is a search for threats that have already bypassed automated detection systems. Moreover, most often, you do not have signals or alerts that allow you to detect an intrusion.

From the SOC perspective, Threat Hunting is an extension of the service that allows you to counter any level of intruders, including those who use previously unknown tools and methods.

Threat Hunting can be based on some data obtained by a security specialist, or it can be based on a hypothesis. If after testing the hypothesis, the test gives a positive result, then later, it can be used to improve the processes and mechanisms of detecting threats. And also, Threat Hunting allows you to find blind spots in the security system and expand the monitoring area.

What organizations need Threat Hunting?

Proactive threat hunting is relevant to those organizations that can become the target of a complex, targeted APT attack. At the same time, given the trend towards supply chain attacks, a small company may also become a target for motivated attackers.

Read more
Total votes 3: ↑3 and ↓0 +3
Views 561
Comments 0

Mēris botnet, climbing to the record

Яндекс corporate blog Qrator Labs corporate blog Information Security *IT Infrastructure *Network technologies *


For the last five years, there have virtually been almost no global-scale application-layer attacks.

During this period, the industry has learned how to cope with the high bandwidth network layer attacks, including amplification-based ones. It does not mean that botnets are now harmless.

End of June 2021, Qrator Labs started to see signs of a new assaulting force on the Internet – a botnet of a new kind. That is a joint research we conducted together with Yandex to elaborate on the specifics of the DDoS attacks enabler emerging in almost real-time.

Read more
Total votes 28: ↑28 and ↓0 +28
Views 14K
Comments 0

How Visual Studio 2022 ate up 100 GB of memory and what XML bombs had to do with it

PVS-Studio corporate blog Information Security *.NET *Visual Studio *C# *


In April 2021 Microsoft announced a new version of its IDE – Visual Studio 2022 – while also announcing that the IDE would be 64-bit. We've been waiting for this for so long – no more 4 GB memory limitations! However, as it turned out, it's not all that simple...

Read more →
Total votes 2: ↑2 and ↓0 +2
Views 2.3K
Comments 0

Why do you need the MISRA Compliance report and how to generate one in PVS-Studio?

PVS-Studio corporate blog Information Security *C++ *C *Programming microcontrollers *

If you are strongly interested in MISRA and would like to understand whether your project meets one of the MISRA association's standards, there is a solution. It's name is MISRA Compliance. PVS-Studio has recently learned how to generate the MISRA Compliance report. This article describes how you can use this feature. This can make somebody's life better.

Read more
Rating 0
Views 400
Comments 3

Authors' contribution