API Keys

Mobile app developers keep hearing that they shouldn’t store API keys in their app code but they don’t hear where they should store them. In this article we discuss the topic and provide some practical solutions. Read Full Story

API abuse, when the API is used in an unexpected way, is a growing problem in software development and one of the leading attack vectors cybercriminals exploit. According to a recent security research report that surveyed more than 200 enterprise security professionals, there was a 21.32% growth in malicious API call volume between December 2020 and December 2021. The same study also established that 95% of respondents had suffered an API security incident in the past year. Read Full Story

A Man-in-the-Middle attack can come in multiple forms. This article describes these and how you can mitigate such attacks. Read Full Story

    After a couple of false starts, we are finally emerging from behind the shadow of the Covid pandemic. Some businesses prospered explosively during it as people suddenly needed to access key services remotely, such as the fintech and healthcare sectors; others were forced to deal with an almost instant switch-off of commercial activity, for example the travel and tourism markets. In this article we will look at the travel sector and anticipate what kinds of security challenges might lie ahead as the market evolves and recovers. Read Full Story

Alissa Knight’s latest security research report “Scorched Earth” was recently released. In this blog we’ll look at 3 key themes from the report and the immediate mitigations that banks, crypto companies and fintechs should implement. Read Full Story

As I explained in a previous blog about the FHIR API Research Alissa Knight recently completed, “Shift Left, but Shield Right” is a strategy Alissa recommends to address the issues she uncovered in the mobile apps she tested.  Read Full Story

We sponsored a major report “Playing with FHIR” by Alissa Knight, released in October 2021 (download it here) which investigated the security of mobile healthcare apps and APIs which use the FHIR standard. This report has certainly sparked a lot of debate about the security of healthcare apps and a broader discussion about who is accountable for keeping patient data safe as the ecosystem expands.  Read Full Story

Editor's note: This post was originally published in September 2021 in Threatpost. Data breaches and hacking put internet users at risk of account takeover, if cyber-criminals successfully gain access to valid login credentials. There are reckoned to be in excess of  8.4 million discrete passwords currently circulating online, over 3.5 billion of which are tied to active email addresses. Read Full Story

Photo credit: iStock.com/Evkaz We are all very aware of the issues around phishing of user credentials. But it is not only users that can be phished, apps can be too. In previous blogs we’ve shown you how you can make a MITM attack against an app. In this blog we’ll demonstrate that a MITM attack against an app is analogous to a phishing attack against a human. Moreover, there are some similar characteristics to the protections required. Read Full Story

Python FastAPI framework’s first commit dates from 5th December 2018, followed by the first release on 25th December 2018. It was created by Sebastián Ramírez as a direct reflection of his several years of experience in creating APIs with complex requirements. Read Full Story