Didn't make it out to #RSAC 2025 this week? ๐ No worries. For those of you who didn't catch Graylog at the conference, Seth Goldhammer is here to share some of #Graylog + #RSA with you. ๐
We had a great time showing off what's new in Graylog 6.2 this weekโincluding our new detection chain capability. Watch below and learn all about it! ๐บ ๐ https://graylog.org/post/introducing-graylog-6-2-a-siem-without-compromise/ #cybersecurity #SIEM #APIsecurity
It's been a great week at #RSA! And, you have one last chance to see us in-person, today. Got questions about the new #Graylog 6.2? Let's talk about data routing + Graylogโs provided data lake, our adversary informed defense, context-aware AI assistance via LLMs that analyze investigation evidence in real time, and more.
https://graylog.org/rsa-2025/ #RSAC #RSAC2025 #SIEM #APIsecurity
5 Ways to Secure Agentic Access to APIs | Nordic APIs | https://buff.ly/EfQmZis
"This shift from human-driven API calls to autonomous and large-scale agentic interactions means that security must become more dynamic, more machine-centric, and based on workloads rather than simple identity." -- #KristopherSandoval
Had a blast at the API security happy hour, and not just 'cause it was in a pub!๐ป Big thanks to all who shared how my content helped you - your stories mean the world to me!๐ #APIsecurity #RSAC2025
Hey hey, #RSA! Welcome to Tuesday. ๐ ๐ See us today, in #3134 to...
๐ค Connect with our amazing team, in-person
๐ก Learn all about #SIEM without compromise
๐๏ธ Get your stickers, key chains, fancy water bottles, โmore
๐ฃ๏ธ Talk about the new Illuminate Content Hub in 6.2
...and so much more.
Want a personalized demo with our experts? We got ya. C'mon over! ๐ฅ๏ธ https://graylog.org/rsa-2025/ #cybersecurity #RSAC #RSAC2025 #APIsecurity #security
๐ The Digital Terrain Is Shifting โ Are Your Apps and APIs Ready?
As AI adoption accelerates, so do AI-driven attacks.
In their new research report, Akamai Technologies uncovers the evolving threats facing web applications and APIs โ and how organizations can respond before attackers get ahead.
State of Apps and API Security 2025: How #AI Is Shifting the Digital Terrain explores the sharp rise in automated, intelligent threats โ and the new defenses emerging to meet them.
๐ฅ Download the full report here: https://itspm.ag/akamaixmwd
๐ Research like this helps #security professionals, #leaders, and #developers stay ahead of the curve โ and shape the future of #digital defense.
๐๏ธ Weโre also proud to feature Akamai in our RSAC 2025 coverage โ with a Brand Story recorded pre-event and a follow-up conversation happening on location at the conference in San Francisco with Rupesh Chokshi, Sean Martin, CISSP, and Marco Ciappelli.
Watch the pre-event recording here: https://youtu.be/DMm6INJ_2Z8
๐ A huge thank you to the Akamai team for sponsoring our coverage and sharing their insights with our global audience.
๐ Check out the report and stay tuned for more from RSAC:
๐ฅ Download the Report: https://itspm.ag/akamaixmwd
๐ Explore our RSAC 2025 Coverage: https://www.itspmagazine.com/events/rsac-2025
#akamai #rsac2025 #brandstory #apigateway #applicationsecurity #aiinsecurity #webappsecurity #cybersecurityresearch #infosec #devsecops #digitaldefense #threatintelligence #itspmagazine #rsaconference #apisecurity #aiattacks #securityreport #cybersecurityinnovation #securitystrategy #zerotrust #appsec
Going to apidays NYC? Don't miss this preso by Jeff Zemerick and #Graylog's Rob DickinsonโCatching the Quiet Thief: Detecting Low-and-Slow #API Data Exfiltrations in Real Time. ๐ฆน
This session explores how attackers exploit #APIs for long-term data theft and how runtime monitoring with full payload visibility helps detect and block them.
Learn how PII-aware detection, risk scoring, and real-time response can uncover threats hiding in plain sightโbefore they become data breaches.
4:05 PM ET, Wednesday, May 14th. https://www.apidays.global/new-york/ #cybersecurity #APIsecurity
It's almost time for #RSAC2025! โฐ ๐ We'll be there, in Moscone South #3134, showcasing our Spring โ25 release. ๐
๐ Want to see what's new? Get a live demo of the latest Graylog Security release โ a platform purpose-built for mid-enterprise #security teams that demand speed, accuracy, and efficiency.
Stop by, say hi, and see Graylog in action at #RSA. https://graylog.org/rsa-2025/ #cybersecurity #APIsecurity #SIEM
Verizon Call Filter API flaw exposed customer call history without authentication. #Verizon #APIsecurity #DataBreach
More details: https://thedefendopsdiaries.com/understanding-the-verizon-call-filter-api-vulnerability/ - https://www.flagthis.com/news/12390
Staying ahead means staying informed, right? Here's our latest wrap of the day's Cyber News:
๐๏ธ https://opalsec.io/daily-news-update-thursday-april-3-2025-australia-melbourne/
If you're short on time, hereโs a quick whip-around of the top 3 stories of note:
๐ต๏ธโโ๏ธ Hunters Ransomware Rethink: Is the heat getting too much? Hunters International leadership reportedly told affiliates ransomware is now too "risky," planning a shift to pure data theft/extortion under a "World Leaks" banner. While their current status is murky, this potential pivot away from encryption echoes moves by other groups and highlights how defensive pressures are forcing attacker evolution โ something we all need to track.
๐ง White House OpSec Woes: Remember that recent White House Signal mishap? Well, now the same National Security Adviser is reportedly facing heat for using personal Gmail for sensitive (if unclassified) government discussions, raising serious OpSec and compliance alarms. It's a potent reminder for us all: even seemingly benign comms on personal platforms can create significant risks, and basic security hygiene is non-negotiable, especially when sensitive info is involved.
๐ Verizon API Call Log Leak: Hereโs a worrying find: a simple API flaw in Verizon's Call Filter app exposed the incoming call history of potentially all their wireless customers to each other. Technically, it was a textbook case of broken object-level authorization โ the API didn't check if the user's token matched the phone number whose logs were requested in a header. This highlights the critical need for robust API authorization checks and the significant privacy impact even call metadata can have.
Have a read of the full newsletter, and sign up to get all the details straight to your inbox each day:
๐จ https://opalsec.io/daily-news-update-thursday-april-3-2025-australia-melbourne/#/portal/signup
#CyberSecurity #InfoSec #ThreatIntel #Ransomware #DataBreach #DataLeak #Vulnerability #APIsecurity #CloudSecurity #SupplyChainSecurity #Malware #Privacy #CyberAttack #InfoSecNews #ThreatHunting #CISCO #Verizon #GitHub #NationalSecurity #AndroidSecurity #EDR #CyberAwareness
"API keys are foundational elements for authentication, but relying solely on them is inherently a risky proposal.
Firstly, thereโs the reality that API keys are not securely designed โ they were never meant to be used as the sole form of authentication, and as such, they arenโt really built for the task. These keys can often be easily stolen, leaked, or, in some cases (especially if generated incrementally), outright guessed. An API key is suitable for tracking usage but is poor for security.
There is also the additional reality that keys in their default state lack some critical functionality. Thereโs not a lot of verification built-in for identity management, and what does exist offers very little in the way of granular access control.
Ultimately, solely relying on API keys is a mistake common with novice developers but frighteningly common even in advanced products.
Best Practices
Instead of relying heavily on API keys as a sole mechanism, combine those keys with additional approaches such as OAuth 2.0 or mTLS. Implement rigorous expiration and rotation policies to ensure that keys which are made public are only useful for a short amount of time. Consider more advanced approaches, such as IP whitelisting or device fingerprinting, to add another layer of security atop the API key process."
https://nordicapis.com/9-signs-youre-doing-api-security-wrong/
#API #APIs #APISecurity #APIDesign #WebSecurity #CyberSecurity
API security firm APIsec's exposed database leaked customer data. #APISecurity #DataBreach #Cybersecurity
More details: https://www.upguard.com/breaches/data-leak-apisec - https://www.flagthis.com/news/12270
#APIs act as digital portals that allow data to travel between applications. ๐ณ๏ธ However, as sensitive data moves from one application to another, each API becomes a potential access point that threat actors can exploit. ๐ฌ
๐ Securing APIs is critical to any company's data protection program, and knowing the OWASP API security top 10 will help! ๐ ๐
Read on an learn about:
โ Who OWASP is
โ ๏ธ The 10 most critical API security risks based on several data points
๐ The OWASP top 10 API security risks
https://graylog.org/post/an-introduction-to-the-owasp-api-security-top-10/ #cybersecurity #infosec #APIsecurity #GraylogLabs
Did someone say FREE training? ๐ ๐ ๐ Welcome to #Graylog Academy! ๐ We are excited to give you the tools to gain immediate value, unlock #security analytics, and begin data driven decision-making as you embark upon (or continue) your journey with Graylog. ๐
Check out the awesome selection of FREE courses you can take, including:
โก๏ธ Adding Context and Enriching Your Log Data
โก๏ธ Events, Alerts, and Notifications
โก๏ธ Hardening Graylog with TLS
โก๏ธ Intro to API Security
โก๏ธ Introduction to Graylog Dashboards
โก๏ธ Pipelines, Parsing and the Graylog Information Model
Did we mention that many of the courses are ๐ โ๏ธ What are you waiting for! Let's go. ๐๐จ
https://academy.graylog.org/home #APIsecurity #SIEM #logmanagement #cybersecurity #infosec
It was a packed house for the Graylog #BSidesROC Capture The Flag on Saturday! ๐ ๐ Thank you to everyone who joined us for the fun and games. ๐ฎ ๐ป You are all amazing and, now, a little (or a lot!) more knowledgable about #Graylog! ๐ก It's a win-win. ๐ ๐
And congrats to our challenge winners!
๐ Grand prize winner โ Tyler Smith
๐๏ธ Training voucher winner โ Praveen Kumar Penukonda
๐
Runner up โ Gabriel Schickling
#CTF #cybersecurity #APIsecurity #SIEM #SIEMdoneright #GraylogCTF
Cloudflare boosts API security by disabling HTTP, enforcing HTTPS-only connections. #APISecurity #Cloudflare #Cybersecurity
More details: https://thedefendopsdiaries.com/cloudflares-https-only-initiative-a-new-standard-in-api-security/ - https://www.flagthis.com/news/11712
Cloudflare's HTTPS-Only Initiative: A New Standard in API Security
https://thedefendopsdiaries.com/cloudflares-https-only-initiative-a-new-standard-in-api-security/
Threat actors are increasingly using cloud services to identify the data they intend to exfiltrate or ransom. Cloud native development, containers, and microservices allow dev teams to quickly deploy new builds. But, they also lead to a higher potential for misconfiguration. And where there are misconfigurations there are vulnerabilities that leave openings for threat actors. โ ๏ธ ๐ฆ
So, what can #security teams do about this? ๐ค They can shine a spotlight on whatโs in their #API traffic! ๐ฆ Once you know how #cybercriminals are accessing sensitive data, you can stop them from gaining access to it. ๐
Critical security steps need to happen before data exfiltration does. Learn more about predicting risk and closing your vulnerability gap, in this article by #Graylog's Seth Goldhammer.
https://securityboulevard.com/2025/03/reading-the-data-breach-tea-leaves-preventing-data-exfiltration-before-it-happens/ #cybersecurity #APIsecurity #infosec
๐ New article: Strengthen your Java app's security with API authentication, CSP, CORS, and HTTP security headers.
Dive into this comprehensive guide for Java developers: API Web Application Security
https://ionutbalosin.com/2025/03/api-web-application-security-for-java-developers
APIs often handle vast amounts of Personally Identifiable Information (#PII), which makes them prime targets for API data exfiltration. ๐ฏ๐ So, it's no surprise that #API-based attacks with the aim of stealing sensitive data have increased over time. Many orgs also lack visibility into which APIs are handling PII, which leaves them with massive #security blind spots. ๐ณ
What should orgs do about this? Let's take a closer look at:
๐ฆ The growing risks of PII exposure in API traffic
๐ The methods attackers use to exfiltrate data
๐ Capabilities to look for in a data exfiltration prevention solution
๐ฅ How the new release of Graylog API Security 3.7 can help
https://graylog.org/post/apis-the-silent-highway-for-sensitive-data/ #APIsecurity #APIs #cybersecurity
