API Access, Building Defenses, and Scripting

SecPro Community Wisdom #8: API Access, Building Defenses, and Scripting

Hey!

Hello and welcome to the 8th Community Wisdom ⚡ issue of 2022!

Here is another issue, filled to the brim with wisdom from people who have been working in cybersecurity and related industries for a long time. Thank you to everyone who responded – we will be selecting winners from the pool of respondents tomorrow and sending out emails to the winners of our competition.

As always, if you have any extra comments that you would like to share, send them to me and I will try to work them into our newsletter. We are grateful for all the replies we receive and want to make sure that our community sees its voice represented in everything we put out.

Cheers,
Austin Miller
Editor-in-Chief

What programming/scripting language do you find most useful in your day to day life in cybersecurity?

It would be Bash and shell. Most commonly, while we do some PoC on a red team attack, we use such scripts both to perform the action and to call other packages to help.

  • Sam, Purple Team Leader

Python for network automation and bash for scheduling tasks.

  • John, Cloud Engineer

To build up effective defense over time, what is the best way to begin assessing threats, attack paths, and adversaries?

Our organization, which contracts for a federal agency, requires significant code releases to go through an automated security scan. In addition, the top-level IT departments will mandate specific patches as high priority. Those responsibilities for system administration are outside of the scope of my application development team. Still, I would recommend this as a basic starting point for any software-oriented business.

  • Jose, Web Developer

The first defense is to remove the vulnerability that can be used from the attacker side. But the vulnerability is not always easy to find; sometimes the idea is to have good pentesting procedures that can open the cyber analyst's mind to threats that are not easy to find.

  • Mauro, Cybersecurity Analyst/DevSecOps

A correctly configured SOAR surely lets CSIRTs be more effective and faster when a security incident occurs. Moreover, with SOAR it is possible to standardize security operations, reduce the number of human errors and make threat intelligence really effective. In my humble opinion, there are no real open-source solutions that can be used in middle to large enterprises.

  • Danilo, CISO

How do you ensure that open-source web frameworks are trustworthy, especially when they have many dependencies (possibly from unknown or untrusted parties)?

Some of the node package managers for front end development will start throwing known security vulnerabilities or required patches during the build step itself. The tricky part is paying attention to the console during everyday development, because our continuous integration processes may not always catch those warnings.

  • Jose, Web Developer

In a few words, you can’t, at least not at a reasonable cost. If you have the source code you can use a tool for static code analysis, but usually this operation can lead to a high number of true and false positives. It is my opinion that the correct trade-off is to define and implement a secure development lifecycle and prepare your product to be monitored in order to detect attacks and/or other security issues.

  • Danilo, CISO

What are the best practices for securing API access?

Have a very good JSON Web Token system, based on a very good user validation (if it is possible) and with a very strong signature. This is one of the solutions. At the same time, use a very strong parameter validation control, and use some (more than one) vulnerability scanners, that can play with the parameters trying to find problems. Checking the business logic is also important. Securing API access is not easy work.

  • Jose, Web Developer
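An added example, not part of the reply above or of the newsletter: one way the token signature check and strict parameter validation can look server-side, using only the Python standard library. It assumes HS256 with a shared key of at least 32 bytes; the function names and the `order_id` parameter are hypothetical.

```python
import base64, hashlib, hmac, json, re, time

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(claims, key):
    """Issue a token; used here only to build constructed sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, key, now=None):
    """Return the claims or raise ValueError. The algorithm is pinned here."""
    if len(key) < 32:
        raise ValueError("key shorter than the 256-bit hash output")
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Never let the token choose the algorithm: accept only what we issue.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the MAC check
    if not isinstance(claims, dict):
        raise ValueError("claims must be an object")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        raise ValueError("expired or missing exp")
    return claims

ORDER_ID = re.compile(r"[0-9]{1,10}")  # hypothetical parameter format

def validate_order_id(value):
    """Allow-list check: exactly 1 to 10 ASCII digits, nothing else."""
    if not isinstance(value, str) or not ORDER_ID.fullmatch(value):
        raise ValueError("invalid order_id")
    return int(value)
```
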

Remove information that’s not meant to be shared via TLS.

  • Radu, Administrator
