Audit and intrusion tests Archives - KYOS https://www.kyos.ch/en/category/sec-en/sec_check-en/ Better safe than sorry Tue, 22 Oct 2024 14:18:45 +0000 en-US hourly 1 https://www.kyos.ch/wp-content/uploads/2021/04/cropped-Kyos_favicon_transparent-32x32.png Audit and intrusion tests Archives - KYOS https://www.kyos.ch/en/category/sec-en/sec_check-en/ 32 32 API in Danger: Underestimated Security Holes  https://www.kyos.ch/en/in-the-news/api-in-danger/ Tue, 22 Oct 2024 13:49:20 +0000 https://www.kyos.ch/?p=19944 In recent years, API security has become a crucial issue for companies, with several significant leaks revealing the vulnerabilities of API integrations. For example, in June 2024, Authy (Twilio) suffered an attack resulting in the exfiltration of personal data of 33.4 million users [1]. This was caused by poor API authorization management, exposing phone numbers. […]

The post API in Danger: Underestimated Security Holes  appeared first on KYOS.

]]>
À propos
Main Menu

API in Danger: Underestimated Security Holes 

In recent years, API security has become a crucial issue for companies, with several significant leaks revealing the vulnerabilities of API integrations. For example, in June 2024, Authy (Twilio) suffered an attack resulting in the exfiltration of personal data of 33.4 million users [1]. This was caused by poor API authorization management, exposing phone numbers. Another major breach hit Ivanti, where cyber attackers exploited an API authentication bypass flaw, allowing unauthorized access to endpoints and indirectly compromising 12 Norwegian ministries [2]. 

These incidents are just the tip of the iceberg. They illustrate a growing trend of API attacks, which have exploded in recent years. Yet, many companies are unaware of the number of APIs they use. APIs are now ubiquitous, even on showcase sites with third-party extensions, making every interface a potential door for cybercriminals. 

What is an API?

An API (Application Programming Interface) is a set of rules and protocols that allow different applications to communicate with each other. The most commonly used APIs are REST, SOAP, and GraphQL. Here are their main differences: 

  • REST (Representational State Transfer): An architectural style using the HTTP protocol to interact with resources via URLs. It returns data in various formats (JSON, XML, etc.), with JSON being the most used for its lightness. REST is stateless, meaning each request must contain all the information needed for its processing. 
  • SOAP (Simple Object Access Protocol): A standard protocol for exchanging XML messages. It is more complex than REST but offers robust security standards (WS-Security). SOAP can operate in a stateless or stateful manner, allowing session management. 
  • GraphQL (Graph Query Language): Designed by Facebook, GraphQL allows clients to request exactly the data they need. Unlike REST, which relies on distinct resources, GraphQL uses a single endpoint to return the information specified by the client in JSON format. 

The choice of API type depends on the specific needs of the application. REST is often preferred for modern web applications, SOAP for environments requiring high security standards, and GraphQL for complex applications with precise data needs. 

Securing APIs: A Top Priority

A single flaw can be very costly and permanently tarnish a company’s image, with significant financial and reputational consequences. One solution for organizations is to regularly conduct security audits and penetration tests on their APIs. These actions help detect and correct vulnerabilities before they are exploited by cybercriminals. 

Recent examples of breaches clearly show why API security must be a priority for any company. Even showcase sites integrating third-party extensions can expose flaws. 

API-targeted attacks are becoming increasingly sophisticated and frequent. Protecting these interfaces is therefore essential to ensure the security of your data and the continuity of your operations. Don’t let a flaw jeopardize your business. 

Protect your web applications today!

An undetected security flaw can compromise the security of your web applications and damage the trust of your customers. At KYOS, we offer comprehensive penetration testing of your interfaces, including REST APIs and web applications, to identify and correct critical vulnerabilities. 

Our Pentest Web Essential offer includes: 

  • A kick-off meeting 
  • Definition of prerequisites 
  • Analysis of 20 endpoints (web pages or API functions) 
  • Full report with findings and recommendations 

Additional options are available, such as analysis of a further 20 endpoints or a review session of the results. 

Contact us today to secure your applications and guarantee your customers’ trust! 

More information on this subject?

We are at your disposal!

Contact us

The post API in Danger: Underestimated Security Holes  appeared first on KYOS.

]]> We successfully renewed our Crest Membership https://www.kyos.ch/en/sec-en/sec_check-en/we-successfully-renewed-our-crest-membership/ https://www.kyos.ch/en/sec-en/sec_check-en/we-successfully-renewed-our-crest-membership/#respond Mon, 18 Oct 2021 11:52:11 +0000 https://www.kyos.ch/?p=13748 Kyos team is proud to announce that we successfully renewed our Crest Membership. This accreditation allows our clients to get CREST Certified penetration testings directly from Kyos. This standard ensures clients that they can get high-quality services from Kyos and entrusted professional ethical hackers. ‘CREST is pleased to welcome Kyos as an accredited member company’, […]

The post We successfully renewed our Crest Membership appeared first on KYOS.

]]>

About

Main Menu

We successfully renewed our Crest Membership

Kyos team is proud to announce that we successfully renewed our Crest Membership. This accreditation allows our clients to get CREST Certified penetration testings directly from Kyos. This standard ensures clients that they can get high-quality services from Kyos and entrusted professional ethical hackers.

‘CREST is pleased to welcome Kyos as an accredited member company’, said Ian Glover a year ago, president of CREST, ‘Kyos has been through a demanding assessment process that examined test methodologies, legal and regulatory requirements, data protection standards, logging and auditing, internal and external communications with stakeholders, as well as how test data security is maintained. Awarding Kyos membership for its penetration testing services means that we are formally recognizing that the company consistently delivers the highest professional security services standards to its customers’.

In fact, CREST provides clients with a clear indication of the quality of the organization and the technical capability of staff they have access to, including:

  • Access to trusted service organizations utilizing highly skilled, knowledgeable and competent individuals
  • Procurement support
  • Industry benchmarks
  • Rigorous application process for added assurance

In order to become certified, Kyos has submitted policies, processes and procedures relating to our service provision to CREST providing added assurance for our clients. These policies, processes and procedures have been assessed by CREST and have been deemed fit for purpose and include:

  • Certified individuals
  • Language capability
  • Assignment preparation & scope
  • Assignment execution
  • Technical Methodology
  • Tools & resources
  • Event analysis & response
  • Data Storage and Transmission Controls
  • Information sharing
  • Reporting
  • Deliverables
  • Post technical delivery
  • Asset/Information/Document Storage, Retention and Destruction

About CREST

CREST is a not-for-profit accreditation and certification body representing the technical information security industry. CREST provides internationally recognized accreditations for organizations providing technical security services and professional level certifications for individuals providing vulnerability assessment, penetration testing, cyber incident response, threat intelligence and security operations center (SOC) services. CREST Member companies undergo regular and stringent assessment, whilst CREST certified individuals undertake rigorous examinations to demonstrate the highest levels of knowledge, skill and competence. To ensure currency of knowledge in fast-changing technical security environments, the certification process is repeated every three years.

More information on this subject?

We are at your disposal!

Contact us

The post We successfully renewed our Crest Membership appeared first on KYOS.

]]> https://www.kyos.ch/en/sec-en/sec_check-en/we-successfully-renewed-our-crest-membership/feed/ 0