


Expert comment: Twitter confirms stolen user records

November 2022 by Ed Williams, EMEA Director of SpiderLabs at Trustwave

Following the news that Twitter has confirmed the theft of over 5.4 million Twitter user records containing non-public information, stolen by Pompompurin using an API vulnerability fixed in January, Ed Williams, EMEA Director of SpiderLabs at Trustwave, comments. He details how API security is one of the most underestimated areas of cybersecurity, and what more needs to be done. Ed Williams explains:



"API (Application Programmer Interface) security appears to be one of the most underestimated areas of cyber security. APIs allow computers to communicate with one another, and account for 80% of all the traffic that traverses the Internet. In short, APIs are very important and should be treated as such.


Yet, we still see common security-related issues around APIs; most notably authentication (or lack of) based issues, a lack of resource and rate limiting, and generic API security misconfigurations like TLS, error handling and logging. We know from recent data breaches that a combination of these can yield significant amounts of personal data.


APIs, like all other forms of Internet-facing infrastructure, should be hardened from a security perspective; this can be achieved through appropriate threat modelling, security design and focused Penetration Testing.


It’s also important to consider APIs in terms of asset management; all too often APIs have been compromised without the client knowing the API existed in the first place. To be able to secure something, you must first know you have it or intend to have it."
