Salt Security Launches Salt Labs

July 2021 by Marc Jacob

Salt Security announced the launch of Salt Labs, a now-public forum for publishing research on API vulnerabilities. Through its vulnerability and threat research as well as industry reports, Salt Labs will be a resource for enterprises looking to harden infrastructure against API risk. It will also be a source of more widespread public awareness of API security threats, furthering the mission of Salt Security to provide comprehensive API security and accelerate business innovation by making APIs attack-proof.

API security concerns have become a significant inhibitor of business innovation. According to the Salt Security State of API Security Report, 66% of organizations have delayed the deployment of a new application because of API security concerns. To counter these concerns, Salt Labs will provide research and reports organizations can use to improve their API security posture and mitigate threats impacting API-centric businesses. Utilizing a deep technical understanding of API threats, security gaps, and misconfigurations, Salt Labs will focus on delivering high-impact threat research, uncovering the latest API attack vectors, and providing remediation best practices to make API security programs increasingly agile and actionable.

The private sharing of API threat research findings to date has highlighted the need for more education related to key API security issues and vulnerabilities, which are too often thought to be thwarted by traditional tools such as web application firewalls (WAFs) and API gateways. Salt Labs aims to enhance users’ abilities to recognize security gaps within their own APIs, enabling them to take aggressive, proactive action to harden their APIs and associated back-end systems. As a result, more companies will be able to secure the integrity and protection of sensitive customer and business-critical data.

Today’s inaugural vulnerability research highlights several API security gaps at a large financial institution. Salt Labs researchers identified inadequate authorization for data access, inadequate authorization for function access, susceptibility to parameter tampering, and improper input filtering across the financial platform used by thousands of customers and financial partners. The Salt Labs researchers exploited these vulnerabilities to demonstrate that:

Any user could read any financial records of any customer, despite lacking the proper authorization

Any user could delete any customer’s user accounts across the financial platform

Any user could tamper with authentication parameters and take over any account

Any user could launch an application-level denial of service attack that would render entire applications unavailable
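The first three findings listed above are, in defensive terms, missing object-level authorization, missing function-level authorization, and trust in a client-supplied identity parameter. The following Python illustration is added here to show each gap beside a hardened handler; it is not the institution's code, not Salt Labs' research harness, and every user, record and identifier in it is constructed sample data.

```python
"""Added illustration (not the institution's or Salt Labs' code) of the
authorization gaps named in the article, each beside a hardened handler.
Users, records and identifiers are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two customers and one support administrator.
RECORDS = {
    "rec-1001": {"owner": "alice", "balance": 1200},
    "rec-1002": {"owner": "bob", "balance": 87},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support_admin"}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass
class Session:
    """Server-side session state; `user` is None for anonymous callers."""
    user: Optional[str]


def require_login(session: Session) -> str:
    """Authentication only: proves *someone* is logged in, nothing more."""
    if session.user is None or session.user not in ROLES:
        raise Unauthenticated()
    return session.user


# 1. Object-level authorization: who may read a given record?
def get_record_vulnerable(session: Session, record_id: str) -> dict:
    require_login(session)
    return RECORDS[record_id]  # authenticated, but ownership is never checked


def get_record_hardened(session: Session, record_id: str) -> dict:
    user = require_login(session)
    record = RECORDS.get(record_id)
    # Same error for "missing" and "not yours", so the response does not
    # confirm that a foreign record exists.
    if record is None or record["owner"] != user:
        raise Forbidden()
    return record


# 2. Function-level authorization: who may call an administrative action?
def delete_account_vulnerable(session: Session, target: str, users: dict) -> dict:
    require_login(session)
    users = dict(users)
    users.pop(target, None)  # any logged-in user can remove any account
    return users


def delete_account_hardened(session: Session, target: str, users: dict) -> dict:
    user = require_login(session)
    if ROLES.get(user) != "support_admin":
        raise Forbidden()  # role is checked server-side on every call
    users = dict(users)
    users.pop(target, None)
    return users


# 3. Parameter tampering: identity must come from the session, not the request.
def current_user_vulnerable(session: Session, params: dict) -> str:
    require_login(session)
    return params["user_id"]  # trusts a client-controlled field


def current_user_hardened(session: Session, params: dict) -> str:
    return require_login(session)  # ignores whatever identity the client sent


def is_denied(handler, *args) -> bool:
    """True when `handler` rejects the call with an authorization error."""
    try:
        handler(*args)
    except (Unauthenticated, Forbidden):
        return True
    return False


if __name__ == "__main__":
    alice = Session("alice")
    print(get_record_vulnerable(alice, "rec-1002"))  # bob's record is returned
    print(is_denied(get_record_hardened, alice, "rec-1002"))  # hardened path denies
```

The pattern to take from the hardened handlers is that every request re-derives the caller from server-side state and then checks that caller against the specific object or action requested; a WAF or gateway in front of the service sees only well-formed, authenticated traffic and cannot make either decision for it.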