AI Agents Are a New Kind of Identity — and Most Organizations Aren't Ready
If you're handling AI agents like a service account or API token, consider yourself behind. AI agents need a fundamentally different approach.
API security focuses on protecting application interfaces from unauthorized access, data exposure, abuse, and flaws in authentication or design.
Search across headline titles and summaries.
Background for this topic.
Application Programming Interfaces (APIs) are sets of rules that allow software applications to communicate and exchange data, often enabling functionality across different systems or services. APIs define how requests and responses are structured, making it possible for programs to interact without direct user involvement. In cybersecurity, APIs are commonly exposed over networks as endpoints that handle sensitive operations like data retrieval, user authentication, or transaction processing.
APIs increase the attack surface by exposing endpoints that attackers can target with unauthorized access attempts, injection attacks, or denial-of-service. Common risks include weak or missing authentication, insufficient input validation, and improper rate limiting. Effective API security requires strong authentication protocols (e.g., OAuth), strict input validation to prevent injection, rate limiting to mitigate abuse, and comprehensive logging to detect anomalies. Protecting APIs is critical to prevent data leaks, privilege escalation, and service disruption in interconnected environments.
Weekly headline count for the current query.
If you're handling AI agents like a service account or API token, consider yourself behind. AI agents need a fundamentally different approach.
A security researcher discovered the API keys can still be used for up to 23 minutes after deletion, even though the cloud provider claims deletion is immediate.
Someone used AI to build an entire Web platform, which then did something predictable and preventable: It exposed all its data through a publicly accessible API.
Malware used in a months-long attack demonstrates how bad actors are misusing generative AI services in unique and stealthy ways.
Hardcoded credentials, access tokens, and API keys are ending up in the darnedest places, prompting a call for organizations to stop over-privileging secrets.
Exposure of APIs, sensitive data, and corporate documents are just some of the security issues that the purveyor of Big Macs was cooking up.
Using the API Connections for Azure Logic Apps, a security researcher found unauthenticated users could access sensitive data of other customers.
Data exfiltration was the most common malware in Sonatype report, with more than 4,400 packages designed to steal secrets, personally identifiable information, credentials, and API tokens.
The attack is similar to previous campaigns by an actor called Commando Cat to use misconfigured APIs to compromise containers and deploy cryptocurrency miners.
Researchers discovered an attack chain that uses several layers of obfuscated batch files and PowerShell scripts to deliver an advanced and persistent rootkit.
The new The F5 Application Delivery Controller and Security Platform combines BIG-IP, NGNIX and Distributed Cloud Services and new AI Gateway and AI Assistants.
The secret use of other people's generative AI platforms, wherein hijackers gain unauthorized access to an LLM while someone else foots the bill, is getting quicker and stealthier by the month.
Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.
The attack used a stolen remote support SaaS API key to exfiltrate data from workstations in the Treasury Department's Office of Foreign Assets Control.
The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.
Open source Prometheus servers and exporters are leaking plaintext passwords and tokens, along with API addresses of internal locations.
Attackers are betting that the hype around generative AI (GenAI) is attracting less technical, less cautious developers who might be more inclined to download an open source Python code package for free access, without vetting it or thinking twice.
Attackers are exploiting the "Envelopes: create API" of the enormously popular document-signing service to flood corporate inboxes with convincing phishing emails aimed at defrauding organizations. It's an unusual attack vector with a high success rate.
Misconfigurations, weak authentication and logic flaws are among the main drivers of API security risks at many organizations.