
Latest News

9 Data security best practices and how to implement them

Companies today are consuming and deploying more data than ever. At the same time, there's also a growing cybersecurity talent shortage, as well as an increasingly dangerous threat landscape. Unfortunately, this combination leaves companies at risk for costly breaches and vulnerabilities. For this reason, many traditional IT security engineers are upskilling and transitioning into data security to help close the cybersecurity gap and protect private data.

Kubernetes API Access Security Hardening

In a Kubernetes cluster, the Control Plane controls Nodes, Nodes control Pods, Pods control containers, and containers control applications. But what controls the Control Plane? Kubernetes exposes APIs that let you configure the entire Kubernetes cluster management lifecycle. Thus, securing access to the Kubernetes API is one of the most security-sensitive aspects to consider in Kubernetes security.

Five tips to jumpstart your SaaS hiring efforts

Hiring is hard. If you're a remote company like we are, you already have a head start. A larger pool of applicants, more practical benefits over a "fun office", etc. That doesn't mean that when the time comes to hire for a new role, you will immediately find the perfect candidate. When we were hiring for our recent frontend developer role, we were surprised how hard it ended up being. Not for lack of candidates, but instead for the right fit within our existing team.

API attack types and mitigations

Stop, look, listen; lock, stock, and barrel; "Friends, Romans, Countrymen..." The 3 Little Pigs; Art has 3 primary colors; photography has the rule of thirds; the bands Rush and The Police; the movie The 3 Amigos. On and on it goes - "Omne trium perfectum" – “Everything that comes in threes is perfect.” While this article doesn’t provide perfection, we’ll focus on the top three API vulnerabilities (according to OWASP).

API security: 12 essential best practices to keep your data & APIs safe

If you don’t think API security is that important, think again. Last year, 91% of organizations had an API security incident. The proliferation of SOAP and REST APIs makes it easy for organizations to tailor their application ecosystems. But APIs also hold the keys to all of a company’s data. And as data-centric projects become more in demand, it increases the likelihood of a targeted API attack campaign.

New functionality added to the Detectify API

Getting a complete overview of the growing attack surface is difficult. Regardless of how security is organised in your organisation, knowing what Internet-facing assets are exposed and if those assets are vulnerable across many different teams is no simple task. This is doubly true for security teams with dozens – or even hundreds! – of dev teams. We’ve now made it possible for customers on the Enterprise Plan to create and manage subteams through the Detectify API.

How our product engineering workflow has evolved

As we explained in a previous blog post, we decided to pivot at the end of summer 2020. Pivoting our products has been a major change in our cross-functional team’s organization, and we used it as an opportunity to start our UI/UX and engineering processes from scratch. One of the aspects of that change is the organizational changes it implied, driven by our desire to iterate fast with the first pioneer users of the product that were—and still are—helping us build it.

Penetration Testing To Prevent API Attack

This blog describes the attack path we have uncovered during a recent penetration test of a web application, coupled with a back-end infrastructure assessment. Throughout we introduce different attack techniques and tools that can be used to attack the underlying infrastructure and APIs of a web application.

A Problem Like API Security: How Attackers Hack Authentication

There is a sight gag that has been used in a number of movies and TV comedies that involves an apartment building lobby. It shows how people who don’t live there, but who want to get in anyway, such as Girl Guides looking to sell cookies to the tenants, simply run their fingers down every call button on the tenant directory, like a pianist performing a glissando, knowing that at least one of the dozens of apartments being buzzed will let them in simply out of reflex or laziness.

Why API Integrations Are Critical for Security Service Edge (SSE) Success

Gartner’s introduction of the Security Service Edge (SSE) Magic Quadrant in February of 2022 has been an impetus for organizations to reassess their cloud access security broker (CASB) solutions. CASB is one of the three core components of SSE and the piece of the puzzle that handles cloud security for SaaS and IaaS applications.