Salt Security adds defense against OAuth attacks

Salt Security has added a new OAuth security offering to its API protection platform to help organizations detect attempts to exploit OAuth and fix vulnerabilities associated with the protocol.

OAuth is an open-standard authorization protocol, or framework, that describes how unrelated servers and services can safely grant authenticated access to their assets without actually sharing the user's single, original logon credential.

“Our new OAuth protection package comes in two parts,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “The first is to strengthen our industry-first API Posture Governance engine. We do this by providing specific posture rules to help reduce OAuth-specific API risks. The second capability part of this package is specific threat detection rules to help prevent OAuth-based threats we have seen attackers using in the wild.”

The offering is available at launch to Salt customers through the Salt Security API protection platform.

Increase in OAuth attacks

Threat actors have widely targeted the OAuth authorization framework because its controls are often incompletely understood and its configuration poorly enforced.

“Since there are numerous ways that the OAuth process can be implemented, it’s easy to not properly or fully configure OAuth when initially implementing it,” said David Vance, senior analyst at ESG Global. “Moreover, the OAuth specification is relatively vague and flexible by design, so it’s easy to configure OAuth to ‘just work’, but not be implemented in a fully secure manner. As a result, the most common exploits involve attackers taking advantage of these OAuth misconfigurations and poor implementations, especially during the OAuth flow (aka authentication process) that leads to unauthorized access to user data or systems.”

Salt is the first and the only vendor in the market to provide this functionality to help mitigate risk associated with a new class of OAuth threats, Schwake claimed.

In-house AI for mitigation

Vulnerabilities in OAuth systems can leave access tokens or authorization codes susceptible to theft. Attackers can leverage those stolen elements to impersonate legitimate users and gain unauthorized access to sensitive resources and applications, the company said in a press statement.

“The OAuth 2.0 framework is the industry standard protocol for authentication that has been around for years now (I believe since 2012),” Vance said. “There have been numerous vulnerabilities discovered involving OAuth 2.0, but most are a result of a misconfiguration or poor implementation of OAuth 2.0 that resulted in unauthorized access to user data or unauthorized access to an application or system by bypassing authentication completely.”

Salt Security uses the Salt platform’s proprietary AI to power the new OAuth protection offering. “Our unique AI engine allows us to help detect and mitigate OAuth threats to mitigate risk within APIs in a differentiated fashion,” Schwake added.

Salt Security’s OAuth enhancements are great and needed, considering the increased usage of APIs and microservices that utilize OAuth for authentication and how easy it is to not fully implement OAuth securely, Vance added.
