The Start-Up Resource Blog
DevSec Divide Broadens With New Algolia Incident

Modern application architecture has redefined data security – and not necessarily in a good way. Many applications are now built out of hundreds of moving parts, with enterprise tools offering increasingly bespoke configurations and plugins. So, what is data security? And how can organizations continue to protect customers in a DevOps world that’s sometimes working against them?

Algolia, Hasty Devs, and Insecurities

Across almost every industry, a customer's ability to search your site is invaluable. It is rarely as simple as customers typing exactly what they want into a search bar: a customer may refer to a product differently than your site does, and with a traditional search mechanism anything that doesn't exactly match will almost certainly result in a bounce.

Intelligent site search, on the other hand, allows for customer searches that aren't verbatim. This transforms a site's search function into another tool for conversion, as the customer can now be guided through more of your products or services. It is also an analytics powerhouse, and because it re-indexes your site consistently, the newest content can be prioritized in rankings; the index can therefore cover far more than eCommerce products.

Users can thus find information they might not have known they were interested in. Site search tools let an end-user quickly discover the area they're looking for while being presented with the relevant information on the products and services you provide. They can also open the door to severe security flaws.

Algolia is one tool that offers intelligent site search. With over 17,000 customers worldwide, its industry presence is significant; it handles over 1 million requests every week for clients such as Mercari, Gymshark and more. The Algolia plugin lets any site owner or developer add the search tool, which brings us to the recent turn of events, in which Algolia may have suffered from its own success.

The Algolia API leak

Algolia’s plug-and-play approach is delivered through its Application Programming Interface (API). APIs are ubiquitous in today’s multifaceted tech landscape, as they allow different applications to communicate with one another. A key part of API security is the API key: a unique secret string that the calling application sends with each request so the API server can tell which application (and which account) is calling and what it is allowed to do. API keys are only one part of a broader authentication scheme; they identify an application, not an individual user. But a valid key is all the server needs in order to accept the call, so whoever holds the key inherits whatever that key is permitted to do.

In November 2022, CloudSEK researchers found that thousands of third-party applications using the Algolia API were deeply misconfigured: the Algolia API keys were retrievable from the application package itself. Dozens of apps went further and hardcoded the admin API key. The admin key is the root of the account: with it, an attacker can list and use every predefined key, including the usage, analytics and monitoring keys, read personal information about the app’s end users (including their IP addresses), and modify or delete the data the app stores in its indices.

Alongside the thousands of apps that are essentially ticking time bombs waiting for a data breach, CloudSEK counted 32 applications that hardcoded admin secrets. This is the most dangerous case: anyone who extracts the admin key from the app binary effectively holds full control of the account’s indices and keys, so the back end is as good as public. The affected applications spanned industries including shopping, education, medical companies and business.
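The triage an app security team would run on the findings above, as an added example (not CloudSEK's tooling and not Algolia's code): pull candidate Algolia credentials out of decompiled app strings, resolve what each key can do, and rate the exposure. The credential formats (10 upper-case alphanumerics for the application ID, 32 lower-case hex characters for a key), the ACL names and the `GET /1/keys/{key}` lookup are taken from Algolia's public API documentation; the decompiled snippet, the key values and the ACL responses are constructed, and the network lookup is injected as a callable so the script runs offline.

```python
"""Triage Algolia credentials pulled out of a decompiled app.

Added example, not CloudSEK's tooling and not Algolia's code. Assumed formats
(from Algolia's public docs): application IDs are 10 upper-case alphanumerics,
API keys are 32 lower-case hex characters. All sample values are made up.
"""
import re
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

APP_ID_RE = re.compile(r"\b[A-Z0-9]{10}\b")
API_KEY_RE = re.compile(r"\b[0-9a-f]{32}\b")

# ACL names as they appear in the "acl" field of GET /1/keys/{key}.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "settings", "editSettings"}
READ_ACLS = {"browse", "analytics", "usage", "logs", "listIndexes",
             "seeUnretrievableAttributes"}
PUBLIC_OK_ACLS = {"search", "recommendation"}   # what a client may legitimately hold


def extract_candidates(decompiled: str, window: int = 5) -> List[Tuple[str, str]]:
    """Find (app_id, api_key) pairs near the string 'algolia'.

    Heuristic: every key in the window is paired with every app ID in it;
    the live lookup later discards pairs that Algolia rejects."""
    lines = decompiled.splitlines()
    pairs = set()
    for i, line in enumerate(lines):
        if "algolia" not in line.lower():
            continue
        chunk = lines[max(0, i - window): i + window + 1]
        app_ids = [m for l in chunk for m in APP_ID_RE.findall(l)]
        keys = [m for l in chunk for m in API_KEY_RE.findall(l)]
        pairs.update((a, k) for k in keys for a in app_ids)
    return sorted(pairs)


def classify_acl(acl: List[str], can_list_keys: bool = False) -> str:
    """Rate a key by what it can do; only search-scoped keys belong in a client."""
    acl_set = set(acl)
    if can_list_keys or acl_set & WRITE_ACLS:
        return "critical"   # admin-equivalent: rewrite/delete indices, enumerate keys
    if acl_set & READ_ACLS:
        return "high"       # dumps records, analytics, usage, request logs (client IPs)
    if acl_set <= PUBLIC_OK_ACLS:
        return "ok"         # search-only: the one kind of key meant to be public
    return "review"


def key_lookup_request(app_id: str, api_key: str) -> urllib.request.Request:
    """Build, but do not send, the GET /1/keys/{key} call that returns a key's ACL."""
    return urllib.request.Request(
        f"https://{app_id}.algolia.net/1/keys/{api_key}",
        headers={"X-Algolia-Application-Id": app_id, "X-Algolia-API-Key": api_key},
    )


def triage(decompiled: str,
           lookup: Callable[[str, str], Optional[Dict]]) -> Dict[Tuple[str, str], str]:
    """Extract candidates, resolve each one's ACL through `lookup`, rate them.

    `lookup` is injected so the network step can be stubbed; a real one would
    send key_lookup_request() and return the parsed JSON, or None on a 403."""
    report = {}
    for app_id, key in extract_candidates(decompiled):
        info = lookup(app_id, key)
        if info is None:
            report[(app_id, key)] = "invalid"   # revoked key or wrong app ID
            continue
        report[(app_id, key)] = classify_acl(info.get("acl", []),
                                             info.get("can_list_keys", False))
    return report


# Constructed stand-in for strings from a decompiled APK; the keys are not real.
SAMPLE_DECOMPILED = """\
public final class SearchConfig {
    // algolia credentials baked into every install
    static final String APP_ID = "ABCDE12345";
    static final String SEARCH_KEY = "0123456789abcdef0123456789abcdef";
    static final String ADMIN_KEY = "a1b2c3d4e5f60718293a4b5c6d7e8f90";
}
"""

# Constructed ACLs standing in for GET /1/keys/{key} responses.
SAMPLE_KEYS = {
    "0123456789abcdef0123456789abcdef": {"acl": ["search"]},
    "a1b2c3d4e5f60718293a4b5c6d7e8f90": {"acl": ["search", "addObject", "deleteIndex", "logs"],
                                         "can_list_keys": True},
}


def sample_lookup(app_id: str, key: str) -> Optional[Dict]:
    return SAMPLE_KEYS.get(key)


if __name__ == "__main__":
    for (app_id, key), severity in triage(SAMPLE_DECOMPILED, sample_lookup).items():
        print(f"{severity:8} app={app_id} key={key[:6]}...")
```

The point of the ACL step is that a 32-character hex string tells you nothing on its own: a search-only key in an app bundle is by design, while a key that can write, browse or read logs is an incident. Run the lookup from a host you control and rate-limit it; every call is logged against the key's account.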

To be clear, this is not a flaw in Algolia itself, nor in the services that provide integrations. It is hard evidence of API key mishandling by developers. As such, it is up to the individual companies to address these concerns, and the clock is ticking: it takes on average only 9 days for attackers to begin exploiting publicly released vulnerabilities, and a leaked key needs no exploit at all, since it works the moment someone finds it. Revoking and reissuing the exposed keys is therefore the first step, before any code fix ships.

Securing API keys

The practice of hardcoding API keys into an application isn’t a malicious choice by developers. It is a natural result of tight time-to-market pressure, where the drive for efficiency overpowers the necessity of security.

As the problem is rooted in the development process, the fix belongs there too: replace hardcoded secrets with a just-in-time delivery mechanism that hands an API key only to app instances that have already authenticated, and only when one is needed to make an API call. The key handed out should also be the least privileged one that works: Algolia’s search-only keys are designed to be public, while the admin key should never leave the server. Together these remove the Algolia leak scenario and tighten the whole API-calling process. They do not retroactively fix keys already shipped in published app versions, which must be rotated because old binaries stay in circulation. For instances that cannot be patched immediately, there are further steps companies can take.
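What the just-in-time pattern looks like in code, as an added example that is not Algolia's client library and not from the original post: the hardcoded key is replaced by a server endpoint that mints a short-lived, user-pinned, index-restricted key for each authenticated session. The secured-key construction (HMAC-SHA256 over the URL-encoded restrictions, prefixed to them and base64-encoded) mirrors Algolia's documented scheme and should be checked against the client library you use; the parent key value, the `products` index name, the `issue_session_key` endpoint and the session check are stand-ins.

```python
"""Just-in-time search credentials instead of a hardcoded key.

Added example, not Algolia's client library. The secured-key construction
(HMAC-SHA256 of the URL-encoded restrictions, prefixed to them, base64-encoded)
mirrors Algolia's documented scheme; confirm against the client you use.
Key values, the index name and the session check are stand-ins.
"""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Before: the app shipped this in its bundle, so every install carried it.
#   ALGOLIA_ADMIN_KEY = "a1b2c3d4..."   # extractable by anyone with the APK
# After: the admin key never leaves the server and is never used for search.
# A search-only parent key (constructed value) derives the per-session keys.
SEARCH_ONLY_PARENT_KEY = "0123456789abcdef0123456789abcdef"
PUBLIC_INDEX = "products"


def generate_secured_api_key(parent_key: str, restrictions: Dict) -> str:
    """Derive a secured key: the server recomputes the HMAC with the parent
    key and enforces the embedded restrictions on every request."""
    params = urlencode(restrictions)
    digest = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((digest + params).encode()).decode()


def decode_secured_api_key(secured_key: str, parent_key: str) -> Optional[Dict[str, str]]:
    """Recover the restrictions and verify the HMAC (the server-side check).
    Returns None for a forged or tampered key, or one from another parent."""
    try:
        raw = base64.b64decode(secured_key, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    digest, params = raw[:64], raw[64:]
    expected = hmac.new(parent_key.encode(), params.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None
    return {k: v[0] for k, v in parse_qs(params).items()}


def issue_session_key(user_id: Optional[str], ttl_seconds: int = 3600,
                      now: Optional[float] = None) -> str:
    """The just-in-time endpoint. Only an authenticated session gets a key;
    the key expires, is pinned to that user, and is limited to one index."""
    if not user_id:
        raise PermissionError("unauthenticated clients get no search key")
    now = time.time() if now is None else now
    restrictions = {
        "validUntil": int(now) + ttl_seconds,
        "restrictIndices": PUBLIC_INDEX,
        "userToken": user_id,
    }
    return generate_secured_api_key(SEARCH_ONLY_PARENT_KEY, restrictions)


def valid_at(secured_key: str, parent_key: str, now: float) -> bool:
    """Signature intact and not yet past validUntil."""
    r = decode_secured_api_key(secured_key, parent_key)
    return r is not None and now < int(r.get("validUntil", 0))


if __name__ == "__main__":
    key = issue_session_key("user-42", ttl_seconds=600)
    print("client receives:", key[:32], "...")
    print("restrictions seen by server:", decode_secured_api_key(key, SEARCH_ONLY_PARENT_KEY))
    print("valid now:", valid_at(key, SEARCH_ONLY_PARENT_KEY, time.time()))
```

A key extracted from a client built this way is worth an hour of search against one index as one user, not the whole account. The parent key is itself search-only, so even a compromise of the minting server yields read access to public search results and nothing more; the admin key stays in a secret store and is only ever used for indexing jobs.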

A major component of modern API insecurity is that companies often do not know the full set of APIs they rely on. Individual applications are easy enough to track, but the APIs they call remain a persistent visibility challenge. Third-party security solutions can offer in-depth API discovery and classification, letting you detect and classify the sensitive information flowing through the API tech stack. Identifying and classifying that data is the first step toward aligning the organization with modern data privacy rules and regulations.

Once you have a handle on the swathes of APIs and the data each one handles, security tooling can automatically detect even advanced API threats. This detection can trigger at any sign of API abuse or data theft, allowing you to protect the customers that form the backbone of any stable organization.

© 2023 My i Life Media