High Severity Vulnerabilities Reported In F5 BIG-IP And BIG-IQ Devices

By ISBuzz Team
Writer, Information Security Buzz | Nov 23, 2022 03:17 am PST

1 Expert Comment
Nick Rago, Field CTO
InfoSec Expert
November 23, 2022 11:23 am

Organizations don’t always write all of their own APIs. For many organizations, production APIs in use extend beyond only in-house developed APIs. 3rd party developed APIs (sometimes referred to as ghost or ghostwritten APIs) are commonly deployed and used as part of packaged applications (commercial and open-source), SaaS-based services, on-premise and cloud-based infrastructure components (such as an admin API on a virtual appliance), and more. Organizations exert no influence over how the APIs are developed and must trust that outside developers followed API security best practices. 3rd party APIs are used daily as part of a functional digital supply chain or serve as critical interfaces to 3rd party infrastructure management. In some cases, 3rd party APIs are unintentionally and unknowingly exposed as part of a packaged application, no-code platform, or appliance rollout. In either case, because the 3rd party developed APIs are written and published outside the typical DevOps cycle that an internally developed API flushes through, they frequently have not been properly inventoried, governed, tested, monitored, and maintained.

This poses a large array of security risks to an application and its underlying infrastructure. At the end of the day, the fact that you didn’t write an API that is exposed and in use in your environment doesn’t give you a security pass.

You are still responsible for ensuring those APIs are inventoried, secured, maintained (kept up to date) and monitored for potential vulnerabilities and abuse.
