High Severity Vulnerabilities Reported In F5 BIG-IP And BIG-IQ Devices


https://twitter.com/cyberfeedio/status/1593153764197683201

Nick Rago, Field CTO
InfoSec Expert
November 23, 2022 11:23 am

Organizations don’t always write all of their own APIs. For many organizations, production APIs in use extend beyond only in-house developed APIs. Third-party developed APIs (sometimes referred to as ghost or ghostwritten APIs) are commonly deployed and used as part of packaged applications (commercial and open-source), SaaS-based services, on-premises and cloud-based infrastructure components (such as an admin API on a virtual appliance), and more. Organizations exert no influence over how the APIs are developed and must trust that outside developers followed API security best practices. Third-party APIs are used daily as part of a functional digital supply chain or serve as critical interfaces to third-party infrastructure management. In some cases, third-party APIs are unintentionally and unknowingly exposed as part of a packaged application, no-code platform, or appliance rollout. In either case, because the third-party developed APIs are written and published outside the typical DevOps cycle that an internally developed API flushes through, they frequently have not been properly inventoried, governed, tested, monitored, and maintained.

This poses a large array of security risks to an application and its underlying infrastructure. At the end of the day, the fact that you didn’t write an API that is exposed and in use in your environment doesn’t give you a security pass.

You are still responsible for ensuring those APIs are inventoried, secured, maintained (kept up to date) and monitored for potential vulnerabilities and abuse.

Last edited 10 days ago by Nick Rago