<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Nathan</title>
    <description>The latest articles on Forem by Nathan (@nathan20).</description>
    <link>https://forem.com/nathan20</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F830451%2F47bb0993-7d6b-4c6b-a03e-adcb27c95bc5.png</url>
      <title>Forem: Nathan</title>
      <link>https://forem.com/nathan20</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/nathan20"/>
    <language>en</language>
    <item>
      <title>Shadow API Adoption Skyrockets 900%! 🚀</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Thu, 07 Sep 2023 12:39:29 +0000</pubDate>
      <link>https://forem.com/nathan20/shadow-api-adoption-skyrockets-900-3827</link>
      <guid>https://forem.com/nathan20/shadow-api-adoption-skyrockets-900-3827</guid>
      <description>&lt;p&gt;In the API world, there's a buzz around a mysterious term: &lt;strong&gt;Shadow APIs&lt;/strong&gt;. These hidden APIs are undocumented or unofficial application programming interfaces (APIs) within web services. While the visible web is like the tip of an iceberg, Shadow APIs are the hidden bulk beneath.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Do They Matter?
&lt;/h2&gt;

&lt;p&gt;Shadow APIs are crucial because they drive innovation and interoperability. Developers use them to create unofficial integrations and features, enhancing user experiences and enabling automation. But their use raises ethical concerns, as they can skirt privacy and security boundaries. The term "Shadow API" extends from unofficial or undocumented APIs to official APIs that are hidden or even forgotten due to the growth of microservices. &lt;br&gt;
(On the growing problem of shadow APIs, see this &lt;a href="https://cyberprotection-magazine.com/the-growing-problem-of-shadow-apis"&gt;article&lt;/a&gt;.)&lt;br&gt;
According to research, in the latter part of 2022 a staggering 45 billion shadow API search queries were initiated, revealing a jaw-dropping 900% surge compared to the mere 5 billion attempts seen in the first half of the year.&lt;br&gt;
In the new &lt;a href="https://owasp.org/API-Security/editions/2023/en/0x11-t10/"&gt;OWASP API Security Top 10&lt;/a&gt;, a new category appears: &lt;a href="https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/"&gt;Improper Inventory Management (API9)&lt;/a&gt;.&lt;br&gt;
According to OWASP, maintaining a comprehensive inventory of hosts and deployed API versions is crucial for addressing concerns like deprecated API versions and the inadvertent exposure of debug endpoints or shadow APIs.&lt;br&gt;
Shadow APIs pose a unique challenge for every organization, as they can be hard to detect and trace, potentially compromising data security and privacy. &lt;/p&gt;

&lt;h2&gt;
  
  
  Some Tips to reduce improper management
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Inventory and Documentation: Documenting and Documenting &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Educate and Raise Awareness: Educate your teams about the importance of using official, documented APIs whenever possible.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Establish API Governance: Implement a clear API governance framework.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Management and Discovery: &lt;br&gt;
&lt;a href="http://blstsecurity.com"&gt;Blst&lt;/a&gt; can assist you in managing all your APIs, including shadow ones. The API Security Platform offers a single, comprehensive view of your data sources, both on-premise and in the cloud. It can monitor load balancers, API gateways, and web application firewalls, helping you discover and categorize various types of APIs, such as HTTP, RESTful, GraphQL, SOAP, XML-RPC, JSON-RPC, and gRPC.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Secure Official APIs: Prioritize the security of official APIs by implementing proper authentication, authorization, encryption, and access controls. Make official APIs more attractive and functional to discourage the use of shadow alternatives.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Review Third-Party Integrations: Examine third-party integrations and vendor relationships. Ensure that external partners and vendors are using official APIs and following security best practices. Refer to &lt;a href="https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/"&gt;OWASP&lt;/a&gt; for more info.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Regular Audits and Assessments: Conduct regular audits and security assessments of your API ecosystem, including both official and shadow APIs. Identify vulnerabilities and address them promptly.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Shadow APIs offer a glimpse into the web's hidden power. They represent both innovation and ethical dilemmas, making responsible exploration essential in this digital frontier.&lt;/p&gt;

&lt;p&gt;If you are interested in hearing more about the subject, &lt;br&gt;
join our webinar.&lt;br&gt;
Register at the link below 👇 - &lt;br&gt;
 &lt;a href="https://blstsecurity.com/how-to-discover-your-hidden-apis-webinar"&gt;https://blstsecurity.com/how-to-discover-your-hidden-apis-webinar&lt;br&gt;
&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>api</category>
      <category>productivity</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>How to make your Rust project management successful?</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Tue, 14 Feb 2023 16:34:58 +0000</pubDate>
      <link>https://forem.com/nathan20/how-to-make-your-rust-project-management-successfully-57m3</link>
      <guid>https://forem.com/nathan20/how-to-make-your-rust-project-management-successfully-57m3</guid>
      <description>&lt;p&gt;The module system in Rust provides a range of features for organizing your code, such as controlling what details are public or private and managing the scope and names of items within your programs. This system comprises several features, including:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Packages&lt;/li&gt;
&lt;li&gt;Crates&lt;/li&gt;
&lt;li&gt;Modules &lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Why do we need crates?
&lt;/h3&gt;

&lt;p&gt;Crates provide a way to modularize code. This means that code can be organized into smaller pieces that can be used independently of each other. This is especially important for large projects, where it can be difficult to keep track of all the code in one place.&lt;br&gt;
Crates also provide a way to share code between different projects. This is important for two reasons. First, it allows different projects to reuse code that has already been written, which saves time and effort. Second, it allows different projects to use the same code base, which makes it easier to maintain and update the code.&lt;/p&gt;

&lt;p&gt;Crates are the key to successful Rust project management. By keeping your project's dependencies isolated in crates, you can ensure that your project will build and run correctly on any platform. Crates also allow you to manage your project's dependencies more effectively, by allowing you to specify exactly which versions of each crate your project depends on.&lt;br&gt;
 Crates allow you to modularize your code, and they provide a way for you to manage dependencies between different parts of your codebase. &lt;br&gt;
 We need to distinguish two types of crates:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Binary crates can be compiled to an executable program.&lt;/li&gt;
&lt;li&gt;Library crates are simply libraries, as in other programming languages.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  What are packages?
&lt;/h3&gt;

&lt;p&gt;A package is a group of crates that do things.&lt;br&gt;
A package may contain one or more crates.&lt;br&gt;
A package is declared in Cargo.toml.&lt;br&gt;
Packages allow you to divide your code into logical units that you can reuse in other projects.&lt;br&gt;
This can help to organize and maintain your code.&lt;br&gt;
It also allows you to easily share code with other developers.&lt;br&gt;
Cargo will generate a new project, including the Cargo.toml &lt;br&gt;
file, for you when you create it.&lt;br&gt;
To create a new package:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flx6al0muesxnvnanpy3t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flx6al0muesxnvnanpy3t.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This Cargo.toml contains information about your project, including its dependencies (packages that your project needs to compile). You can edit this file to add new dependencies or remove existing ones.&lt;/p&gt;

&lt;h3&gt;
  
  
  What are modules?
&lt;/h3&gt;

&lt;p&gt;Modules in Rust are a way to organise related code in a hierarchical fashion, similar to how folders organise files on your computer. &lt;br&gt;
Modules enable you to break down your codebase into smaller, more manageable chunks, making it easier to find and reason about your code.&lt;/p&gt;

&lt;p&gt;Modules in Rust also aid in code encapsulation and privacy by limiting the visibility of code elements to other parts of the programme. They also facilitate code reuse by allowing you to use the use keyword to bring functionality from other modules into your own code.&lt;/p&gt;

&lt;p&gt;Modules in code:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

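// File: my_module.rs
// This file itself is the module `my_module` (declared in main.rs with
// `mod my_module;`), so its items are defined at the top level of the file.

// `pub` makes the function callable from outside the module
pub fn hello_world() {
    println!("Hello, world!");
}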



&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;In the above code, we defined a module named my_module and added a function called hello_world to it. We also added the pub keyword before the function name to make it public and accessible from outside the module.&lt;/p&gt;

&lt;p&gt;To use this module in another file, you can use the use keyword followed by the path to the module. Here's an example:&lt;/p&gt;

&lt;p&gt;File main.rs:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

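// Declare the module; the compiler loads it from my_module.rs
mod my_module;

fn main() {
    // Call the public function through the module path
    my_module::hello_world();
}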



&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;In conclusion, in Rust you can organise your code into smaller parts called "crates" and "modules". This allows you to better structure your code and refer to code defined in one section from another. Crates are like standalone libraries that can be used in multiple projects, whereas modules are like crate sub-sections that contain related code. Modules allow you to divide your code into smaller, more manageable chunks and refer to functions or variables defined in one module from another.&lt;/p&gt;

</description>
      <category>programming</category>
      <category>webdev</category>
      <category>beginners</category>
      <category>rust</category>
    </item>
    <item>
      <title>Should you learn Rust as Web Developer?</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Sun, 25 Dec 2022 08:34:18 +0000</pubDate>
      <link>https://forem.com/nathan20/should-you-learn-rust-as-web-developer-106f</link>
      <guid>https://forem.com/nathan20/should-you-learn-rust-as-web-developer-106f</guid>
      <description>&lt;p&gt;As a web developer, you are constantly looking for ways to improve your skills and stay up-to-date with the latest technologies. One language that has gained a lot of attention in recent years is Rust, a statically-typed systems programming language known for its focus on safety and performance. But is Rust a good fit for web development, and should web developers consider learning it?&lt;/p&gt;

&lt;p&gt;One key benefit of Rust for web development is its emphasis on safety. The language includes a borrow checker and other safety features that can help prevent common programming errors, which is especially important when building secure web applications. In addition, Rust's static typing can help catch errors at compile-time rather than runtime, leading to more reliable code.&lt;/p&gt;

&lt;p&gt;Another advantage of Rust is its high performance. The language is designed to be fast and efficient, and it can often match or exceed the performance of other languages, including C++. This can be beneficial for web applications that need to handle a lot of data or perform complex calculations.&lt;/p&gt;

&lt;p&gt;Rust's support for concurrent programming can also be a major benefit for web developers. The language makes it easy to write programs that can take advantage of modern multi-core processors, allowing you to build web applications that can scale to meet the demands of your users.&lt;/p&gt;

&lt;h2&gt;
  
  
  Which framework to use for building a website?
&lt;/h2&gt;

&lt;p&gt;There are a number of frameworks available for building web applications in Rust, each with its own set of features and capabilities. Some popular options include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Actix Web: A lightweight, async web framework that is designed to be fast and easy to use. It supports a variety of features, including routing, middleware, and templates.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Rocket: A web framework that is designed to be simple and easy to use, with an emphasis on security. It includes features such as routing, templates, and request/response handling.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Tide: A framework for building async web applications with a focus on simplicity and flexibility. It includes features such as routing, request/response handling, and middleware support.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Nickel: A lightweight, modular web framework that is designed to be easy to use and flexible. It includes features such as routing, templates, and request/response handling.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ultimately, the best framework for building a web application in Rust will depend on your specific needs and goals. It's a good idea to research and compare the different options to see which one best meets your requirements.&lt;/p&gt;

&lt;p&gt;Finally, Rust has a growing ecosystem of libraries and tools that can make it easier to build web applications. This includes libraries for building web servers, working with databases, and more.&lt;/p&gt;

&lt;p&gt;All of these factors make Rust a strong choice for web development, especially if you are interested in building high-performance or secure web applications. That being said, whether or not you should learn Rust as a web developer will ultimately depend on your specific goals and interests. &lt;br&gt;
If you are looking to expand your skill set and are interested in building web applications with Rust, then it could be a valuable addition to your toolkit.&lt;/p&gt;

&lt;p&gt;However, if you are more focused on other aspects of web development, such as front-end development or working with specific frameworks, then Rust might not be as relevant to your needs.&lt;/p&gt;

&lt;p&gt;Star our &lt;a href="https://bit.ly/3QFgAUf"&gt;Rust repo!&lt;/a&gt;&lt;/p&gt;

</description>
      <category>rust</category>
      <category>programming</category>
      <category>react</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Why companies are migrating to Rust?</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Wed, 21 Dec 2022 06:52:32 +0000</pubDate>
      <link>https://forem.com/nathan20/why-companies-migrating-to-rust-18o7</link>
      <guid>https://forem.com/nathan20/why-companies-migrating-to-rust-18o7</guid>
      <description>&lt;p&gt;As a statically-typed systems programming language, Rust has gained a lot of traction in recent years for its focus on safety and performance. This has led many companies to consider migrating from C++, a similarly popular systems language, to Rust.&lt;/p&gt;

&lt;p&gt;One key reason for this migration is Rust's emphasis on safety. The language includes a borrow checker, which helps prevent common programming errors such as null or dangling pointer references. This can lead to more reliable and secure code, which is especially important for companies that rely on their software for mission-critical applications.&lt;/p&gt;

&lt;p&gt;In addition to its safety features, Rust is also known for its high performance. It is designed to be a fast and efficient language, and it can often match or exceed the performance of C++. This makes it an attractive choice for companies looking to build software that needs to handle a lot of data or perform complex calculations.&lt;/p&gt;

&lt;p&gt;Another advantage of Rust is its support for concurrency. The language makes it easy to write programs that can take advantage of modern multi-core processors, allowing companies to build software that can scale to meet the demands of their users.&lt;/p&gt;

&lt;p&gt;Finally, Rust has a growing ecosystem of libraries and tools that make it easier for developers to get started with the language and build software more efficiently. This can be a major benefit for companies looking to reduce the time and resources needed to develop and maintain their software.&lt;/p&gt;

&lt;p&gt;Some examples of companies that have migrated from C++ to Rust include Firefox, which uses Rust to build its Gecko rendering engine, and Dropbox, which has been using Rust to build a number of its core infrastructure components. These companies have found that Rust's safety, performance, and concurrency features make it a strong choice for their needs.&lt;/p&gt;

&lt;p&gt;In conclusion, there are a number of reasons why companies might consider migrating from C++ to Rust, including its emphasis on safety, high performance, support for concurrency, and growing ecosystem. While the decision to migrate will depend on the specific needs and goals of each company, Rust is increasingly being seen as a viable alternative to C++ for building reliable and efficient software.&lt;/p&gt;

&lt;p&gt;Star our &lt;a href="https://bit.ly/3QFgAUf" rel="noopener noreferrer"&gt;Github repo! &lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>How open source tools can help you to secure your website API?</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Sun, 18 Dec 2022 14:33:11 +0000</pubDate>
      <link>https://forem.com/nathan20/how-open-sources-tool-can-help-you-to-secure-your-website-api-588g</link>
      <guid>https://forem.com/nathan20/how-open-sources-tool-can-help-you-to-secure-your-website-api-588g</guid>
      <description>&lt;p&gt;API security is an increasingly important concern for businesses as more and more organizations rely on APIs to exchange data and enable functionality between different systems. &lt;br&gt;
In order to ensure the security of their APIs, businesses need to take a number of steps, including implementing authentication and authorization mechanisms, implementing secure communication protocols, and regularly testing and monitoring their APIs for vulnerabilities.&lt;/p&gt;

&lt;p&gt;One way to help secure your website APIs is by using open source tools.&lt;br&gt;
Open source tools are software programs that are freely available for anyone to use, modify, and distribute. &lt;br&gt;
Many open source tools are developed and maintained by communities of volunteers, and they offer a range of features and capabilities that can be leveraged to help secure your APIs.&lt;/p&gt;

&lt;p&gt;Here are a few ways that open source tools can help you secure your website APIs:&lt;/p&gt;

&lt;h2&gt;
  
  
  Implementing authentication and authorization
&lt;/h2&gt;

&lt;p&gt;One of the key ways to secure your APIs is by implementing authentication and authorization mechanisms. This involves verifying the identity of users who are accessing your APIs and controlling which users are allowed to access which resources.&lt;/p&gt;

&lt;p&gt;There are a number of open source tools that can help you implement authentication and authorization for your APIs. For example, OAuth is a popular open source framework that allows users to authenticate and authorize access to APIs by using a third-party service. Other options include JSON Web Tokens (JWTs) and SAML (Security Assertion Markup Language).&lt;/p&gt;

&lt;h2&gt;
  
  
  Ensuring secure communication
&lt;/h2&gt;

&lt;p&gt;Another important aspect of API security is ensuring that communication between different systems is secure. This involves using secure protocols such as HTTPS (Hypertext Transfer Protocol Secure) to encrypt data as it is transmitted between systems.&lt;/p&gt;

&lt;p&gt;There are a number of open source tools that can help you implement secure communication protocols for your APIs. For example, OpenSSL is an open source library that provides a range of encryption algorithms and tools that can be used to secure communication between systems. Other options include Transport Layer Security (TLS) and Secure Sockets Layer (SSL).&lt;/p&gt;

&lt;h2&gt;
  
  
  Testing and monitoring for vulnerabilities
&lt;/h2&gt;

&lt;p&gt;Testing and monitoring your APIs for vulnerabilities is an important part of maintaining API security. This involves regularly scanning your APIs for potential vulnerabilities and addressing any issues that are discovered.&lt;/p&gt;

&lt;p&gt;There are a number of open source tools that can help you test and monitor your APIs, for example Postman and SoapUI, which are open source tools that can be used to test and monitor APIs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Testing for API Logic Vulnerabilities
&lt;/h2&gt;

&lt;p&gt;Testing against business logic vulnerabilities: These occur when there are weaknesses in the way that business processes are implemented in an application. For example, an online shopping site might have a flaw in its checkout process that allows users to add items to their cart without paying for them.&lt;/p&gt;

&lt;p&gt;Input validation vulnerabilities: These occur when an application does not properly validate or sanitize input data, allowing attackers to inject malicious code or data into the system.&lt;/p&gt;

&lt;p&gt;Access control vulnerabilities: These occur when there are weaknesses in the way that an application controls access to sensitive data or functionality. For example, an application might allow users to access resources that they are not authorized to view.&lt;/p&gt;

&lt;p&gt;By validating your API &lt;a href="https://swagger.io/specification" rel="noopener noreferrer"&gt;specifications&lt;/a&gt; and running API security tests, the CLI tool &lt;a href="https://github.com/blst-security/cherrybomb"&gt;Cherrybomb&lt;/a&gt; assists you in preventing undesired user behavior. &lt;br&gt;
 The tool is totally free and super easy to use. &lt;/p&gt;

&lt;p&gt;Conclusion&lt;/p&gt;

&lt;p&gt;Open source tools can be an effective way to help secure your website APIs. &lt;br&gt;
By implementing authentication and authorization mechanisms, ensuring secure communication, and regularly testing and monitoring for vulnerabilities, you can help protect your APIs and the data and functionality they enable.&lt;/p&gt;

&lt;p&gt;Our &lt;a href="https://bit.ly/3QFgAUf" rel="noopener noreferrer"&gt;Github repo! &lt;/a&gt;&lt;br&gt;
Check us at &lt;a href="https://www.blstsecurity.com/?promo=blst&amp;amp;domain=nathan/The_4_best_resources_to_learn_Rust_programming!" rel="noopener noreferrer"&gt;BLST &lt;/a&gt;&lt;/p&gt;

</description>
      <category>website</category>
      <category>discuss</category>
    </item>
    <item>
      <title>The 5 best resources to learn Rust!</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Wed, 14 Dec 2022 10:22:17 +0000</pubDate>
      <link>https://forem.com/nathan20/the-4-best-resources-to-learn-rust--3238</link>
      <guid>https://forem.com/nathan20/the-4-best-resources-to-learn-rust--3238</guid>
      <description>&lt;p&gt;Rust is a popular programming language known for its performance and reliability. It is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. If you're looking to learn Rust, there are many great resources available to help you get started.&lt;/p&gt;

&lt;p&gt;One of the best places to start learning Rust is the official Rust website, which offers comprehensive documentation, tutorials, and other resources to help you get up and running quickly. The website also features an active community forum where you can ask questions and get help from experienced Rust developers.&lt;/p&gt;

&lt;p&gt;Another great resource for learning Rust is the Rust Book, which is available for free online. This book provides a thorough introduction to Rust and covers everything from the basics of the language to advanced concepts and features. It also includes numerous examples and exercises to help you practice and solidify your knowledge.&lt;/p&gt;

&lt;p&gt;If you want a quick introduction to Rust, I suggest two places:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://learnxinyminutes.com/docs/rust/"&gt;https://learnxinyminutes.com/docs/rust/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://fasterthanli.me/articles/a-half-hour-to-learn-rust"&gt;https://fasterthanli.me/articles/a-half-hour-to-learn-rust&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In addition, there are many other online resources available to help you learn Rust. For example, the Rustonomicon is a more advanced resource that covers advanced topics such as unsafe code, concurrency, and more.&lt;br&gt;
If you are interested in building websites, check this &lt;a href="https://github.com/steadylearner/Rust-Full-Stack"&gt;repo&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you prefer to learn by watching videos, there are also many great Rust tutorials and courses available on platforms such as YouTube and Udemy. Some popular ones to check out include "Let's Get Rusty" by &lt;a href="https://www.youtube.com/@letsgetrusty"&gt;Bogdan&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hands-on Resources
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Are you searching for a more hands-on approach? Here are the top five resources.&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://github.com/rust-lang/rustlings"&gt;Rustlings&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://exercism.org/tracks/rust"&gt;Exercism&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://codewars.com"&gt;Codewars&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.codingame.com/ide/puzzle/onboarding"&gt;Coding Game&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://app.codecrafters.io/join?via=DeliciousBounty"&gt;codecrafter&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Finally, if you want to dive deeper into Rust and learn from experienced developers, there are many online communities and forums where you can connect with other Rust developers and learn from them. Some popular ones to check out include the Rust subreddit, the Rust users forum, and the Rust programming language Discord server.&lt;/p&gt;

&lt;p&gt;In summary, if you want to learn Rust, there are many great resources available to help you get started. Whether you prefer books, videos, or online forums, there is something out there for everyone. With the right resources and a bit of practice, you'll be writing high-performance, reliable Rust code in no time.&lt;/p&gt;

&lt;p&gt;Star our &lt;a href="https://bit.ly/3QFgAUf"&gt;Github repo! &lt;/a&gt;&lt;br&gt;
Check us at &lt;a href="https://www.blstsecurity.com/?promo=blst&amp;amp;domain=nathan/The_4_best_resources_to_learn_Rust_programming!"&gt;BLST &lt;/a&gt;&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>programming</category>
      <category>rust</category>
    </item>
    <item>
      <title>How to Handle Errors in Rust: A Comprehensive Guide</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Fri, 02 Dec 2022 13:18:39 +0000</pubDate>
      <link>https://forem.com/nathan20/how-to-handle-errors-in-rust-a-comprehensive-guide-1cco</link>
      <guid>https://forem.com/nathan20/how-to-handle-errors-in-rust-a-comprehensive-guide-1cco</guid>
      <description>&lt;p&gt;The Rust community constantly discusses error handling. In this article I will try to explain what it is, then why and how we should use it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Purpose of Error Handling
&lt;/h2&gt;

&lt;p&gt;Error handling is a process that helps to identify, debug, and resolve errors that occur during the execution of a program. &lt;br&gt;
It helps to ensure the smooth functioning of the program by preventing errors from occurring and allows the program to continue running in an optimal state. &lt;br&gt;
Error handling also allows users to be informed of any problems that may arise and take corrective action to prevent the errors from happening again in the future.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is a Result?
&lt;/h2&gt;

&lt;p&gt;Result is a built-in &lt;a href="https://doc.rust-lang.org/book/ch06-01-defining-an-enum.html" rel="noopener noreferrer"&gt;enum&lt;/a&gt; in the Rust standard library.&lt;br&gt;
It has two variants Ok(T) and Err(E).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fppuqcc9014437vkvvpdz.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fppuqcc9014437vkvvpdz.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Result should be used as a return type for a function that can encounter error situations.&lt;br&gt;
An Ok value is returned in case of success, or an Err value in case of an error.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Implementation of Result in a function.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzd4uzu6q9uew1rva0b6s.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzd4uzu6q9uew1rva0b6s.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Error Handling?
&lt;/h2&gt;

&lt;p&gt;Sometimes we use functions that can fail, for example calling an endpoint from an API or searching for a file. These types of functions can encounter errors (in our case the API is not reachable or the file does not exist).&lt;br&gt;
There are similar scenarios where we use error handling.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flsoo79ebw8ue4j39idgf.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flsoo79ebw8ue4j39idgf.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Explained Step by Step&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The read_username_from_file function returns a Result.
This means the function's returned value will be either an Ok that contains a String or an Err that contains an instance of io::Error.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Inside read_username_from_file there is a call to "File::open", which returns a Result type. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It can return an Ok&lt;/li&gt;
&lt;li&gt;It can return an Err&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Then the code uses a match to check the result of that call: if it was successful, it takes the value inside the Ok; otherwise it returns the Err value.&lt;/p&gt;

&lt;p&gt;For the second call, read_to_string, the same principle applies, but in this case we do not use the return keyword, as you can see, and we finally return either an Ok or an Err.&lt;/p&gt;

&lt;p&gt;So you may ask: do I have to write all these match blocks for every Result type?&lt;/p&gt;

&lt;p&gt;Fortunately, there is a shortcut :)&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frrburuebo85tf0ggr3ty.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frrburuebo85tf0ggr3ty.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What is the Question Mark (Error Propagation)?
&lt;/h2&gt;

&lt;p&gt;According to the &lt;a href="https://doc.rust-lang.org/reference/expressions/operator-expr.html" rel="noopener noreferrer"&gt;rust lang&lt;/a&gt; book: &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The question mark operator (?) unwraps valid values or returns erroneous values, propagating them to the calling function. It is a unary postfix operator that can only be applied to the types Result and Option.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Let me explain it.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The question mark (?) in Rust is applied to a value of type Result. It returns the error value early if the operation cannot be completed. &lt;br&gt;
For example, our function that reads a file returns a Result type, and the question mark means that an error is returned if the file cannot be read, or, on the other hand, that the final result is produced.&lt;br&gt;
In other words, it is used to short-circuit a chain of computations and return early if a condition is not met. &lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

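use std::fs::File;
use std::io::{self, Read};

// Returns the file's contents, or propagates the first io::Error through `?`.
fn read_username_from_file() -&amp;gt; Result&amp;lt;String, io::Error&amp;gt; {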
    let mut f = File::open("username.txt")?;
    let mut s = String::new();
    f.read_to_string(&amp;amp;mut s)?;
    Ok(s)
}


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Every time you see a ?, that’s a possible early return from the function in case of an error. Otherwise, f will hold the file handle that the Ok contained and execution of the function continues (similar to the unwrap function).&lt;/p&gt;

&lt;h2&gt;
  
  
  Why use crates to handle errors?
&lt;/h2&gt;

&lt;p&gt;The standard library does not provide every solution for error handling.&lt;br&gt;
In fact, different errors may be returned by the same function, making it increasingly difficult to handle them precisely. &lt;br&gt;
A personal anecdote: in our company we developed &lt;a href="https://github.com/blst-security/cherrybomb" rel="noopener noreferrer"&gt;Cherrybomb&lt;/a&gt;, an API security tool written in Rust, and we need to rewrite a good part of it to have better error handling.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9bh21ityq1szpwwdfvds.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9bh21ityq1szpwwdfvds.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Or the same error message can be displayed multiple times.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fof0e8khzy9bwd2lo0ux5.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fof0e8khzy9bwd2lo0ux5.jpeg" alt="Image description"&gt;&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;This is why we need to define our own custom Error enum. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo9c2fzx3wlgqagtux049.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo9c2fzx3wlgqagtux049.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then our function will look like:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftfmq5gmpjzsxlpqe1k0l.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftfmq5gmpjzsxlpqe1k0l.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Customize Errors
&lt;/h2&gt;

&lt;p&gt;Thiserror focuses on creating structured errors and has only one trait that can be used to define new errors. &lt;/p&gt;

&lt;p&gt;Thiserror is an error-handling library for Rust that provides a powerful yet concise syntax to create custom error types.&lt;/p&gt;

&lt;p&gt;In Cargo.toml:&lt;br&gt;
&lt;code&gt;&lt;br&gt;
[dependencies]&lt;br&gt;
thiserror = "1.0"&lt;br&gt;
&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;It allows developers to create custom error types and handlers without having to write a lot of boilerplate code. &lt;/p&gt;

&lt;p&gt;Thanks to the &lt;a href="https://crates.io/crates/thiserror" rel="noopener noreferrer"&gt;thiserror&lt;/a&gt; crate, we can customize our error messages.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsen64wpc13dh53nxcboa.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsen64wpc13dh53nxcboa.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It also provides features to automatically convert between custom error types and the standard error type. We will see this in the next section on dynamic errors.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Create new errors through #[derive(Error)].&lt;/li&gt;
&lt;li&gt;Enums, structs with named fields, tuple structs, and unit structs are all possible.&lt;/li&gt;
&lt;li&gt;A Display impl is generated for your error if you provide #[error("...")] messages on the struct or on each variant of your enum; the messages support string interpolation.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Example taken from &lt;a href="https://docs.rs/thiserror/latest/thiserror/" rel="noopener noreferrer"&gt;docs.rs&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9x6oj5pwpaww9s0sgzqb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9x6oj5pwpaww9s0sgzqb.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Dealing with Dynamic Error Handling
&lt;/h2&gt;

&lt;p&gt;If you want to be able to use ?, your error type must implement the From trait for the error types of your dependencies. Your program or library may use many dependencies, each of which has its own error type. Suppose you have two different custom error structs, and we call a function that returns one specific type.&lt;br&gt;
For example:&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyivur7e6jajhbb2p94g.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyivur7e6jajhbb2p94g.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So when we call our main function, which returns an &lt;code&gt;ErrorA&lt;/code&gt; type, we encounter the following error:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm7mvg1yefr8r78sv0ptk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm7mvg1yefr8r78sv0ptk.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So one solution is to implement the trait &lt;code&gt;From&amp;lt;ErrorB&amp;gt;&lt;/code&gt; for the struct &lt;code&gt;ErrorA&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Our code looks like this now: &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7fwpocv129fd3ajkrus4.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7fwpocv129fd3ajkrus4.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Another solution to this problem is to return dynamic errors.&lt;br&gt;
To handle dynamic errors in Rust, in the case of an Err value, you can box the error and return it as a Box (a trait object of the Error trait). This allows the error type to be determined at runtime, rather than at compile time, making it easier to work with errors of different types. &lt;/p&gt;

&lt;p&gt;The Box can then be used to store any type of Error, including those from external libraries or custom errors. The Box can then be used to propagate the Error up the call stack, allowing for appropriate handling of the error at each stage.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F18b2kenm8eef2q54upah.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F18b2kenm8eef2q54upah.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Thiserror crate
&lt;/h2&gt;

&lt;p&gt;To make the code cleaner and simpler, let's use the thiserror crate.&lt;br&gt;
The &lt;code&gt;thiserror&lt;/code&gt; crate can help handle dynamic errors in Rust by allowing the user to define custom error types. It does this through the &lt;code&gt;#[derive(thiserror::Error)]&lt;/code&gt; macro. This macro allows the user to define a custom error type with a specific set of parameters, such as an error code, a message, and the source of the error. The user can then use this error type to return an appropriate error value in the event of a dynamic error. Additionally, the &lt;code&gt;thiserror&lt;/code&gt; crate also provides several helpful methods, such as &lt;code&gt;display_chain&lt;/code&gt;, which can be used to chain together multiple errors into a single error chain.&lt;br&gt;
In the following example, we created our error type &lt;code&gt;ErrorB&lt;/code&gt;, then used the From trait to convert &lt;code&gt;ErrorB&lt;/code&gt; errors into our custom &lt;code&gt;ErrorA&lt;/code&gt; error type. If a dynamic error occurs, you can create a new instance of your error type and return it to the caller. See function &lt;code&gt;returns_error_a()&lt;/code&gt; in line 13.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuo4vzlccwdev55itija0.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuo4vzlccwdev55itija0.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Anyhow crate
&lt;/h2&gt;

&lt;p&gt;anyhow was written by the same author, dtolnay, and released in the same week as thiserror.&lt;br&gt;
The &lt;a href="https://crates.io/crates/anyhow" rel="noopener noreferrer"&gt;anyhow&lt;/a&gt; can be used to return errors of any type that implement the &lt;code&gt;std::error::Error&lt;/code&gt; trait and will display a nicely formatted error message if the program crashes.&lt;br&gt;
The most common way to use the crate is to wrap your code in a Result type. This type is an alias for the &lt;code&gt;std::result::Result&amp;lt;T, E&amp;gt;&lt;/code&gt;  type, and it allows you to handle success or failure cases separately. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmvegdox4f58x27sf0dta.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmvegdox4f58x27sf0dta.jpeg" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When an error occurs, you can for example use the &lt;code&gt;context()&lt;/code&gt; method to provide more information about the error, or use the with_chain() method to chain multiple errors together. &lt;br&gt;
 The anyhow crate provides several convenient macros to simplify the process of constructing and handling errors. These macros include the &lt;code&gt;bail!()&lt;/code&gt; and &lt;code&gt;try_with_context!()&lt;/code&gt; macros.&lt;br&gt;
 The former can be used to quickly construct an error value, while the latter can be used to wrap a function call and automatically handle any errors that occur.&lt;/p&gt;

&lt;h2&gt;
  
  
  Comparison
&lt;/h2&gt;

&lt;p&gt;The main difference between anyhow and the Thiserror crate in Rust is the way in which errors are handled. Anyhow allows for error handling using any type that implements the Error trait, whereas Thiserror requires you to explicitly define the error types using macros. &lt;/p&gt;

&lt;p&gt;Anyhow is an error-handling library for Rust that provides an easy way to convert errors into a uniform type. It allows you to write concise and powerful error-handling code by automatically converting many different types of errors into a single, common type.&lt;/p&gt;

&lt;p&gt;In conclusion, in &lt;a href="https://github.com/blst-security/cherrybomb" rel="noopener noreferrer"&gt;Cherrybomb&lt;/a&gt; we choose to combine the two: we create a custom error type with thiserror and manage it with the anyhow crate.&lt;/p&gt;

</description>
      <category>rust</category>
      <category>programming</category>
      <category>beginners</category>
    </item>
    <item>
      <title>Did you know you could use OpenAPI for security?</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Sun, 09 Oct 2022 09:35:04 +0000</pubDate>
      <link>https://forem.com/nathan20/did-you-know-you-could-use-openapi-for-security-1hke</link>
      <guid>https://forem.com/nathan20/did-you-know-you-could-use-openapi-for-security-1hke</guid>
      <description>&lt;h2&gt;
  
  
  What is OpenAPI?
&lt;/h2&gt;

&lt;p&gt;OpenAPI is a set of tools and standards for creating, managing, and securing APIs. It includes a specification for describing APIs, a runtime for executing APIs, and a set of tools for managing APIs. &lt;br&gt;
The goal of the OpenAPI Initiative is to standardize how APIs are described and to make it easier for developers to create, use, and manage APIs. &lt;/p&gt;

&lt;p&gt;API supports, the parameters that each operation requires, the data types that are used by the API, and other information. I already wrote an &lt;a href="https://dev.to/nathan20/openapi-specification-the-complete-guide-3do"&gt;article&lt;/a&gt; about it; you can check it out before you continue reading.&lt;/p&gt;
&lt;h2&gt;
  
  
  How can OpenAPI be used for security?
&lt;/h2&gt;

&lt;p&gt;OpenAPI can be used to secure access to APIs by requiring authentication and authorization for all API calls.&lt;br&gt;
OpenAPI can also be used to validate input and output data, ensuring that data is valid and properly formatted. By using OpenAPI, developers can be sure that their APIs are secure and reliable.&lt;br&gt;
I want to talk about these two types of vulnerabilities.&lt;/p&gt;
&lt;h3&gt;
  
  
  Lack of Authentication.
&lt;/h3&gt;

&lt;p&gt;APIs often suffer from authentication problems.&lt;br&gt;
Take, for example, this &lt;a href="https://medium.com/techiepedia/password-reset-to-admin-access-3b2a649bdc3"&gt;bug report&lt;/a&gt;.&lt;br&gt;
A user is able to get admin permissions through a simple endpoint that is used to reset passwords.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsi412874qwy7o9pvsx8a.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsi412874qwy7o9pvsx8a.png" alt="Image description" width="333" height="250"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;So how can we avoid this type of vulnerability?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Using a specification helps give your permission levels more structure.&lt;/p&gt;

&lt;p&gt;In this example, the security definition that applies to this endpoint's API operations is "petstore_auth", which includes the "write" and "read" scopes.&lt;br&gt;
As we can see, each operation has a defined scope of permissions.&lt;br&gt;
Declaring permissions this way gives a better understanding of the permissions required for a specific operation.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;path: "/pet/findByStatus": {
      "get": {
    ....},
        "security": [
          {
            "petstore_auth": [
              "write:pets",
              "read:pets"
            ]
          }
        ]
      },
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Insecure Direct Object Reference (IDOR).
&lt;/h3&gt;

&lt;p&gt;Another important common vulnerability occurs when unvalidated user input can be used for unauthorized access to resources or operations.&lt;br&gt;
In this &lt;a href="https://hackerone.com/reports/404797"&gt;bug report&lt;/a&gt; the researcher succeed to delete images from others by simply changing id of the image. &lt;/p&gt;

&lt;p&gt;Here we are facing a coding error: the lack of verification in the back end leads to a high-severity vulnerability. &lt;/p&gt;

&lt;p&gt;Back-end be like:&lt;br&gt;
&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjjeekpvijrx37ahlaycx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjjeekpvijrx37ahlaycx.png" alt="Image description" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Using OAS here won't necessarily solve the problem, but it can help detect the problem more easily and earlier (I will explain in the next section).&lt;/p&gt;

&lt;h2&gt;
  
  
  What are the benefits of using OpenAPI for security?
&lt;/h2&gt;

&lt;p&gt;OpenAPI is a great tool for security because it allows you to easily and quickly understand your API. This makes it easy for a pentester to understand what your API does and how it could be exploited.&lt;br&gt;
Additionally, OpenAPI is a great tool for automation, not only to generate code but also to &lt;strong&gt;automate your security testing.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Using an API security tool like &lt;a href="https://github.com/blst-security/cherrybomb"&gt;Cherrybomb&lt;/a&gt; at an earlier stage of development helps you detect vulnerabilities before production! &lt;/p&gt;

&lt;p&gt;If you're looking for a new way to understand and manage your API, consider using &lt;a href="https://swagger.io/specification"&gt;OpenAPI&lt;/a&gt;, and if you want to secure it, consider using &lt;a href="https://github.com/blst-security/cherrybomb"&gt;CherryBomb&lt;/a&gt; to automate your security tests. &lt;br&gt;
Managing and testing are the key; now you can keep your API safe :)&lt;/p&gt;

&lt;p&gt;Star our &lt;a href="https://bit.ly/3QFgAUf"&gt;Github repo&lt;/a&gt; and join the discussion in our &lt;a href="https://bit.ly/3HQtlYo"&gt;Discord channel&lt;/a&gt;!&lt;br&gt;
Test your API for free now at &lt;a href="https://www.blstsecurity.com/?promo=blst&amp;amp;domain=nathan/Did_you_know_you_could_use_openapi_for_security?"&gt;BLST&lt;/a&gt;!&lt;/p&gt;

</description>
      <category>api</category>
      <category>security</category>
      <category>tutorial</category>
      <category>programming</category>
    </item>
    <item>
      <title>Learning a Programming Language? Is Not Enough.</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Thu, 22 Sep 2022 13:32:02 +0000</pubDate>
      <link>https://forem.com/nathan20/learning-a-programming-language-is-not-enough-32h0</link>
      <guid>https://forem.com/nathan20/learning-a-programming-language-is-not-enough-32h0</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;“To become really good at anything, you have to practice and repeat, practice and repeat, until the technique becomes intuitive” - Paulo Coelho&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Today, learning a new programming language is offered to everyone, but it is not enough.&lt;/p&gt;

&lt;h2&gt;
  
  
  Competences to adopt
&lt;/h2&gt;

&lt;p&gt;One of the most important skills for a developer is the ability to &lt;strong&gt;think abstractly&lt;/strong&gt;. This means being able to see the big picture and understand how the various pieces of a system fit together.&lt;br&gt;
It also means being able to see beyond the code and understand how the system as a whole works. &lt;br&gt;
This is a critical skill for developers, because it allows them to see problems that are not immediately apparent and to find creative solutions.&lt;br&gt;
Another important skill for developers is the ability to &lt;a href="https://dev.to/nathan20/how-to-develop-strong-problem-solving-skills-as-a-software-developer-25nb"&gt;&lt;strong&gt;solve problems&lt;/strong&gt;&lt;/a&gt;.&lt;br&gt;
This includes both the ability to find and fix errors in code and the ability to design new systems or features. &lt;br&gt;
Developers need to be able to identify problems and then use their creativity and technical expertise to come up with solutions that work. &lt;br&gt;
This is a difficult skill to learn, but it is essential for anyone who wants to be a developer.&lt;br&gt;
The last skill that we will discuss is &lt;strong&gt;communication&lt;/strong&gt;. Developers need to be able to communicate effectively with other developers, users, and other stakeholders. &lt;br&gt;
They need to be able to explain their ideas clearly and concisely. &lt;br&gt;
Developers also need to be able to understand the needs of others and work collaboratively towards a common goal. Communication is a difficult skill, but it is essential for anyone who wants to be a developer.&lt;/p&gt;

&lt;h2&gt;
  
  
  The difference between a programmer and a developer
&lt;/h2&gt;

&lt;p&gt;A programmer can write code, but a developer is someone who can create applications. A developer is someone who can take a problem and create a solution.&lt;br&gt;
A programmer is someone who is able to write code that a computer can understand. They understand how to use different programming languages and how to structure code so that it is effective. &lt;br&gt;
A developer is someone who can take a problem and create a solution. Developers have a broad skillset that goes beyond programming. They might be responsible for designing applications, managing databases, or working with user experience. &lt;br&gt;
Developers need to be able to communicate with other members of a team in order to create an effective solution.&lt;br&gt;
The terms “programmer” and “developer” are often used interchangeably, but they are not the same thing. &lt;/p&gt;

&lt;h2&gt;
  
  
  What else is needed to be a developer?
&lt;/h2&gt;

&lt;p&gt;It is important for developers to have a strong foundation in computer science. This means understanding algorithms, data structures, and software design principles. Developers should also be able to apply these concepts when building applications. In addition, developers need to be able to work with teams and manage projects.&lt;br&gt;
While there are many different skills that are needed to be a developer, these are some of the most important ones. By having a strong foundation in computer science and being able to problem solve, developers can build amazing applications that make our lives easier.&lt;/p&gt;

&lt;p&gt;If you want to be a developer, you need to do more than just learn a programming language. You need to be able to code, debug, and troubleshoot. You also need to be able to work with other developers. Learning a programming language is a good start, but it's not enough.&lt;/p&gt;


</description>
      <category>programming</category>
      <category>beginners</category>
    </item>
    <item>
      <title>Cherrybomb for OWASP Conference 😁 🥳</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Thu, 22 Sep 2022 09:09:49 +0000</pubDate>
      <link>https://forem.com/blst-security/cherrybomb-for-owasp-conference-402g</link>
      <guid>https://forem.com/blst-security/cherrybomb-for-owasp-conference-402g</guid>
      <description>&lt;h2&gt;
  
  
  API Security Testing into your CI Pipeline
&lt;/h2&gt;

&lt;p&gt;Right now, your web app is most likely vulnerable to an attack.&lt;br&gt;
According to a recent survey, 9 out of 10 web applications were vulnerable to attack in recent years, with 45% of production apps exhibiting "high risk" vulnerabilities.&lt;br&gt;
That is a significant number.&lt;br&gt;
&lt;a href="https://github.com/blst-security/cherrybomb"&gt;CherryBomb&lt;/a&gt; can help you run automatic security checks right in your CI/CD pipeline, which is outstanding.&lt;/p&gt;

&lt;h2&gt;
  
  
  OWASP-CherryBomb
&lt;/h2&gt;

&lt;p&gt;We are glad to announce that we will present CherryBomb at an &lt;a href="https://owasp.org"&gt;OWASP&lt;/a&gt; conference.&lt;br&gt;
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.&lt;br&gt;
This OWASP Conference is open to the entire community, and if you're keen on being ahead of the curve, let's have a chat! But you should surely attend.&lt;/p&gt;

&lt;p&gt;It will be shown how the OpenAPI spec and Cherrybomb can be used in the real world.&lt;/p&gt;

&lt;h2&gt;
  
  
  Points we are going to talk about
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;OpenAPI specification concepts, and how important and simple specifications are to generate&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;API security testing in the CI pipeline, as well as a demonstration of Cherrybomb's functionality.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Demo Time 😋 We'll use &lt;a href="https://github.com/blst-security/cherrybomb"&gt;Cherrybomb&lt;/a&gt; to find a set of vulnerabilities on a live API. &lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Link for the conference: &lt;a href="https://www.meetup.com/owasp-msp-meetup/events/288608767/"&gt;https://www.meetup.com/owasp-msp-meetup/events/288608767/&lt;/a&gt;&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>api</category>
      <category>security</category>
      <category>rust</category>
    </item>
    <item>
      <title>Why I stopped writing articles</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Tue, 13 Sep 2022 08:51:56 +0000</pubDate>
      <link>https://forem.com/nathan20/why-i-stopped-writing-articles-420k</link>
      <guid>https://forem.com/nathan20/why-i-stopped-writing-articles-420k</guid>
      <description>&lt;p&gt;It’s no secret that the world today is a fast-paced, high-stress environment. We’re constantly bombarded with stimuli and expected to be available 24/7. &lt;br&gt;
It’s no wonder that so many of us feel like we’re running on empty all the time.&lt;br&gt;
But what if there was a way to be more productive by taking a break? &lt;/p&gt;

&lt;h3&gt;
  
  
  The Benefits of Taking Breaks
&lt;/h3&gt;

&lt;p&gt;There are many benefits to taking breaks during your workday. Pausing can help refresh your mind, reduce stress, and boost your overall productivity. &lt;br&gt;
If you’re feeling stuck, taking a break may be just what you need to get back on track.&lt;br&gt;
When you’re working on a task, it can be easy to get bogged down and lose focus. &lt;br&gt;
If this happens, taking a break can be helpful. Breaks give your mind a chance to rest and refocus, which can help you come back to your work with fresh energy and new ideas. Additionally, taking breaks can help reduce stress, which can lead to more productive work in the long run.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5lja537kcfx4t0u1at4p.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5lja537kcfx4t0u1at4p.png" alt="Image description" width="400" height="400"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you’re feeling like you need a break, there are many different ways to take one. You could step away from your work for a few minutes and take a walk or stretch. &lt;br&gt;
Or, if you have some time, you could take a longer break and do something relaxing, like reading or listening to music. Taking breaks doesn’t have to be complicated – just do what feels best for you in the moment.&lt;br&gt;
The next time you’re feeling stuck, try taking a break. It just might help you boost your productivity and find some new ideas.&lt;/p&gt;

&lt;h3&gt;
  
  
  How to Use Pauses to Boost Productivity
&lt;/h3&gt;

&lt;p&gt;When it comes to productivity, pauses are just as important as the work itself. By taking a few minutes to step away from our work, we can come back feeling refreshed and ready to tackle whatever is next. So next time you feel yourself getting overwhelmed, take a break and see how much better you feel afterwards.&lt;/p&gt;

&lt;h3&gt;
  
  
  My personal experience
&lt;/h3&gt;

&lt;p&gt;So I decided to take a break from work to travel in Greece, and these are my personal feelings after it:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9dj7fqfh1wojkl6los78.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9dj7fqfh1wojkl6los78.png" alt="Image description" width="800" height="431"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;-I felt more relaxed and less stressed&lt;br&gt;
-I had more time to enjoy my hobbies and interests&lt;br&gt;
-I felt more connected to my family and friends&lt;br&gt;
-I had more time to focus on my health and fitness&lt;br&gt;
-I felt more productive when I returned to work&lt;br&gt;
-It helps me to come back to work with fresh ideas and a new perspective.&lt;/p&gt;

&lt;p&gt;However, you don't need to travel in order to take a break from work. Other ways, like disconnecting from electronic devices, taking a walk outside, or using relaxation techniques such as meditation or yoga, are good ways to disconnect.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Science Behind the Break
&lt;/h3&gt;

&lt;p&gt;There is a science behind taking a break from work. Numerous studies have shown that taking regular breaks can increase productivity, improve mental and physical health, and reduce stress.&lt;/p&gt;

&lt;p&gt;One of the most popular studies on the subject was conducted by the University of Illinois in 2014. The study found that workers who took regular breaks were more productive than those who did not. The study also found that workers who took breaks were less likely to experience burnout.&lt;/p&gt;

&lt;p&gt;Numerous other studies have shown similar results. A study conducted by the University of Toronto found that workers who took breaks were less likely to experience fatigue and more likely to be productive. Another study, conducted by the University of Michigan, found that workers who took breaks had lower levels of stress and anxiety.&lt;/p&gt;

&lt;p&gt;When it comes to being productive, pausing can actually help you achieve your goals. &lt;br&gt;
In conclusion, by taking breaks, you can refresh your mind and body, which can lead to improved focus and productivity. So next time you feel like you need a break, don't hesitate to take one!&lt;/p&gt;

&lt;p&gt;Join the discussion in our &lt;a href="https://bit.ly/3HQtlYo"&gt;Discord channel&lt;/a&gt;&lt;br&gt;
Test your API for free now at &lt;a href="https://www.blstsecurity.com/?promo=nasi&amp;amp;domain=https://dev.to/The_Benefits_of_Taking_Breaks_Why_Pausing_Can_Help_You_Be_More_Productive"&gt;BLST&lt;/a&gt;!&lt;/p&gt;

</description>
      <category>tutorial</category>
      <category>journey</category>
      <category>productivity</category>
    </item>
    <item>
      <title>The first Open-Sourced API security testing tool CI/CD integrated.</title>
      <dc:creator>Nathan</dc:creator>
      <pubDate>Mon, 22 Aug 2022 18:04:00 +0000</pubDate>
      <link>https://forem.com/nathan20/the-first-open-sourced-api-security-testing-tool-cicd-integrated-59m9</link>
      <guid>https://forem.com/nathan20/the-first-open-sourced-api-security-testing-tool-cicd-integrated-59m9</guid>
      <description>&lt;p&gt;Hello Community!&lt;br&gt;
Looking forward to hearing your thoughts and getting your feedback about this. 🙏&lt;br&gt;
Today we released v0.7 of &lt;a href="https://github.com/blst-security/cherrybomb"&gt;Cherrybomb&lt;/a&gt; and I want to tell you about all the new features, and the new integrations we have.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Cherrybomb? And how does it work?
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://github.com/blst-security/cherrybomb"&gt;CherryBomb&lt;/a&gt; is our open-source tool that validates your &lt;a href="https://dev.to/nathan20/openapi-specification-the-complete-guide-3do"&gt;OpenAPI specification&lt;/a&gt;. It is designed for use with popular CI/CD tools such as Jenkins and Travis CI.&lt;br&gt;
 It is easy to use, and it integrates with these tools to provide a complete API security testing solution.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Active Check&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq4zr59qnn7hjgvod34e3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq4zr59qnn7hjgvod34e3.png" alt="Image description" width="445" height="271"&gt;&lt;/a&gt;&lt;br&gt;
The active module takes our API testing to a new level by providing not only static testing and auditing of your OAS file (with the passive module), but also a test of the API itself that sends requests and analyzes the responses. The Active module tests APIs by verifying that the API follows the specifications dictated in the OAS file and by testing the API for common security vulnerabilities.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Passive Check&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ao91hq9yc1uakzm1hs8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3ao91hq9yc1uakzm1hs8.png" alt="Image description" width="800" height="499"&gt;&lt;/a&gt;&lt;br&gt;
Cherrybomb reads your API spec file (Open API Specification) and validates it for best practices and discovers common API design flaws.&lt;/p&gt;

&lt;p&gt;There are also the Endpoint and Parameter tables, which sort out and inventory your entire API, using different keys.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why use it?
&lt;/h2&gt;

&lt;p&gt;API Security Testing can save you time and money by helping you to find and fix vulnerabilities in your code before they are exploited; I wrote an &lt;a href="https://dev.to/blst-security/shift-left-within-api-security-c1l"&gt;article&lt;/a&gt; about it.&lt;br&gt;
By using API Security Testing, you can also ensure that your API is compliant with industry standards and best practices.&lt;/p&gt;

&lt;h2&gt;
  
  
  How do I get started?
&lt;/h2&gt;

&lt;p&gt;There are two ways you can use Cherrybomb:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You can embed it into your CI pipeline. If you plan on doing that, I would recommend that you go to our &lt;a href="https://www.blstsecurity.com/"&gt;website&lt;/a&gt;, sign up, go through the &lt;a href="https://www.blstsecurity.com/CICD"&gt;CI pipeline integration builder&lt;/a&gt;, and copy the Groovy/GitHub Actions snippet built for you. Example:&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakg0xpm5nc64q9da1oww.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fakg0xpm5nc64q9da1oww.png" alt="Image description" width="800" height="358"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You can download it for some tryouts and testing using curl:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;curl https://cherrybomb.blstsecurity.com/install | /bin/bash &amp;amp;&amp;amp; cherrybomb oas -f "home/Documents/file_openapi.json"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  What does this mean for the future of API development?
&lt;/h2&gt;

&lt;p&gt;This is a good thing, as it will help to raise the level of security for all APIs. In the longer term, we can expect to see more APIs being developed with security built in from the start. This will help to ensure that APIs are more secure, and will help to protect the data and systems that they interact with.&lt;/p&gt;

&lt;p&gt;I hope that you enjoyed reading my article. If you have ideas or questions, feel free to ask in the comments :)&lt;/p&gt;

&lt;p&gt;💪 We are looking for contributors for &lt;a href="https://github.com/blst-security/cherrybomb"&gt;Cherrybomb&lt;/a&gt;. Together we can make API security easier and affordable for everyone.&lt;/p&gt;

&lt;p&gt;If you're looking for a new open-sourced API security testing tool for CI/CD, look no further! We've got just the thing.&lt;br&gt;
Star &lt;a href="https://github.com/blst-security/cherrybomb"&gt;Cherrybomb&lt;/a&gt;, and if you have questions or ideas, join our &lt;a href="https://discord.gg/WdHhv4DqwU"&gt;Discord server&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
      <category>api</category>
      <category>opensource</category>
      <category>rust</category>
    </item>
  </channel>
</rss>
