As mentioned in an earlier blog post, the Log4j vulnerability poses new risks to APIs. APIs are both a new attack vector for this exploit and attackers can extend their reach via APIs.
We also outlined in the previous post that the way Java packages are built makes it extremely hard to find if the Log4j library is even in use, especially in large, complex environments. With hundreds or even thousands of APIs potentially exposing this vulnerability to servers and applications, security orgs are working tirelessly to find and patch the Log4j vulnerabilities and identify which APIs could be impacted. It’s more critical than ever to find which APIs are using the vulnerable Log4j library before they are exploited.
Many Noname Security customers have been successfully using our Active Testing functionality to identify which new and existing APIs are using a vulnerable version of the Log4j library. The Noname API Security Platform has a suite of over 100 tests that you can run against your API inventory, one of which can identify if the API is using the vulnerable version of Log4j. Active testing can instantly help you find the Log4j “needles” in your digital environment “haystack”.
Noname Security understands how challenging this time is for security teams. We’re working round the clock with our customers to help in any way that we can to both proactively identify API exposure to Log4j with our Active Testing capabilities, and block Log4j API attacks in real-time with our Runtime Security capabilities.
If you’re interested in trialing the Noname API Security Platform or speaking to a member of our technical staff, please request a demo.