• Search for:
    18Dec, 2023
    MongoDB Suffers Security Breach, Exposing Customer Data

    MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.

    The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

    It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.

    In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.

    That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event.

    When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will “provide updates as soon as we can.”

    Resource : https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html

    24Nov, 2023
    Introducing Bambdas

    You’ve might have heard of Lambdas. But have you heard of Bambdas? They’re a unique new way to customize Burp Suite directly from the UI, using only small snippets of Java.

    Changing the face of Burp Suite

    The introduction of Bambdas exposes some of the core “behind the scenes” functionality of Burp Suite for the very first time. In essence, as the feature is rolled out across various tools within Burp Suite, you’ll be able to customize Burp to make it work in exactly the way that you want it to.

    The possibilities contained within the Bambdas functionality are theoretically endless. As the feature develops, we believe it’ll enable you to replace the age-old frustrated cry of “Why can’t Burp do this?” with a shiny new phrase. “I wonder if I can create a Bambda to make this work the way I need it to?”.

    How to work with Bambdas

    The first Bambda we’ve introduced enables you to write custom filters for the Proxy HTTP history. To help you get to grips with the unique potential of this functionality, we’ve created some examples to showcase some interesting request and response filters you might want to try.

    Find requests with a specific cookie value

    //Find requests with a specific cookie value
    if (requestResponse.request().hasParameter("foo", HttpParameterType.COOKIE)) {
    var cookieValue = requestResponse
    .request()
    .parameter("foo", HttpParameterType.COOKIE)
    .value();

    return cookieValue.contains("1337");
    }

    return false;

    Find JSON responses with wrong Content-Type

    //Find JSON respones with wrong Content-Type
    //The content is probably json but the content type is not application/json

    var contentType = requestResponse.response().headerValue("Content-Type");

    if (contentType != null && !contentType.contains("application/json")) {
    String body = requestResponse.response().bodyToString().trim();

    return body.startsWith( "{" ) || body.startsWith( "[" );
    }

    return false;

    Find role within JWT claims

    //Find role within JWT claims
    var body = requestResponse.response().bodyToString().trim();

    if (requestResponse.response().hasHeader("authorization")) {
    var authValue = requestResponse.response().headerValue("authorization");

    if (authValue.startsWith("Bearer ey")) {
    var tokens = authValue.split("\\.");

    if (tokens.length == 3) {
    var decodedClaims = utilities().base64Utils().decode(tokens[1], Base64DecodingOptions.URL).toString();

    return decodedClaims.toLowerCase().contains("role");
    }
    }
    }

    return false;

    Some helpful Bambdas code snippets

    Once you’re comfortable with the basics of how Bambdas work, there are a few tricks you might want to utilize to help you get even more value from the functionality. If you’re using something a lot, and want to save yourself some time, you can assign it to a variable. For example:var request = requestResponse.request();

    If you want to check if a parameter exists, and if it’s value is present, you can request it by name and check it for null instead:var cookie = request.parameter("foo", HttpParameterType.COOKIE);

    So that you can see how these code snippets can be applied, we’ve recreated the first example on finding requests with a specific cookie value.

    Hear from the developers of Bambdas

    Sean from the development team is here to introduce you to Bambdas, a unique new way to customize Burp Suite on the fly with small snippets of Java. You’ll learn what a Bambda is, why we’ve built them into Burp Suite, and see a couple of examples of how Bambdas work.

    Resource : https://portswigger.net/blog/introducing-bambdas

    8Nov, 2023
    Performance Development: Unlock Your Team’s Potential

    SHRM defines performance management as “the process of maintaining or improving employee job performance through the use of performance assessment tools, coaching, and counseling as well as providing continuous feedback.”

    But far too many organizations stop at the first part — performance assessment — and miss the opportunity to actually improve employee performance. Only about one in four employees strongly agree that their manager provides meaningful feedback to them or that the feedback they receive helps them do better work. And only 21% of employees strongly agree that their performance is managed in a way that motivates them to do outstanding work.

    Best-in-class organizations are integrating continuous feedback and development to enable more effective performance management. This approach is often referred to as performance development — think of it as the place where performance management meets career development — and it can be a great way to unlock your team members’ full potential.

    The benefits of performance development

    Performance development goes beyond traditional employee reviews to focus on fostering continuous growth, skills enhancement, and career progression.

    Investing in a more robust approach to performance management has many benefits, including: 

    • Building emerging skill sets. Skills sets for jobs have changed by around 25% since 2015 — and this number is expected to grow to 65% by 2030. Effective performance management can help your team members identify and learn the in-demand and emerging skills they need to be successful in their current roles — and in their future ones. 
    • Increasing employee engagement. Performance development demonstrates the direct connection between feedback and career growth, motivating employees to go above and beyond at work. In fact, Gallup found that development is a top driver of employee engagement.
    • Reducing turnover. Continuous feedback and development shows your organization’s commitment to an employee’s long-term success, making your team members more likely to stay. The Josh Bersin Company found that organizations that offer ongoing skill development to their employees are 7.2x more likely to retain and engage their employees than those that don’t.
    • Improving business outcomes. Upskilling, engaging, and retaining talented team members through effective performance development practices can make a tremendous impact on your organization’s success. Companies that facilitate career development are 4x more likely to innovate effectively and 2.6x more likely to exceed financial targets.

    Building a performance management program that encourages career development

    Effective performance management is more than an annual event — it’s an ongoing process of goal setting, employee development, performance evaluation, and rewards. Each should be discussed regularly to nurture an engaged, motivated, and highly skilled workforce.

    Align on goals and performance expectations

    Just 50% of employees clearly understand what’s expected of them at work and only 21% strongly agree they have performance metrics that are within their control. Ambiguity and uncertainty around job expectations can hinder performance and negatively impact engagement.

    Discussing goals and expectations with each of your team members is a critical step toward effective performance management. Employees should understand how their success is being measured and feel empowered to accomplish their goals.

    Begin discussions on goal setting during your employee onboarding process by reviewing the job description, organizational goals, and your team member’s expected impact. Work together to build achievable short- and long-term goals, revisiting them during check-ins and performance reviews to gauge progress and make adjustments. 

    Employees whose managers involve them in goal setting are 3.6x more likely than other employees to be engaged, making this a worthwhile step in your performance management process.

    Build and maintain employee development plans

    Every employee has opportunities to learn and develop — and most want to. More than four out of five employees (83%) say that improving their skills is one of their top priorities

    Hold regular conversations with your team members to learn about each person’s professional growth goals, career aspirations, and skills they’d like to master. Then find the intersection of your team member’s development goals and your business needs to create a personalized performance development plan for each employee. 

    Performance development should go beyond addressing areas for improvement to also include honing strengths, learning emerging skills, and reskilling. Employees’ top motivation to learn is progress toward career goals, so it’s crucial to get your team members’ feedback and buy-in around their development plan to ensure alignment.

    Update development plans as your team members acquire new skills and identify additional opportunities for professional growth. The most effective development plans are flexible to accommodate evolving needs and interests.

    Provide continuous feedback

    Only 21% of U.S. employees strongly agree they have received meaningful feedback in the last week, with nearly half saying they receive feedback a few times a year or less. In other words, most employees don’t get enough performance feedback to understand what they’re doing well or when they need a course correction.

    Effective performance development requires that feedback be given consistently so employees have the guidance they need to be successful in their roles. Things you can do to make sure this happens include:

    • Initiate casual conversations. Let employees know when you see commendable efforts or teachable moments in their day-to-day work. Frequent feedback lets your team members know how you feel about their current performance and guides their development. Record the feedback in your performance management system so it can be referenced during future performance discussions.
    • Plan regular check-ins. Schedule regular one-on-one meetings to discuss progress toward goals, challenges, and development needs. These informal check-ins are a great opportunity to go in-depth on performance development discussions so you can make necessary adjustments to employee goals and development plans. 
    • Conduct regular performance evaluations. Plan comprehensive performance reviews at regular intervals to assess your employee’s overall performance and goal attainment. If you do performance development well, employees shouldn’t be hearing any feedback for the first time during the review process.

    Reward your team members for professional development

    Rewarding your team members for professional development acknowledges their effort and demonstrates the value your organization places on learning and growth. It can also help you retain employees: Compensation and career progression are among the top reasons for turnover.

    Offer raises and promotions as appropriate to reward your team members for developing their skill sets and gaining new experiences. This is particularly important if your employee’s new competencies or responsibilities qualify them for a higher pay grade or job level according to your compensation strategy.

    Final thoughts: Effective performance management is an ongoing process

    Gone are the days where an annual review is considered sufficient to manage employee performance. Modern teams encourage ongoing performance development to help employees achieve professional growth and meet evolving organizational goals. This approach can help you unlock your team’s full potential and drive your company’s success.

    Resource : https://www.linkedin.com/business/talent/blog/learning-and-development/performance-development

    30Oct, 2023
    New Project Analyzes and Catalogs Vendor Support for Secure PLC Coding

    ATLANTA – SECURITYWEEK 2023 ICS CYBERSECURITY CONFERENCE – A new project aims to make it easier for PLC programmers to implement secure coding practices by analyzing and cataloging useful files and functions from each PLC vendor.

    The new project was presented on Tuesday at SecurityWeek’s ICS Cybersecurity Conference in Atlanta by David Formby, CEO and CTO of Fortiphyd Logic, a company that specializes in endpoint detection for programmable logic controllers (PLCs) and virtual industrial control systems (ICS) security training labs.

    The project builds on the ‘Top 20 Secure PLC Coding Practices’, whose goal is to provide PLC programmers with guidelines for improving security. 

    Some of these practices apply to all PLCs, regardless of vendor. This includes modularizing code, leaving operational logic directly in the PLC, assigning registers by function, using correlation and input plausibility checks, monitoring PLC uptime, trapping false negatives/positives, restricting third-party data interfaces, defining a safe start state in case of a restart, and validating timers, paired input/output, and indirections. 

    However, some secure PLC coding practices are different for each vendor and it can be difficult to identify relevant documentation. The goal of the Fortiphyd Logic project is to provide the information needed for vendor-specific practices in an easy-to-digest format. 

    The information is provided in a table format and includes the product name and model, whether required functionality is supported, and the file or function that enables access to the required data. 

    One secure PLC coding recommendation whose implementation is different for each vendor involves tracking the device’s operating mode. PLCs can have various modes, such as ‘run’, ‘program’, ‘test’ and ‘debug’. It’s easier for an attacker to hack a PLC that is not in ‘run’ mode, which is why it’s important that PLCs are not left in ‘program’, ‘test’ and ‘debug’ modes. In addition, mode changes should be monitored in order to detect a potential attack. 

    However, monitoring mode changes is done differently for each PLC, Formby pointed out. For instance, in the case of Rockwell Automation PLCs, the data can be obtained through the ‘GSV(ControllerDevice.Status)’ instruction or from a status file, while in the case of Siemens PLCs this can be achieved using the ‘GET_DIAG’ function.

    Another vendor-specific secure PLC coding practice involves monitoring flags that indicate various errors and faults, which can be triggered by malicious attacks. However, PLCs from each vendor have different errors and faults and there are different ways of reading them, Formby explained. 

    Attackers targeting PLCs can make changes to the PLC logic and some controllers have checksums that enable users to detect changes in logic. Monitoring checksums can be useful for detecting attacks, but different vendors have different functions for achieving this and in some cases checksum monitoring is not supported at all. 

    Other examples of vendor-specific PLC secure coding practices covered by Fortiphyd Logic’s new project include monitoring cycle times, hard stops, and memory usage, as well as the detection of unused software. 

    For the time being, the new project, hosted on GitHub, only provides information for products made by Schneider Electric, Siemens and Rockwell Automation, but information will be added for other vendors as well, with the goal being to cover all PLC vendors. Anyone can contribute to the project. 

    Fortiphyd Logic has also created a custom module for the top 20 secure PLC coding practices for CISA’s Cyber Security Evaluation Tool (CSET), which provides a series of requirement questionnaires to help organizations assess their security posture.

    Resource : https://www.securityweek.com/new-project-analyzes-and-catalogs-vendor-support-for-secure-plc-coding/?web_view=true

    27May, 2023
    Fake CapCut Websites Spread Information Stealers

    A malware campaign has been found impersonating the CapCut video editing tool to spread different stealers. CapCut is an official video editor, developed by ByteDance. It is popularly used as an editing tool for TikTok videos (also owned by ByteDance) and comes with several features. CapCut has over 500 million downloads on Google Play and its website receives over 30 million monthly hits, making it an attractive target for cyberattacks.

    What’s happening?

    Owing to the nationwide bans in India, Taiwan, and other countries, users are looking for alternative ways to get access to the CapCut app. The popularity of CapCut has made users look for alternative ways of getting the app. To harness this opportunity, attackers have created websites that spread malware disguised as CapCut.

    • The attackers are suspected to be using search ads, black hat SEO, and social media to advertise these malicious sites.
    • They used multiple domains, such as capcut-editor-video[.]com and capcutdownload[.]com, to deliver information stealers to victims’ systems via two different campaigns detailed below.

    Offx Stealer campaign

    The first campaign uses fake CapCut sites with a download button spreading the Offx Stealer on systems. The stealer binary uses PyInstaller and only runs on Windows 8, 10, and 11.

    • Whenever a victim runs the downloaded file, they are shown a fake error message stating that the app launch has failed. However, Offx Stealer keeps operating in the background.
    • The malware attempts to steal credentials and cookies from web browsers and targets data stored in Discord, Telegram, popular cryptocurrency wallet apps (Bytecoin, Atomic, Zcash), and remote access software (AnyDesk and UltraViewer).

    Redline Stealer campaign

    The second campaign uses fake CapCut sites delivering the ‘CapCut_Pro_Edit_Video[.]rar’ file on systems, including a batch script that executes a PowerShell script when opened.

    • The PowerShell script decompresses, decrypts, and loads the final payload – a DotNET executable and Redline Stealer. The DotNET executable bypasses the AMSI Windows security feature.
    • Additionally, the same fake CapCut site serves as a host for BatLoader.

    Resource: https://cyware.com/news/fake-capcut-websites-spread-information-stealers-7ac5436c

    20Feb, 2023
    API management (APIM): What It Is and Where It’s Going

    Analyzing the concept of API management (APIM), its benefits, and what it will look like as the API landscape continues to evolve.

    There are two fundamental truths in the API landscape.

    • First: APIs have become a strategic tool for companies to expand their digital reach, accelerate their businesses, and do more for their customers.
    • Second: because of the way they work and how they’ve been used so far, APIs are particularly vulnerable to attacks from bad actors. In fact, according to recent research, malicious API attack traffic surged 117% over the past year, indicating that the threat on APIs is far from abating.

    So, where does this leave businesses that want to leverage the power of APIs? For starters, they need to invest in an API security strategy that covers all their bases. A robust strategy will be held up by a number of different tools and methodologies, including API management (APIM).

    In this article, we’re taking a closer look at what APIM is, its benefits, and what it will look like as the API landscape continues to evolve.

    What Is APIM?

    APIM is the process of creating, distributing, monitoring, and analysing APIs that connect applications and data across the enterprise and clouds. Typically deployed as a scalable platform, APIM allows enterprises to share their API configurations while controlling access, monitoring and collecting usage data, and enforcing security policies related to APIs.

    In other words, APIM gives businesses the power to better leverage the API economy without compromising on security. There are also internal benefits: managing all APIs on one unified platform lets enterprises share API documentation and coding constructs between teams, ultimately making things easier (and faster) for developers.

    What Are the Components of APIM?

    To facilitate flexibility, quality, speed, and security for enterprise APIs, APIM platforms are usually comprised of five key elements, outlined below.

    API gateway: The API gateway acts as the portal through which all routing requests and protocol translations are handled. As APIs often have different structures and languages and are constantly changing, an API gateway facilitates communication, providing a single point of contact for internal and external parties to interact with APIs.

    API developer portal: The developer portal provides a self-service hub for developers that want to access and share API documentation. This contributes significantly to speeding up how developers work with APIs, streamlining the building and testing processes, and providing consistency across the team.

    API analytics: There’s a lot of value in understanding and evaluating a given API’s usage and operational metrics — and that’s where an API reporting and analytics function comes in. APIM platforms are often equipped with dashboards that provide this visibility and allow enterprise teams to make better decisions about how they use their APIs, such as whether it’s worth monetizing them. From an operational perspective, these dashboards help identify issues early so they can be addressed proactively.

    API lifecycle management: With APIs, one of the biggest challenges is that there isn’t visibility into the whole lifecycle — from design to implementation and retirement. The reason is that APIs are often created for small internal uses and then launched into bigger use cases without the proper vetting. Lifecycle management mitigates this, providing a sustainable solution for building, testing, and managing APIs with version control support.

    API policy manager: Each API should operate within a set of API policies that shape its evolution. API policy managers control the lifecycle of these policies and house broader policies that impact the entire API infrastructure.

    In an APIM platform, each of these tools comes together to give companies a more complete and comprehensive view into their APIs and the control to enhance security across the API ecosystem.

    What APIM is Not

    From a security perspective, while APIM platforms are key for creating unified visibility and control over a company’s API infrastructure — and for facilitating the implementation of API security features — it’s important to note that it’s only one pillar in a robust API security strategy. API management platforms are not, fundamentally, security platforms. They lack key API security elements organizations should enforce, including continuous authentication and authorization, access control, data validation, runtime security tailored to the OWASP API Top 10 attacks, and a testing plan for APIs both in production and pre-prod.

    It’s also important to note that APIM isn’t a one-size-fits-all solution. It’s essential to evaluate the company’s IT infrastructure and other resources to ensure that they are equipped to adopt and implement a new platform for its APIs. Do you have the right level of expertise on your team? Are you working with enough APIs to justify the adoption of an APIM platform? Do you have API security policies in place to enable your APIM tool to do its best work? These are all critical questions to ask as you evaluate this solution.

    What Are the Benefits of APIM?

    For many enterprises, APIs are the Wild West of their technical infrastructure. APIs often differ significantly from one another, making it challenging to create overarching measures to manage them. The landscape is constantly changing, so documentation quickly becomes outdated and irrelevant. This is part of what makes APIs such an appealing threat vector for cybercriminals. APIM remedies this while providing other benefits.

    APIM supports businesses by:

    • Centralising visibility to all API connections, lowering the risk of attacks, and giving teams the ability to identify gaps and duplicates
    • Facilitating data-driven decisions for the business, such as monetizing the API
    • Protecting the business from API-related threats
    • Enabling the creation of detailed API documentation
    • Creating better user experiences for API consumers
    • Improving developer experiences
    • Providing better insights into the current state of API security, allowing teams to create a better ecosystem

    What Does the Future of APIM Look Like?

    APIs aren’t going anywhere. Businesses are continuing to build applications that rely on hundreds, if not thousands, of APIs. With APIs exposed to multiple data centres, cloud providers, and customers, with different levels of access requirements and customization, the scale and complexity of the ecosystem are only going to get bigger. For enterprises that want to stay agile, organised, and secure, APIM will be crucial.

    APIM will continue to be an important driver for functions such as versioning, deployment processes, usage metrics, and interoperability. And from a security perspective, they will develop as API gateways become more mature, doing more in the rate limiting, data masking, and authentication spaces.

    Other changes will come within the interfaces themselves. There’s a growing shift in the developer tooling space with the emergence of tools that favour visual drag-and-drop functionalities instead of coding. This way, different teams can contribute to APIM within the bounds of their skill sets and still have a clear understanding of the workflows, API lifecycles, and API security policies.

    As APIM platforms continue to mature, they will become an even more strategic asset for businesses that want to make the most of the API landscape without compromising their security.

    About the Author: Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space. She is also a regular writer for Bora

    Resource : https://securityaffairs.com/141738/security/api-management-apim.html

    20Feb, 2023
    Top 5 API Lessons for Software Engineering Leaders

    It is important for software engineering leaders to balance the technical and business goals of their API strategy and practice by considering these top 5 aspects.

    Software engineering leaders around the world see application programming interfaces (APIs) as the best option to connect systems and applications to build impactful and composable software architectures. However, they overlook the business potential of APIs as digital products and focus largely on technical use cases. 

    To deliver meaningful business outcomes and gain the trust of stakeholders, organizations need a modern API strategy that is closely aligned to business goals, and which covers API security, governance, life cycle management, developer enablement and potential for monetization. 

    “Software engineering leaders responsible for API strategies shouldn’t focus only on the technical benefits of APIs. They must incorporate the business perspectives to avoid risking the support of business stakeholders,” says Shameen Pillai, Sr Director Analyst at Gartner.

    Here are the top five considerations for software engineering leaders to develop an effective API strategy and practice.

    No. 1. Don’t let API governance create bottlenecks

    For developing, managing and governing APIs without creating bureaucratic hurdles, software engineering leaders can implement an “adaptive governance” model. The idea is to create a federated API platform team (for example, having product managers from different business groups such as digital, commerce and logistic API teams) and manage the locally built APIs without undermining the overall API strategy.

    To support localized standards, tools and processes, ensure that API product teams do not create disjointed or overlapping standards and actively participate in federated API governance. The platform teams and product managers should have consistent communication to be aware of shared assets, policies and practices.

    No. 2. Treat APIs as products, even if you don’t plan to monetize them

    Looking at APIs as a way to achieve technical purposes isn’t enough in the postpandemic world. They are now essential in advancing digital business strategies and should be treated as products without prioritizing monetization. Although many organizations monetize APIs, the majority don’t. Many organizations use API products for internal consumption only.

    Regardless, the development, organization and management of APIs should be driven by a consumer-centric mindset that requires product managers to:

    • Prepare API roadmaps and measure business outcomes
    • Understand and cater to the needs of API consumers (for example, developers) to promote API products and improve developer relations (DevRel)

    No. 3. Discover your APIs before hackers do

    As APIs are the gateways to systems, applications and services, they are always vulnerable to security threats. This may result in the loss of private and sensitive information about millions of users.

    The security strategy for APIs should focus on threat protection, well-refined access control and data privacy. Software engineering leaders often protect the published APIs, but there can be shadow or unpublished APIs. API discovery is the key to ensuring that there are no blind spots and to track any malicious usage of APIs.  

    Software engineering leaders should adopt a DevSecOps strategy and institute a security governance policy across the organization. They should assess and enhance the capabilities of API security and management solutions to discover APIs and potential threats from hackers.

    No. 4.Manage the life cycle of APIs

    An API’s life cycle involves four stages:

    • Planning and initial design
    • Implementation and testing
    • Deploy and run
    • Versioning and retirement

    Software engineering leaders should build a consistent process around the four life cycle stages to develop a comprehensive API strategy and practice. For example, the “planning and initial design” stage should focus on an iterative process, consisting of a design approach, methodology and governance. Likewise, the “deploy and run” stage should focus on advanced security analytics to measure API business value.

    Leverage automation to sustain API quality, track issues and optimize the API’s life cycle based on actual performance.

    Align the development of APIs with the organization’s DevOps process for continuous integration and delivery. This way, software engineering leaders learn about other considerations when building, deploying, testing and implementing APIs in various environments. For example, as per API testing guidelines, certain functional, performance and security testing requirements can be mandatory.

    No. 5. Choose best-fit API technologies

    There are a variety of vendor solutions for developing and managing APIs available in the market today. However, the API market is evolving, with some vendors focusing on specific aspects of APIs like design, testing, monitoring, security, portals and ecosystem management. 

    Related webinar: How to Benefit From API Startups and New API Trends

    With so many different solutions to select from, software engineering leaders should have clarity regarding the needs of their organization and engineering groups. To make the selection more credible and collaborative, involve API product managers, API platform teams and security teams in the process. 

    It may be difficult to identify what differentiates different vendor solutions when it comes to potential, viability and maturity. Review critical capabilities for API life cycle management to understand the respective strengths and weaknesses of each solution and select the best possible fit.

    Resource: https://www.gartner.com/smarterwithgartner/top-5-api-lessons-for-software-engineering-leaders