Carahsoft, in conjunction with its vendor partners, sponsors hundreds of events each year, ranging from webcasts and tradeshows to executive roundtables and technology forums.

Government Events and Resources

Events

F5

F5 Capture the Flag


Event Date: March 18, 2025
Hosted By: F5, WWT & Carahsoft
Location: Montgomery, AL

The F5 DISA team hosted an interactive Capture the Flag competition where attendees competed against others to hunt for API vulnerabilities and learn how they work.

In this lab and Capture the Flag exercise, attendees learned how to identify and mitigate:

  • Hard-Coded Secrets: Many applications exchange user credentials for a hard-coded token or key. Anyone who knows this key can gain access to the application; moreover, these keys often have no expiration, allowing a user to bypass the authentication process entirely.
  • Broken Authorization: Granting blanket access through API keys has proven detrimental to multiple mobile and web applications. Malicious users have used such blanket access to obtain confidential data belonging to others.
  • Data Access Control on User Interface (UI): Time and again, we have seen implementations where APIs pull more data from a server than the app is authorized to share. Even if the app's UI filters this information from the user, attackers can access and exploit the data returned by the API.
  • Security Check for User Interface (UI): Over the last few decades, we have learned that no input from the client should be blindly trusted. In some instances, checks are built only into the UI, and they can be circumvented with man-in-the-middle tools or API tools.
  • Weak Tokens: JSON Web Token (JWT) has soared in popularity for use within APIs because of its ability to provide integrity. However, a JWT implementation without a proper cryptographic signing mechanism can lead to privilege escalation.
  • Credential Stuffing: Bots have automated the testing of stolen website login credentials, and testing credentials against APIs is no different. Bots can be used to scrape APIs for data or to validate stolen credentials, eventually leading to account takeover (ATO) attacks.
  • Version Troubles: APIs are often changed to add functionality or remove unused features. Because these changes can break the clients that use them, it is common practice for organizations to maintain multiple API versions to ensure compatibility. Out-of-sight, out-of-mind treatment of older API versions has caused breaches, because security controls for the older version are not kept up to date.
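The "Weak Tokens" and "Hard-Coded Secrets" items above, illustrated in an added example that is not part of the event page or of F5's lab material: a minimal HS256 JWT signer, a verifier that trusts the payload without checking the signature (the flaw), and a hardened verifier that pins the algorithm, checks the MAC in constant time and refuses tokens with no expiry. The signing key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder key; a real service loads this from a secret store, never from source.
SECRET = b"example-signing-key"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256-signed token over the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt_weak(token: str) -> dict:
    """The flaw from the list: the payload is decoded and trusted, the signature is never checked."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_jwt(token: str, key: bytes = SECRET, now=None) -> dict:
    """Hardened check: pinned algorithm, constant-time MAC compare, mandatory expiry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never honour "none" or a client-chosen algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if "exp" not in claims or claims["exp"] <= current:
        raise ValueError("token expired or has no expiry")  # no non-expiring credentials
    return claims
```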



Resources


Featured

In this episode of Identiholics, host Christine Owen is joined by Jamie Danker from Venable and Carole House from Terranet. They discuss the importance of women in the cybersecurity field and the need for more women to be involved in privacy and security discussions. The conversation highlights the ...

The discourse around secure mobile communication platforms has escalated in the United States public sector, where security and data integrity aren’t just priorities but mandates. As agencies become increasingly dependent on digital technologies to execute their missions, the need for secure p...

Collibra has been named a Leader in The Forrester Wave™: Data Governance Solutions, Q3 2025 report, recognized for its strong vision and comprehensive capabilities. Download the report to explore emerging trends, evaluation criteria for governance tools, and why Collibra stands out in today...

Ready to fast-track your implementation? The Road to Go-Live Handbook reveals proven strategies, expert tips, and step-by-step guidance to help you launch with confidence and deliver results faster. View this essential playbook for turning process insights into real business impact—download no...

SBOM360 Hub is the tech industry's first SBOM exchange for complex software. The Hub allows publishers to manage, create, publish, and share SBOM data that complies with SBOM standards along the distribution chain. This enables risk reduction and safe transfer of data.

Lineaje Third Party Management (TPRM) provides a solution that reduces the risks in the technology purchased. TPRM analyzes security risks in each device by automatically detecting the security policy violations. Some noticeable capabilities are secure SBOM exchange, Automated Risk Analysis, Auto-up...

Executive order 14028 aims to enhance software supply chain security by updating the requirements. Key requirements of the executive order are SBOM minimum fields based on NTIA specifications, signed self-attestation form, and evidentiary artifacts. This article goes in depth on how each key require...

Government agencies are facing increasing demands to provide services more efficiently, transparently, and with limited resources. To support this transformation, we're thrilled to share that Accela has acquired ePermitHub—marking a significant advancement in streamlining permitting and pl...

The 2020 pandemic highlighted the vulnerabilities of the software supply chain. SBOM360 by Lineaje is the company's first supply chain manager. The Apache Software Foundation (ASF), an open-source provider, shared its extensive findings on the broader open-source world.

Software is attacked by finding a weakness and taking advantage of it. Defending against these attacks on the supply chain requires different systems to work simultaneously. An extensive approach is needed in order to handle the full complexity of the problem.