API Sentinel ID’s All Published APIs, Provides Continuous API Security Visibility and Monitoring

Jun 17, 2020 | Data, Mobile, Security, Social Media

Featured article by Jeff Steuart, Kelley Group Two

APIs are the “connective tissue” used in every application that an average user is likely to touch. They’re used more heavily than ever before, according to Cequence Security’s Matt Keil. “Mobile and IoT devices, the adoption of containers and the move to decentralized or agile development are the driving forces behind the explosion in API usage.”

That’s one reason why API-focused attacks are increasingly popular with bad actors. Another is organizations’ poor or non-existent visibility into just how many APIs they have and where and how they’re used.

As a result, automated attacks like account takeover, fake account creation and scraping are routinely executed against APIs, and are often only discovered when users find their loyalty points have been stolen, or they are notified of suspicious activity.

Keil notes that APIs can also expose too much information when a request is made, inadvertently grant a user elevated privileges (like an Admin), or expose API keys that grant access. “Organizations will often discover these types of attacks the hard way – when they are breached. By analyzing the APIs as they are published to discover these errors, API Sentinel can help eliminate the risks. Organizations struggle with the lack of visibility into their API footprint in the form of inventory, usage, risk and specification conformance.”

“Organizations typically spend more time focused on active attacks and breaches than they do assessing their code and environments for vulnerabilities and security gaps which are often hiding in plain sight. In most cases, they simply lack tools that can provide that level of visibility for APIs,” said Ed Amoroso, chief executive officer of TAG Cyber.

And those are some of the problems that API Sentinel by Cequence Security is built to solve.

“API security is the fastest growing segment of the security market today, but has been largely underserved by siloed point products that only address a part of the problem. The addition of API Sentinel to the Cequence Application Security Platform extends our API protection beyond automated bot attacks and API abuse to include discovery of API risks introduced by shadow publication, coding or non-conformance errors,” said Ameya Talwalkar, co-founder and chief product officer of Cequence Security. “Our end-to-end approach ensures that API security can be clearly understood and actioned across development, security, operations, and compliance teams.”

API Sentinel integrates with existing API management tools like gateways and proxies, and provides insights into the usage of each API needed to mitigate security vulnerabilities. Key capabilities:

– Continuous Risk Scoring: Assesses and assigns a numeric risk factor for each API based on strength of authentication used, presence of PII, PCI or other sensitive data, detection of unencrypted communication, and non-conformance to the OpenAPI specification.

– Runtime API Catalog and Usage Analysis: Automatically discovers all APIs, including managed and shadow APIs. Analyzes API usage and access, including geo-location, IP addresses and organizations. Provides a view into headers, parameters, and response codes with flexible time-based filtering.

– Schema Non-conformance Detection: Performs a runtime comparison of your inventoried APIs against an OpenAPI specification to uncover and flag API endpoints, headers, parameters and response codes as non-conformant. Discovered out-of-spec elements can be addressed by development, effectively mitigating security risks before they reach production.
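To make the schema non-conformance idea concrete, here is an added sketch (not Cequence's code and not taken from API Sentinel) that compares observed requests against an OpenAPI document and flags shadow endpoints, undocumented methods, undocumented query parameters and undocumented response codes. The spec fragment, paths and log records are constructed for illustration.

```python
import re

# Constructed OpenAPI 3 fragment; paths and names are illustrative assumptions.
SPEC = {"paths": {
    "/users/{id}": {"get": {
        "parameters": [{"name": "id", "in": "path"}, {"name": "fields", "in": "query"}],
        "responses": {"200": {}, "404": {}}}},
    "/login": {"post": {"parameters": [], "responses": {"200": {}, "401": {}}}},
}}

# Constructed observations, shaped like records a gateway or proxy could emit.
OBSERVED = [
    {"method": "GET", "path": "/users/42", "query": ["fields"], "status": 200},
    {"method": "GET", "path": "/users/42", "query": ["debug"], "status": 200},
    {"method": "POST", "path": "/login", "query": [], "status": 500},
    {"method": "GET", "path": "/internal/export", "query": [], "status": 200},
]

def _template_regex(template):
    # "/users/{id}" -> regex where each {variable} matches one path segment.
    parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "$")

def find_nonconformance(spec, observed):
    """Return (kind, detail) findings for traffic the spec does not describe."""
    findings = []
    routes = [(_template_regex(t), t, ops) for t, ops in spec["paths"].items()]
    for req in observed:
        hit = next(((t, ops) for rx, t, ops in routes if rx.match(req["path"])), None)
        if hit is None:  # no documented path template matches: shadow endpoint
            findings.append(("shadow_endpoint", f'{req["method"]} {req["path"]}'))
            continue
        template, ops = hit
        op = ops.get(req["method"].lower())
        if op is None:
            findings.append(("undocumented_method", f'{req["method"]} {template}'))
            continue
        allowed = {p["name"] for p in op.get("parameters", []) if p["in"] == "query"}
        for name in sorted(set(req["query"]) - allowed):
            findings.append(("undocumented_parameter", f"{template}?{name}"))
        responses = op.get("responses", {})
        if str(req["status"]) not in responses and "default" not in responses:
            findings.append(("undocumented_response", f"{template} -> {req['status']}"))
    return findings

if __name__ == "__main__":
    for kind, detail in find_nonconformance(SPEC, OBSERVED):
        print(kind, detail)
```
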

API Sentinel discovers and analyzes all of the organization’s APIs to detect and mitigate security risks – Cequence Security.

“The Cequence team is committed to helping us enhance API security to protect our environments from potential bad actors. They helped bolster and protect our API security from all forms of risk,” said Ram Ravichadran, CTO of Narvar, a customer engagement platform used by more than 600 retailers and brands.

“API Sentinel fills a critical need so that security and development can collaborate to secure and protect today’s API-driven applications,” Amoroso said.

Cequence is conducting a webinar on API Sentinel Wednesday, June 24, 2020, 11 am PDT. Registration link: https://bit.ly/3fd3dHB

To register for a free trial of API Sentinel, visit: www.cequence.ai/api-sentinel.

 
