Application programming interfaces enable applications to communicate, making users able to access what they want, where they want, when they want from the nebulous “nowhere and everywhere” of the cloud. Without APIs, cloud computing as we know it wouldn’t exist.
They are so pervasive that API calls constitute 83% of all web traffic. But this ubiquitous nature makes APIs a prime target for criminals. Information technology research and consultancy firm Gartner Inc. predicted that in 2022, “API attacks will be the most-frequent attack vector causing breaches for enterprise web applications.”
As with many security issues in IT infrastructure management, it all comes down to a lack of observability.
“People don’t even know where their APIs are,” said Shreyans Mehta (pictured), founder and chief technology officer of Cequence Security Inc. “Last year, there was a third-party API that was exposing credit scores without proper authentication. Facebook had a [Broken Object-Level Authorization API] vulnerability … everybody is exposed.”
Mehta spoke with theCUBE industry analysts John Furrier and Dave Vellante at AWS re:Inforce, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed Cequence’s six-step process for ensuring API security. (* Disclosure below.)
Cequence provides API observability on steroids
Unified API protection provider Cequence protects close to 6 million API transactions each day, covering more than $2 trillion in customer assets across 2 billion accounts. Since being featured in theCUBE’s “AWS Startup Showcase: The next big thing in AI, Security, and Life Sciences” event last year, the company has seen a 410% increase in users, which it projects will translate into a 1230% upswing in the amount of traffic it protects.
“What we provide is a unified view, number one, and the unified way to protect those applications,” Mehta explained. “Think of it like you have a data plane that is sprinkled around wherever your edges and gateways and ingress controllers are, and you have a central brain to manage it in one place in a unified way.”
There are six steps to the unified API protection process, according to Mehta, who outlined them for theCUBE:
Step one: Discover where your APIs are.
Cequence’s six-step process to full API protection starts with its API Spyder, an agentless tool that provides visibility into an organization’s API attack surface.
“You can just sign up on our portal and then fire it away. And within a few minutes to an hour, we’ll give you complete visibility,” Mehta said.
Step two: Catalog your APIs.
Once the APIs have been located, Cequence integrates into an organization’s cloud and on-premises environments and automates an API cataloging process.
Step three: Ensure compliance.
After cataloging the APIs, Cequence performs a risk assessment, examining the information each could potentially be exposing.
“There could be credit card information, health information, so [Cequence] will treat every API differently based on the information that they’re actually exposing,” Mehta said.
Step four: Detect API abuse.
“Every business has a business logic that they end up exposing, and then the bad guys are abusing them,” Mehta said.
The exposed logic can involve critical or sensitive business functions and data, such as login endpoints, new-account information, shopping information or pricing structures. Cequence detects any vulnerabilities, and then …
Step five: Prevent API abuse.
… natively prevents these vulnerabilities from exploitation on its platform.
“Because if you send signals to third-party platforms … it’s already too late and it’s too coarse grain to be able to act on it,” Mehta stated.
Step six: Shift left to full-spectrum API security.
The final step involves bringing the continuous integration/continuous delivery (CI/CD) pipeline into the security loop.
“It’s not just about shifting left,” Mehta stated. “Unified API protection [is] protecting around the full life cycle of your APIs, ranging from discovery all the way to testing. So, helping you throughout the life cycle of APIs, wherever those APIs are — in any cloud environment, on-prem or in the cloud, in your serverless environments. That’s what Cequence is about.”
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the AWS re:Inforce event:
(* Disclosure: Cequence Security Inc. sponsored this segment of theCUBE. Neither Cequence nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)