About Us

Synack launched API pentesting capability  

Synack has launched an API pen testing capability, which is supported by its global community of elite security researchers. Organizations can now rely on the Synack platform to provide continuous pen-testing coverage across “headless” API endpoints, which lack a user interface and are therefore increasingly vulnerable to attackers. 

Peter Blanks, Chief Product Officer at Synack stated, “Many organizations are struggling to find the top-tier cyber talent needed to root out API-specific vulnerabilities. We’re excited to extend our Synack platform to provide human-powered offensive security testing on APIs.” 

Synack’s headless API capability is based on years of API pentesting experience with web and mobile applications. Customers can now enter API documentation to guide testing scope and coverage using the new platform features. The Synack Red Team then attempts to exploit API endpoints in the manner of a real external adversary. 

On API requests, only Synack Red Team members with proven API testing skills are activated, reducing noise. In 2022, Synack’s Special Projects division successfully conducted over 100 pentests against headless APIs, providing customers with critical proof-of-coverage reports while validating researchers’ API expertise. 

Mark Kuhr, CTO, and co-founder at Synack and a former National Security Agency cybersecurity expert commented, “Synack’s human-led, the adversarial approach is ideal for testing APIs that form the backbone of society’s digital transformation. We are thrilled to offer customers a unique, scalable way to secure this growing area of their attack surfaces.” 

Vulnerability submissions and testing reports are routed through Synack’s Vulnerability Operations team for a thorough vetting process before being displayed in the platform, minimizing false positives, and ensuring high-quality results. 

Read More : API Security Should Be Your Priority in 2022

Authomize expanded its REST API framework

Authomize announced the expansion of its REST API framework to enable customers to build their own custom connectors to their cloud and homegrown applications and services in a couple of hours. With the help of Authomize’s Software-as-a-Service (SaaS) solution, businesses can automatically secure access rights across every cloud service they use, including IaaS, SaaS, and IAM solutions. 

Guy Katzir, Head of Product at Authomize stated, “Authomize’s exceedingly granular connectors allow us to provide in-depth visibility into the most complex IAM permission models, including users, groups, roles, access privileges, assets, and activity. Our ability to map and understand the hierarchy structures within assets and groups gives customers the fine-grained insights they need to apply the most effective identities and access security controls and perform the most thorough incident investigations. 

We are already seeing customers using the REST API to build integrations to Coupa, Workday, Zuora, Chef, NetSuite, and Tenable.io. and more. They are using these connectors to get the same high level of IAM permission modeling and depth of visibility value that we provide for our native connectors. Our new framework enables them to perform all functions they look to Authomize for, from running accurate streamlined User Access Reviews to enforcing security policies with continuous monitoring.” 

Authomize can ingest, normalize, and analyze identity and access data from any cloud, on-premises, or custom application or service by using native connectors, REST APIs, SCIM connectors, and a file uploader. Using this data as a foundation, Authomize can gain deep insights into the efficient access paths that would otherwise be hidden by the proliferation of IAM structures and siloed environments across multiple clouds. To enable users to connect more of their applications and services with the same level of granularity and coverage as the native connectors, Authomize has just released a new version of its API. 

Businesses can integrate Authomize with every component of their security infrastructure, including the top SIEMs, SOARs, and ITSMs, using the new REST API. 

Along with the recently released APIs, users can now take advantage of new webhook functionalities to automate access privilege revocation directly through Okta, send alerts to security orchestration tools like Microsoft Sentinel, and open tickets in ServiceNow and Jira, enhancing the value of the rest of their tooling ecosystem with Authomize’s identity and access data enrichment. 

Authomize has expanded its integrations by including Identity Providers (IdPs) OneLogin and JumpCloud, as well as Bamboo HR and Delinea’s Secret Server, which will enable them to track users between Secret Server and AWS, assisting clients in locating stale accounts and secrets. 

Read More : API Security Should Be Your Priority in 2022

DataMotion introduced DataMotion No-Code Experience

DataMotion introduced DataMotion No-Code Experience for mobile applications and portals. It offers a more user-friendly method of accessing the DataMotion platform after considering the market conditions now and the associated limitations faced by enterprise and healthcare development teams. 

The No-Code Experience is launched as a web component, with the goal of providing a simple and secure customer experience that requires few or no development resources. Customers can drop the No-Code web component into their responsive webpage by making a few settings changes in an intuitive user interface and gathering the necessary code snippet. In the client’s mobile app or portal, this develops a personalized, secure message center. Customers using the No-Code Experience can configure the web component to suit their unique use case. 

Bob Janacek, CEO of DataMotion commented, “DataMotion provides APIs and pre-built solutions so that our customers can introduce and enhance their secure exchange workflows where they need it. Currently, our API-first approach requires customers to develop their user interface to call our platform. But in looking at market conditions, it is obvious that the impact of the ‘Great Resignation’ has stretched our customers’ development resources too thin. The team at DataMotion stepped back, reimagined how we can deliver services to our customers, and concluded that our best approach was to develop the No-Code Experience. This experience brings the solution to market quickly, and results in compliance win immediately.” 

The enterprise portal’s features have been carefully incorporated into the web component’s design. This also involves inheriting CSS and branding with unique colors in the settings screen for a fully responsive solution. It’s easy to have complete control over what users see on the screen. The DataMotion No-Code Experience is integrated with providers of enterprise single sign-on (SSO) solutions, which makes deployment even easier. 

“This solution allows us to simplify the use of DataMotion’s platform where it is needed, without the enterprise having to build the UI. We deliver secure content exchange to the customer’s website, mobile site, and anywhere it is needed.”, Janacek continued. 

Read More : API Security Should Be Your Priority in 2022

ArmorCode Partners with Traceable AI!

ArmorCode, the industry leader in AppSecOps, partnered with Traceable AI, the leading API security and observability firm in order to improve Application Security Posture from code to cloud,. Modern applications are increasingly using APIs to supply functionality to move at the speed of business.  

The problem is that every new API must be protected, and as the number of APIs in use rises, it is getting more and more difficult for businesses to keep track of which APIs are used, as new apps are constantly launched. With the help of this new connection, ArmorCode customers can now efficiently track the usage of their APIs and identify malicious users within the context of a larger application security posture. 

Upendra Mardikar, Chief Security Officer of Snap Finance said, “Agile DevOps, Cloud Deployment, Microservices, API adoption, and Open Source have all dramatically accelerated application delivery and application risk posture. ArmorCode’s platform provides us with a unified visibility into applications, microservices, and automates complex DevSecOps workflows. Traceable AI solves for us one of the biggest problems security teams face, which is distinguishing between valid and malicious use of an application’s APIs. The ArmorCode and Traceable AI combination helps us do this at a fraction of the cost and time. 

“The broad use of APIs in cloud-native applications has greatly expanded the attack surface for enterprises. Traceable monitors end-to-end application activity, from the user and session all the way through the application code. Traceable’s integration with ArmorCode simplifies AppSec and Development teams workflows, removing friction between these teams to further accelerate the delivery of secure APIs.”  Jyoti Bansal, CEO and Co-founder of Traceable AI. 

ArmorCode offers a full range of services to assist businesses in addressing the continuously growing attack surface. Companies can only safeguard what they see, and given the present climate, it is essential to invest in a number of solutions in order to acquire the insights required to rigorously manage security threats. With over 130 pre-built integrations that can effortlessly interface with the ArmorCode AppSecOps platform, ArmorCode can serve as the central centre for these products.  

Read More: API Security Should Be Your Priority in 2022

Traceable AI Enhances its Security Platform to Improve Observability and Visibility

Traceable AI, a context-aware API security platform, recently added extended Berkeley Packet Filter (eBPF) data to its platform. With no additional instrumentation or delay, Traceable AI assists CISOs, DevSecOps, and DevOps teams in enhancing their organizations’ API security posture by enabling deeper observability and visibility into APIs.

Traceable AI, an API security platform with years of experience in distributed tracing and observability, delivers automatic and continuous API discovery, prevents API assaults, and offers actionable intelligence to help with threat hunting and security decisions. In addition to identifying APIs, Traceable also assesses API risk posture, thwarts API assaults that cause incidents like data exfiltration, and offers analytics for threat hunting and forensic investigation. With its latest solution, businesses of any size can efficiently identify, manage, and secure their APIs.

The eBPF kernel technology, which has its roots in Linux, enables programs to operate without altering the kernel source code or incorporating additional instrumentation. Traceable AI benefits from it through eBPF’s deep data collected from the application environment. This method offers consumers 360-degree observability and visibility into every API activity when paired with Traceable AI’s cutting-edge technology.

“Traceable is the first API security vendor that captures API security-related data from application environments using eBPF within its platform. eBPF is critical for the most efficient API security at scale and is especially important for businesses with high-performance security requirements. Think of it as a [web]space telescope, giving companies unprecedented views into their APIs without performance drawbacks. Leading with innovation, our focus has always been on observability, and this move continues to drive our leadership”, said Sanjay Nagaraj, co-founder and CTO of Traceable AI.

Read More : API Security Should Be Your Priority in 2022

ThreatX Introduced Quick Start Program for API Protection

ThreatX has introduced the API Protection Quick Start Program, which is designed to aid organizations in better protecting their APIs by quickly deploying real-time protection against botnet, DDoS, and complex, multi-mode attacks.

APIs are a gold mine for attackers because they allow applications to share data and are increasingly being used to streamline communication between consumers and business partners. As a result, API adoption has outpaced security teams’ ability to protect against threats, leaving the connected systems vulnerable. While some vendor offerings claim to provide complete API security, they frequently lack bot protection and real-time blocking capabilities, leaving customers vulnerable to threats.

Billy Toomey, Vice President of Sales at ThreatX commented, “We’ve seen firsthand that security teams are struggling to understand how to protect their organization’s APIs against real-time threats, and they’re often trying to do so with scarce time, resources, and human power. We’re thrilled to launch this program, and are confident it will empower small, midsized, and enterprise customers to begin building their API security programs with the full support of ThreatX SOC.”

ThreatX Quick Start program helps businesses get started with API protection by allowing them to build their API security program without putting their resources at risk. The program provides real-time monitoring and blocking of API attacks, allowing protection without the need for additional tools or attack data that must be analyzed after the fact. The fully managed program offers customers support from ThreatX Security Operations Center (SOC), which offers 24/7 coverage and expertise.

Read more articles:

API Security Should Be Your Priority in 2022

Neosec Launched ShadowHunt For API Security

Neosec launched ShadowHunt, a managed threat hunting service staffed by experts, to supplement its platform with human oversight from active threat hunters to identify the most hidden and obfuscated API abuse. Neosec’s SaaS platform discovers all APIs, analyzes their behavior, audits risk, and eliminates threats lurking within. It brings together security and development teams to protect modern applications at scale from threats.

Neosec applies threat hunting techniques like those used in EDR and XDR to API security. ShadowHunt provides security teams with the assurance that API security experts are investigating unusual behavior on their API estate.

Giora Engel, co-founder, and chief executive officer of Neosec stated, “The increasing potential for insiders or attackers to utilize business APIs for criminal or malicious gain requires a new level of scrutiny and sophistication. The new ShadowHunt service augments our platform with an expert team to monitor API usage and hunt for fraud, abuse, or critical vulnerabilities without any drain on an organization’s existing security team.”

Organizations can manage the growing risk of manipulation, theft, and misuse of core business systems, assets, and data by combining the ShadowHunt service with the Neosec cloud-based platform. Because APIs are increasingly used to connect important business systems to customers, suppliers, and partners, the service is ideal for companies where security teams are understaffed or lack the expertise required to identify threats in business API traffic.

The Neosec platform handles API vulnerabilities by automatically and continuously identifying all APIs in use by a company, assessing their risk posture, and monitoring user behavioral anomalies that could involve data theft or other misuses. Most businesses do not have a complete API inventory, let alone an understanding of the nature of typical API usage. The ShadowHunt service can now supplement the use of the Neosec platform with a team of experts to respond quickly to findings, investigate potential threats, and recommend immediate remediation and actions.

The ShadowHunt service and the Neosec platform work together to provide a quick way to incorporate full monitoring and investigation of anomalous business API usage without interfering with existing security operations or team workload. The combination can quickly and transparently add protection against vulnerability exploits and API business abuse.

Read more articles:

API Security Should Be Your Priority in 2022

API Security Should Be Your Priority in 2022

API security represents the application of any security best practice to APIs, which are widely used in modern applications. API security encompasses API access control and privacy, as well as the detection and remediation of API-related attacks such as API reverse engineering and the exploitation of API vulnerabilities.

Whether an application focuses on consumers, or anyone else, the client-side (mobile app or web app) interacts with the server-side via Application Programming Interface (API). APIs make it simple for a developer to create a client-side app. APIs enable microservice architectures as well.

An attack on API could include bypassing the client-side application to disrupt the operation of an application for other users or to compromise private information. API security is concerned with securing this application layer and addressing what might happen if a malicious hacker interacts with the API.

According to Infosecurity Outlook, “by 2023, API abuses will be the most common attack vector resulting in data breaches for enterprise web applications. To avoid these attacks, it is best to take a continuous approach throughout the API development and delivery cycle, designing security into APIs.”

Features of API Security

API security is concerned with securing the APIs that you expose directly or indirectly. API security is less concerned with the APIs you use that are provided by third parties, though analyzing outgoing API traffic, one can get valuable insights that can be used whenever possible.

It’s also worth noting that API security as a practice involves several teams and systems. API security includes network security concepts like rate limiting and throttling, as well as data security, identity-based security, and monitoring.

Technology advancements such as cloud services, API gateways, and integration platforms enable API providers to secure APIs in novel ways. The technology stack you use to build your APIs has an impact on, how secure they are.

Larger organizations have different departments, and they can develop their own applications using their own APIs. Large organizations also end up with multiple API stacks or API silos because of mergers and acquisitions.

As we know, API security requirements can be directly mapped to the technology of a single silo when all your APIs are contained within it. In the future, these security configurations should be portable enough to be extracted and mapped to another technology.

However, in heterogeneous environments, API security rules are typically defined using API security-specific infrastructure that operates across these API silos. The connectivity between API silos and API security infrastructure can be achieved by using the sidecars, sideband agents, and APIs integrated between cloud and on-premises deployments.

API Discovery

There are numerous barriers that prevent security operatives from having full visibility into all APIs exposed by their organization. API silos reduce API visibility by providing only a subset of APIs under disconnected governance.

API discovery is a tussle between API providers and hackers who will easily exploit the APIs once discovered. API traffic metadata can be used to locate APIs before they are discovered by attackers. This information is extracted from API gateways, load balancers, or directly inline network traffic, and then fed into a specialized engine that generates a useful list of APIs that can be compared to API management layer catalogues.

OAuth and API Access Control

To limit API resources to only those users who should be able to access them. The user, as well as any applications acting on their behalf, must be identified. This is typically accomplished by requiring client-side applications to include a token in API calls to the service, which can then validate that token and retrieve user information from it. OAuth is the standard that describes how a client-side application first obtains an access token. OAuth defines numerous grant types to accommodate different flows and user experiences.

API Data Governance and Privacy Protection

API leaks occur because data flows through APIs. As a result, API security must also include inspecting the structured data flowing into and out of your APIs and enforcing rules at the data layer.

Because data in your API traffic is structured predictably, enforcing data security by inspecting API traffic is an excellent choice for this task. API data governance, in addition to [yes/no] type rules, allows you to transform the data structured into your API traffic in real-time for redaction purposes. This pattern is commonly used to redact specific fields that may contain information that a user’s privacy settings dictate should be hidden from the requesting application.

API Threat Identification

API threat detection is a logical extension of general threat protection measures. APIs, for example, are frequently protected by a firewall, which provides some basic security. APIs are sometimes protected by a web application firewall (WAF). A WAF may scan API traffic to detect signature-based threats such as SQL injections and other injection attacks. API gateways also play a role in API-specific threat detection. A gateway may impose a strict schema on the way in as well as general input sanitization. In addition to acting as a policy enforcement point, it will look for deep nesting patterns, and XML bombs, and apply rate limits.

API Analytics and Behaviour

An AI engine can build models for what normal API traffic looks like using API traffic metadata and then use this model to look for anomalous behavior. These anomalies can aid in the detection of ongoing attacks, but they can also indicate system misbehaviors and other non-malicious disruptions to your services, such as friendly fire. Such a layer can pinpoint the source of this attack or misbehavior by analyzing API traffic metadata, and this information can then be used to cease the incident in progress and fix it.

Conclusion

APIs are highly regarded targets for malicious actors and are expected to become the primary attack. APIs require a dedicated approach to security and compliance due to the critical role they play in digital transformation and the access to internal sensitive data and systems they provide.

Read more articles:

What is API Security?

Noname Security and BlueFort Security Collaborate to Provide Proactive API Security

Noname Security, a leader in application programming interface (API) security and BlueFort Security, the UK’s largest provider of cybersecurity solutions, have announced a strategic partnership agreement. The Noname API Security Platform is the only solution that addresses all three pillars of API security: API Posture Management, API Runtime Security, and Secure API Software Development Life Cycle (SDLC).

VP EMEA at Noname Security, Dirk Marichal stated, “Partnering with BlueFort is an excellent fit for us given the team’s expertise as a cyber security partner providing valuable technical expertise and hands-on support to businesses across the UK. BlueFort’s service offerings are highly evolved and built upon solid skill sets and subject matter expertise, making the partnership a natural choice in a fast-moving technology area where users need guidance, thought leadership and innovation. The Noname API Security platform will help BlueFort customers mitigate risks, prevent attacks, and keep business APIs secure.” 

The strategic collaboration with Noname will add to BlueFort’s already extensive cybersecurity offerings, which are based on carefully chosen partnerships, intelligence, and knowledge to create innovative, end-to-end IT security solutions to protect BlueFort customers’ environments. The Noname API Security Platform will also provide API vulnerability scanning as part of BlueFort Evolve, a cyber-focused services package designed to provide enhanced support, additional incident response resources, and specialist technical and professional services to help internal IT teams improve their security posture.

Customers of BlueFort will have significant exposure to the Noname API Security Platform as part of the partnership agreement, which will allow them to proactively secure their environments against API security vulnerabilities, misconfigurations, and design flaws, as well as provide API attack protection with automated detection and response.

The Noname API Security Platform can connect to any environment and seamlessly interacts with an organization’s existing technological stack, in addition to addressing the whole API security scope. It is the only API security platform that supports both SaaS and on-premises deployments, as well as API testing before production, allowing customers to uncover risks early in the API software development lifecycle.

The CEO of Sales & Marketing at BlueFort Security, Dave Henderson, commented, “We are pleased to be able to offer BlueFort customers access to the most powerful, complete, and easy-to-use API security platform – both as a standalone solution and as part of our value-add BlueFort Evolve offering. IT discovery is now a top priority for CISOs, who are faced with securing an ever-expanding attack surface in an increasingly hostile global threat environment. Noname Security provides a complete view of API security and helps CISOs proactively secure their environments from vulnerabilities and misconfiguration. This strategic partnership reflects our shared ethos of providing innovative solutions that focus on addressing fast-evolving security challenges across all market sectors.”

ThreatX Collaborates with Distology

ThreatX enables enterprises to detect and respond to sophisticated threats to their APIs and web applications by combining AI and machine learning capabilities along with comprehensive managed services. ThreatX has announced a partnership with Distology which is a leading cloud security distributor in the United Kingdom and other European markets. ThreatX will be able to deliver its API protection platform and managed services at scale through this partnership with Distology. ThreatX will gain from Distology’s extensive outreach, knowledge, and strong relationships covering the United Kingdom, Ireland, and Benelux markets.

Dave Howell, CMO at ThreatX commented, “Distology will jumpstart ThreatX’s expansion into the U.K. and neighboring European markets. When choosing partners, Distology identifies and evaluates products that it considers to be ‘best of breed,’ and our solution meets, and exceeds, these criteria. We are thrilled to offer our solution in both new and existing markets as we continue to build upon our tremendous start to 2022.”

ThreatX’s success is strong and the partnership with Distology is evident of that, the company reported record-breaking growth in the first quarter of calendar 2022 alone, with record new business bookings and increased average revenue per customer. In addition, the company recently expanded and improved its API protection capabilities to provide customers with better protection and visibility into their API attack surface.

Billy Toomey, VP of Sales, ThreatX stated, “Distology is one of the most thoughtful and strategic security software distributors I’ve encountered. Rather than focus on transactional relationships, the Distology team builds deep, and meaningful, partnerships centered on solving customer problems, I’m excited for our partnership and believe this is truly a win-win for both companies, as Distology offers its partners the unique ability to help customers both identify and stop attacks on APIs in real-time.”

ThreatX’s API protection platform protects APIs from all threats, including DDoS attempts, bot attacks, API abuse, exploitation of known vulnerabilities, and zero-day attacks. ThreatX protects APIs for businesses in every industry around the world effectively and efficiently.

Read more articles:

API Security?

Cloud Security?