
Cequence Security added API security testing to its API protection platform 

Cequence Security has expanded the testing capabilities of its Unified API Protection Platform with the addition of API Security Testing. This API Security Testing framework encourages shift-left efforts by providing security and development teams with the tools they need to quickly uncover and remediate API vulnerabilities in pre-production environments that could otherwise cause business disruption in production. 

Varun Kohli, CMO at Cequence Security stated, “Driven by the rapid rise in API exploits caused by coding errors, security and development teams are looking at ways to improve their API testing efforts without jeopardising their continuous development release cycles. 

API Security Testing complements our runtime compliance capabilities that detect security risks such as business logic abuse and OWASP API Top 10 risks in production APIs. With API Security Testing, teams can apply the same compliance and security checks to their build processes to detect compliance issues earlier in the development cycle for pre-production APIs.” 

API Security Testing enables security and development teams to incorporate continuous and automated testing of pre-production APIs into the development and release cycle. In scenarios where no API specifications exist, security teams can use real-time API traffic analysis to create baseline API specifications based on runtime traffic, eliminating the need to track down legacy API owners or create specifications from scratch. 

The following are some of the new offering’s key capabilities: 

Continuous integration (CI), continuous delivery (CD), and collaboration tool integration: Integrates with CI/CD tools such as GitLab, Azure DevOps, Jenkins, and Bamboo, allowing developers to run security tests against pre-production APIs and to detect and report security risks before code reaches production. 

Visualize results and fix test failures: Security and development teams can visualize results and drill down into details to better understand compliance issues in pre-production APIs. Summary reports enable results to be exported and shared with API owners and development teams for rapid test remediation and re-execution. 

Comprehensive OWASP API Top 10 risk detection: Detects security risks such as the OWASP API Top 10 as well as business logic risks such as the introduction of shadow APIs and the exposure of sensitive data. Administrators can customize sensitive data exposure and risk categories for different groups of APIs by industry vertical. Retail customers, for example, can create policies that explicitly look for credit card numbers, whereas automotive customers can monitor and prevent the exposure of vehicle identification numbers. 

Wallarm API Leak Management helps to detect API keys and secrets  

Wallarm has released the Wallarm API Leak Management solution, an improved API security technology designed to assist organizations in identifying and remediating attacks based on leaked API keys and secrets, as well as providing ongoing protection against hacks in the event of a leak. 

Ivan Novikov, CEO of Wallarm commented, “API keys and secrets are an essential part of enterprise applications, but they are also a common target for attackers since they provide direct access to the data and infrastructure. 

Our API Leak Management solution allows enterprise customers to automatically detect and block the use of leaked API keys, providing an additional layer of security for their data to reduce organizational risk.” 

In light of the recent surge in hacks involving leaked API keys and other API secrets, Wallarm created the API Leak Management solution to provide a comprehensive solution to this problem by automatically detecting leaked API keys and secrets, implementing controls to prevent their use, and protecting against any subsequent attacks. 

This prevents unauthorized access to sensitive data within enterprise organizations while also protecting internal operations and end users from unauthorized use of that data. 

Wallarm’s proactive API leak management solution prioritizes automated detection, remediation, and control via a three-pronged approach: 

Detect: Wallarm automatically scans public sources for leaked API secrets, which hackers can find and exploit in less than a minute. 

Remediate: Wallarm immediately blocks requests that use compromised API secrets across the entire API portfolio, regardless of protocol. 

Control: Wallarm also monitors and prevents the use of leaked API secrets in the future. 

The Wallarm API Leak Management solution is integrated with other Wallarm capabilities such as API Discovery, API Threat Prevention, and Cloud-Native WAAP. The Wallarm API Security Platform provides customers with full-spectrum visibility, detection, and protection across their entire web application and API portfolio, regardless of protocol or environment. This reduces tool sprawl and costs while improving risk management and fostering innovation. 

Synack launched API pentesting capability  

Synack has launched an API pen testing capability, supported by its global community of elite security researchers. Organizations can now rely on the Synack platform for continuous pen-testing coverage across “headless” API endpoints, which have no user interface of their own and are therefore easily missed by UI-driven testing, leaving them exposed to attackers. 

Peter Blanks, Chief Product Officer at Synack stated, “Many organizations are struggling to find the top-tier cyber talent needed to root out API-specific vulnerabilities. We’re excited to extend our Synack platform to provide human-powered offensive security testing on APIs.” 

Synack’s headless API capability builds on years of pentesting the APIs behind web and mobile applications. Customers can now supply API documentation to guide testing scope and coverage through the new platform features. The Synack Red Team then attempts to exploit API endpoints in the manner of a real external adversary. 

For API engagements, only Synack Red Team members with proven API testing skills are activated, which reduces noise. In 2022, Synack’s Special Projects division conducted over 100 pentests against headless APIs, providing customers with proof-of-coverage reports while validating researchers’ API expertise. 

Mark Kuhr, CTO and co-founder of Synack and a former National Security Agency cybersecurity expert, commented, “Synack’s human-led, adversarial approach is ideal for testing APIs that form the backbone of society’s digital transformation. We are thrilled to offer customers a unique, scalable way to secure this growing area of their attack surfaces.” 

Vulnerability submissions and testing reports are routed through Synack’s Vulnerability Operations team for a thorough vetting process before being displayed in the platform, minimizing false positives, and ensuring high-quality results. 

Read More : API Security Should Be Your Priority in 2022

Authomize expanded its REST API framework

Authomize announced the expansion of its REST API framework to enable customers to build their own custom connectors to their cloud and homegrown applications and services in a couple of hours. With the help of Authomize’s Software-as-a-Service (SaaS) solution, businesses can automatically secure access rights across every cloud service they use, including IaaS, SaaS, and IAM solutions. 

Guy Katzir, Head of Product at Authomize stated, “Authomize’s exceedingly granular connectors allow us to provide in-depth visibility into the most complex IAM permission models, including users, groups, roles, access privileges, assets, and activity. Our ability to map and understand the hierarchy structures within assets and groups gives customers the fine-grained insights they need to apply the most effective identities and access security controls and perform the most thorough incident investigations. 

We are already seeing customers using the REST API to build integrations to Coupa, Workday, Zuora, Chef, NetSuite, Tenable.io, and more. They are using these connectors to get the same high level of IAM permission modeling and depth of visibility value that we provide for our native connectors. Our new framework enables them to perform all functions they look to Authomize for, from running accurate streamlined User Access Reviews to enforcing security policies with continuous monitoring.” 

Authomize ingests, normalizes, and analyzes identity and access data from any cloud, on-premises, or custom application or service using native connectors, REST APIs, SCIM connectors, and a file uploader. On that foundation, Authomize derives insight into effective access paths that would otherwise be hidden by the proliferation of IAM structures and siloed environments across multiple clouds. To let users connect more of their applications and services with the same granularity and coverage as the native connectors, Authomize has released a new version of its API. 

Businesses can integrate Authomize with every component of their security infrastructure, including the top SIEMs, SOARs, and ITSMs, using the new REST API. 

Along with the recently released APIs, users can now take advantage of new webhook functionalities to automate access privilege revocation directly through Okta, send alerts to security orchestration tools like Microsoft Sentinel, and open tickets in ServiceNow and Jira, enhancing the value of the rest of their tooling ecosystem with Authomize’s identity and access data enrichment. 

Authomize has also expanded its integrations to include the Identity Providers (IdPs) OneLogin and JumpCloud, as well as BambooHR and Delinea’s Secret Server; the Secret Server integration tracks users between Secret Server and AWS, helping clients locate stale accounts and secrets. 


DataMotion introduced DataMotion No-Code Experience

DataMotion introduced the DataMotion No-Code Experience for mobile applications and portals. It offers a more user-friendly way to access the DataMotion platform, a response to current market conditions and the resourcing limitations faced by enterprise and healthcare development teams. 

The No-Code Experience is delivered as a web component, with the goal of providing a simple and secure customer experience that requires few or no development resources. Customers drop the No-Code web component into their responsive webpage by making a few settings changes in an intuitive user interface and copying the generated code snippet. This creates a personalized, secure message center inside the customer’s mobile app or portal. Customers using the No-Code Experience can configure the web component to suit their particular use case. 

Bob Janacek, CEO of DataMotion commented, “DataMotion provides APIs and pre-built solutions so that our customers can introduce and enhance their secure exchange workflows where they need it. Currently, our API-first approach requires customers to develop their user interface to call our platform. But in looking at market conditions, it is obvious that the impact of the ‘Great Resignation’ has stretched our customers’ development resources too thin. The team at DataMotion stepped back, reimagined how we can deliver services to our customers, and concluded that our best approach was to develop the No-Code Experience. This experience brings the solution to market quickly, and results in compliance win immediately.” 

The enterprise portal’s features have been carefully carried over into the web component’s design. The component inherits the customer’s CSS and branding, with custom colors set in the settings screen, for a fully responsive solution, and the customer retains complete control over what users see on the screen. The DataMotion No-Code Experience is integrated with enterprise single sign-on (SSO) providers, which makes deployment even easier. 

“This solution allows us to simplify the use of DataMotion’s platform where it is needed, without the enterprise having to build the UI. We deliver secure content exchange to the customer’s website, mobile site, and anywhere it is needed,” Janacek continued. 


ArmorCode Partners with Traceable AI!

ArmorCode, the industry leader in AppSecOps, has partnered with Traceable AI, the leading API security and observability firm, to improve application security posture from code to cloud. Modern applications increasingly rely on APIs to deliver functionality at the speed of business. 

The problem is that every new API must be protected, and as the number of APIs in use rises and new apps are constantly launched, it becomes harder for businesses to keep track of which APIs are in use. With this integration, ArmorCode customers can track the usage of their APIs and identify malicious users within the context of their overall application security posture. 

Upendra Mardikar, Chief Security Officer of Snap Finance said, “Agile DevOps, Cloud Deployment, Microservices, API adoption, and Open Source have all dramatically accelerated application delivery and application risk posture. ArmorCode’s platform provides us with a unified visibility into applications, microservices, and automates complex DevSecOps workflows. Traceable AI solves for us one of the biggest problems security teams face, which is distinguishing between valid and malicious use of an application’s APIs. The ArmorCode and Traceable AI combination helps us do this at a fraction of the cost and time.” 

“The broad use of APIs in cloud-native applications has greatly expanded the attack surface for enterprises. Traceable monitors end-to-end application activity, from the user and session all the way through the application code. Traceable’s integration with ArmorCode simplifies AppSec and development teams’ workflows, removing friction between these teams to further accelerate the delivery of secure APIs,” said Jyoti Bansal, CEO and Co-founder of Traceable AI. 

ArmorCode offers a full range of services to help businesses address a continuously growing attack surface. Companies can only safeguard what they can see, and in the present climate it is essential to invest in a number of solutions to acquire the insight required to manage security threats rigorously. With over 130 pre-built integrations that interface with the ArmorCode AppSecOps platform, ArmorCode can serve as the central hub for these products. 


Traceable AI Enhances its Security Platform to Improve Observability and Visibility

Traceable AI, a context-aware API security platform, recently added extended Berkeley Packet Filter (eBPF) data collection to its platform. Without additional instrumentation or added latency, Traceable AI helps CISOs, DevSecOps, and DevOps teams improve their organizations’ API security posture by providing deeper observability and visibility into APIs.

Traceable AI, an API security platform built on years of experience in distributed tracing and observability, delivers automatic and continuous API discovery, blocks API attacks, and offers actionable intelligence for threat hunting and security decisions. Beyond identifying APIs, Traceable assesses API risk posture, blocks API attacks that lead to incidents such as data exfiltration, and offers analytics for threat hunting and forensic investigation. With its latest release, businesses of any size can identify, manage, and secure their APIs.

eBPF is a Linux kernel technology that lets sandboxed programs run inside the kernel without changing kernel source code, loading kernel modules, or instrumenting the application. Traceable AI uses it to collect request-level data directly from the application environment; combined with Traceable AI’s existing analysis, this gives customers observability and visibility into every API activity.

“Traceable is the first API security vendor that captures API security-related data from application environments using eBPF within its platform. eBPF is critical for the most efficient API security at scale and is especially important for businesses with high-performance security requirements. Think of it as a [web]space telescope, giving companies unprecedented views into their APIs without performance drawbacks. Leading with innovation, our focus has always been on observability, and this move continues to drive our leadership”, said Sanjay Nagaraj, co-founder and CTO of Traceable AI.


ThreatX Introduced Quick Start Program for API Protection

ThreatX has introduced the API Protection Quick Start Program, which is designed to aid organizations in better protecting their APIs by quickly deploying real-time protection against botnet, DDoS, and complex, multi-mode attacks.

APIs are a gold mine for attackers because they allow applications to share data and are increasingly used to streamline communication between consumers and business partners. API adoption has outpaced security teams’ ability to protect against threats, leaving the connected systems exposed. While some vendor offerings claim to provide complete API security, they frequently lack bot protection and real-time blocking capabilities, leaving customers exposed to threats.

Billy Toomey, Vice President of Sales at ThreatX commented, “We’ve seen firsthand that security teams are struggling to understand how to protect their organization’s APIs against real-time threats, and they’re often trying to do so with scarce time, resources, and human power. We’re thrilled to launch this program, and are confident it will empower small, midsized, and enterprise customers to begin building their API security programs with the full support of ThreatX SOC.”

The ThreatX Quick Start program helps businesses get started with API protection by allowing them to build their API security program without overextending their own resources. The program provides real-time monitoring and blocking of API attacks, offering protection without additional tools or attack data that must be analyzed after the fact. The fully managed program gives customers support from the ThreatX Security Operations Center (SOC), which offers 24/7 coverage and expertise.


Neosec Launched ShadowHunt For API Security

Neosec launched ShadowHunt, a managed threat hunting service staffed by experts, to supplement its platform with human oversight from active threat hunters to identify the most hidden and obfuscated API abuse. Neosec’s SaaS platform discovers all APIs, analyzes their behavior, audits risk, and eliminates threats lurking within. It brings together security and development teams to protect modern applications at scale from threats.

Neosec applies threat hunting techniques like those used in EDR and XDR to API security. ShadowHunt provides security teams with the assurance that API security experts are investigating unusual behavior on their API estate.

Giora Engel, co-founder, and chief executive officer of Neosec stated, “The increasing potential for insiders or attackers to utilize business APIs for criminal or malicious gain requires a new level of scrutiny and sophistication. The new ShadowHunt service augments our platform with an expert team to monitor API usage and hunt for fraud, abuse, or critical vulnerabilities without any drain on an organization’s existing security team.”

Organizations can manage the growing risk of manipulation, theft, and misuse of core business systems, assets, and data by combining the ShadowHunt service with the Neosec cloud-based platform. Because APIs are increasingly used to connect important business systems to customers, suppliers, and partners, the service is ideal for companies where security teams are understaffed or lack the expertise required to identify threats in business API traffic.

The Neosec platform addresses API vulnerabilities by automatically and continuously identifying all APIs in use by a company, assessing their risk posture, and monitoring for behavioral anomalies that could indicate data theft or other misuse. Most businesses do not have a complete API inventory, let alone an understanding of what typical API usage looks like. The ShadowHunt service now supplements the Neosec platform with a team of experts who respond quickly to findings, investigate potential threats, and recommend immediate remediation and actions.

The ShadowHunt service and the Neosec platform work together to provide a quick way to incorporate full monitoring and investigation of anomalous business API usage without interfering with existing security operations or team workload. The combination can quickly and transparently add protection against vulnerability exploits and API business abuse.


API Security Should Be Your Priority in 2022

API security is the application of security best practices to APIs, which are the connective tissue of modern applications. It encompasses API access control and privacy, as well as the detection and remediation of API-related attacks such as API reverse engineering and the exploitation of API vulnerabilities.

Whatever audience an application serves, its client side (a mobile app or web app) talks to the server side through an Application Programming Interface (API). APIs make it simple for a developer to build a client-side app, and they are what make microservice architectures possible.

An attack on an API typically bypasses the client-side application altogether and calls the API directly, either to disrupt the service for other users or to obtain private information. API security is concerned with securing this application layer and with what happens when a malicious actor interacts with the API directly rather than through the intended client.

According to Infosecurity Outlook, “by 2023, API abuses will be the most common attack vector resulting in data breaches for enterprise web applications. To avoid these attacks, it is best to take a continuous approach throughout the API development and delivery cycle, designing security into APIs.”

Features of API Security

API security is concerned with securing the APIs that you expose, directly or indirectly. It is less concerned with the third-party APIs you consume, although analyzing outgoing API traffic can yield valuable insights and should be done wherever possible.

It’s also worth noting that API security as a practice involves several teams and systems. API security includes network security concepts like rate limiting and throttling, as well as data security, identity-based security, and monitoring.

Technology advancements such as cloud services, API gateways, and integration platforms enable API providers to secure APIs in new ways. The technology stack you use to build your APIs has a direct impact on how secure they are.

Larger organizations have different departments, and they can develop their own applications using their own APIs. Large organizations also end up with multiple API stacks or API silos because of mergers and acquisitions.

When all of your APIs live in a single silo, API security requirements can be mapped directly onto that silo’s technology. Going forward, these security configurations should be portable enough to be extracted and mapped onto another technology.

In heterogeneous environments, however, API security rules are typically defined in API security-specific infrastructure that operates across these API silos. Connectivity between the API silos and the API security infrastructure can be achieved with sidecars, sideband agents, and API integrations between cloud and on-premises deployments.

API Discovery

Numerous barriers prevent security teams from having full visibility into all the APIs their organization exposes. API silos reduce API visibility by placing subsets of APIs under disconnected governance.

API discovery is a race between API providers and attackers, who will exploit an exposed API as soon as they find it. API traffic metadata can be used to locate APIs before attackers do. This metadata is extracted from API gateways, load balancers, or inline network traffic, and fed into a specialized engine that generates a list of observed APIs which can then be compared against the API management layer’s catalogues; anything observed but not catalogued is a shadow API.
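Both the traffic-derived baseline specification described in the Cequence item earlier on this page and the metadata-driven discovery described here come down to the same step: collapsing raw request paths into endpoint templates and diffing them against the declared catalogue. The following Python is an added example written for this page, not code from any vendor named here. The log lines and the catalogue are constructed, and the two identifier styles it collapses (integers and UUIDs) are an assumption about the path conventions; real traffic usually needs a few more patterns.

```python
import re
from collections import defaultdict

# Constructed sample: "METHOD path status" per line, as a gateway or load balancer might log it.
SAMPLE_LOG = """\
GET /api/v1/users/1001 200
GET /api/v1/users/1002 200
GET /api/v1/users/1003/orders 200
POST /api/v1/orders 201
GET /api/v1/orders/7f3c0b2e-3e9a-4b1e-9f0a-2a1c1d2e3f40 200
GET /api/v2/users/1001 200
DELETE /internal/debug/cache 200
GET /api/v1/users/1001/export?format=csv 200
GET /api/v1/users/1004 404
"""

# Constructed catalogue of what the API management layer believes is exposed.
CATALOGUE = {
    ("GET", "/api/v1/users/{id}"),
    ("GET", "/api/v1/users/{id}/orders"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Assumption: path parameters are plain integers or UUIDs; extend for other id styles.
_NUMERIC = re.compile(r"^\d+$")
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def template_path(path: str) -> str:
    """Collapse identifier segments to {id} so /users/1001 and /users/1002 count as one endpoint."""
    path = path.split("?", 1)[0]  # query strings are not part of the endpoint identity
    return "/".join("{id}" if _NUMERIC.match(seg) or _UUID.match(seg) else seg
                    for seg in path.split("/"))


def parse_log(text: str):
    """Yield (method, path, status) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            method, path, status = line.split()
            yield method, path, int(status)


def build_inventory(log_text: str) -> dict:
    """Observed endpoints with hit counts. 404s are dropped: they are probes, not served endpoints."""
    inventory = defaultdict(int)
    for method, path, status in parse_log(log_text):
        if status != 404:
            inventory[(method, template_path(path))] += 1
    return dict(inventory)


def shadow_endpoints(inventory: dict, catalogue: set) -> list:
    """Endpoints serving traffic that the catalogue does not know about."""
    return sorted(set(inventory) - catalogue)


def unused_declared(inventory: dict, catalogue: set) -> list:
    """Declared endpoints with no observed traffic: candidates for retirement or stale docs."""
    return sorted(catalogue - set(inventory))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for method, tmpl in shadow_endpoints(inv, CATALOGUE):
        print(f"shadow API: {method} {tmpl} ({inv[(method, tmpl)]} hits)")
```

On the constructed log this surfaces three endpoints the catalogue never declared: a v2 of the users resource, an export sub-resource, and an internal debug endpoint reachable from the same edge. The 404 line is deliberately excluded so that attacker probing does not pollute the inventory with endpoints that do not exist.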

OAuth and API Access Control

To limit API resources to only those users who should be able to access them, both the user and any application acting on their behalf must be identified. This is typically accomplished by requiring client-side applications to include a token in each API call; the service then validates the token (its signature, expiry, intended audience, and granted scopes) and retrieves user information from it. OAuth 2.0 is the authorization framework that describes how a client-side application first obtains an access token, and it defines numerous grant types to accommodate different flows and user experiences.
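The resource-server side of that flow, as an added example written for this page rather than code from any product described here: it issues and then validates a JWT-style access token using only the Python standard library. Everything here is an assumption for self-containment: the token is HMAC-SHA256 signed with a shared secret (production deployments more commonly use an asymmetric algorithm and the authorization server’s public keys), and the claim names, audience and scope strings are constructed. The point it makes is the order of checks: pin the algorithm, verify the signature before trusting any claim, then check expiry, audience and scope on every call.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Any reason a token must be refused; the API maps this to HTTP 401/403."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, claims: dict) -> str:
    """Stand-in for the authorization server: issues an HS256 JWT over the given claims.
    Assumption: a shared HMAC secret between issuer and API (asymmetric keys are more typical)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_token(token: str, secret: bytes, audience: str, required_scope: str, now=None) -> dict:
    """Resource-server side: verify signature, expiry, audience and scope before serving the call."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise TokenError("undecodable header or signature")
    # Pin the algorithm the server expects; never let the token's own header pick the verifier
    # (this is what blocks alg=none and HMAC/RSA confusion attacks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))  # parsed only after the signature holds
    except (ValueError, binascii.Error):
        raise TokenError("undecodable claims")
    if not isinstance(claims, dict):
        raise TokenError("claims must be an object")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("expired or missing exp")
    if claims.get("aud") != audience:
        raise TokenError("token not issued for this API")
    if required_scope not in str(claims.get("scope", "")).split():
        raise TokenError("insufficient scope")
    return claims


def is_valid(token: str, secret: bytes, audience: str, required_scope: str, now=None) -> bool:
    """Yes/no form of validate_token for policy enforcement points."""
    try:
        validate_token(token, secret, audience, required_scope, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    tok = mint_token(secret, {"sub": "alice", "aud": "orders-api", "scope": "orders:read", "exp": time.time() + 300})
    print(validate_token(tok, secret, "orders-api", "orders:read")["sub"])
```

Note that `aud` is checked as well as the signature: a token minted for a different API by the same issuer is still correctly signed, and without the audience check it would be accepted here.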

API Data Governance and Privacy Protection

Data leaks through APIs because that is where the data flows. API security must therefore also include inspecting the structured data flowing into and out of your APIs and enforcing rules at the data layer.

Because the data in your API traffic is structured predictably, enforcing data security by inspecting API traffic is a natural fit. API data governance, in addition to allow/deny rules, lets you transform the structured data in your API traffic in real time for redaction purposes. This pattern is commonly used to redact specific fields that may contain information that a user’s privacy settings say should be hidden from the requesting application.
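The redaction transform described above, as an added example written for this page and not code from any vendor named here. It walks a JSON response, blanks whole fields named in a policy (the union of a vertical policy such as the credit-card or VIN examples in the Cequence item and the user’s own privacy settings), and masks card numbers that appear inside free-text values, using a Luhn check so that arbitrary 13- to 19-digit strings such as tracking numbers are left alone. The response document, policies and field names are constructed.

```python
import re

REDACTED = "[REDACTED]"

# Constructed policies: a per-vertical field list plus what one user's privacy settings hide.
RETAIL_POLICY = {"ssn"}
AUTOMOTIVE_POLICY = {"vin"}
USER_PRIVACY_HIDDEN = {"email"}

# Constructed response from a hypothetical GET /orders/{id}; not real data.
SAMPLE_RESPONSE = {
    "id": 1001,
    "customer": {"name": "A. Example", "email": "a@example.test", "ssn": "123-45-6789"},
    "payment": {"card": "4111 1111 1111 1111", "note": "paid with card 5500 0000 0000 0004"},
    "vehicle": {"vin": "1HGCM82633A004352"},
    "items": [{"sku": "X1", "qty": 2}],
    "tracking": "1234567890123",
}

# 13 to 19 digits, optionally separated by single spaces or dashes, starting and ending on a digit.
CARD_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out numeric strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_cards(text: str) -> str:
    """Mask every Luhn-valid card number in free text, keeping separators and the last four digits."""
    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw
        seen, out = 0, []
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen > len(digits) - 4 else "*")
            else:
                out.append(ch)
        return "".join(out)
    return CARD_CANDIDATE.sub(_mask, text)


def redact(obj, hidden_fields: set):
    """Return a copy of a decoded JSON document with policy fields blanked and card numbers masked."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k in hidden_fields else redact(v, hidden_fields)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, hidden_fields) for v in obj]
    if isinstance(obj, str):
        return mask_cards(obj)
    return obj  # numbers, booleans, null pass through unchanged


if __name__ == "__main__":
    policy = RETAIL_POLICY | AUTOMOTIVE_POLICY | USER_PRIVACY_HIDDEN
    print(redact(SAMPLE_RESPONSE, policy))
```

Masking by field name and scanning values are complementary: the `card` field would be caught by a name-based policy, but the card number someone typed into the free-text `note` would not, and that is exactly the kind of leak value scanning exists for.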

API Threat Identification

API threat detection is a logical extension of general threat protection measures. APIs, for example, are frequently placed behind a firewall, which provides some basic protection, and sometimes behind a web application firewall (WAF). A WAF can scan API traffic for signature-based threats such as SQL injection and other injection attacks. API gateways also play a role in API-specific threat detection: a gateway can impose a strict schema on inbound requests as well as general input sanitization. In addition to acting as a policy enforcement point, it can look for deep nesting patterns and XML bombs and apply rate limits.
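The gateway-side checks just listed, as an added example written for this page and not code from any gateway product: a per-client token-bucket rate limit, a body size cap, a nesting-depth limit computed in one linear pass before the JSON parser ever sees the body (a parser that recurses is itself the target of a deeply nested payload), and a strict schema that rejects unknown fields, which is what stops mass-assignment of fields like `is_admin`. The order matters: the cheapest checks run first and parsing runs last. The schema, limits and request bodies are constructed; XML bomb handling is out of scope here because this example only speaks JSON.

```python
import json
import time


class RequestRejected(Exception):
    """Carries a short reason; the gateway answers 400 or 429 and never forwards the request."""


MAX_BODY_BYTES = 64 * 1024   # assumed limits; tune per endpoint
MAX_NESTING = 8

# Constructed strict schema for a hypothetical POST /orders: field -> exact Python type.
ORDER_SCHEMA = {"sku": str, "qty": int, "note": str}
ORDER_REQUIRED = {"sku", "qty"}


def nesting_depth(raw: str) -> int:
    """Deepest bracket nesting, from a single pass that skips string literals, so it is safe
    to run on untrusted input before json.loads (which recurses and can fail on deep bodies)."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def validate_order(body) -> dict:
    """Strict schema: reject unknown fields (mass assignment), missing fields and wrong types."""
    if not isinstance(body, dict):
        raise RequestRejected("body must be a JSON object")
    unknown = set(body) - set(ORDER_SCHEMA)
    if unknown:
        raise RequestRejected(f"unknown fields: {sorted(unknown)}")
    missing = ORDER_REQUIRED - set(body)
    if missing:
        raise RequestRejected(f"missing fields: {sorted(missing)}")
    for field, value in body.items():
        # type() rather than isinstance(): bool is a subclass of int and must not pass as qty
        if type(value) is not ORDER_SCHEMA[field]:
            raise RequestRejected(f"{field}: expected {ORDER_SCHEMA[field].__name__}")
    if not 1 <= body["qty"] <= 1000:
        raise RequestRejected("qty out of range")
    return body


class TokenBucket:
    """Per-client token bucket: up to `burst` requests at once, refilled at `rate` per second."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._state = {}  # client -> (tokens, last_seen)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[client] = (tokens, now)
            return False
        self._state[client] = (tokens - 1, now)
        return True


class Gateway:
    """Policy enforcement point for the constructed /orders endpoint."""

    def __init__(self, rate: float = 5.0, burst: int = 10):
        self.limiter = TokenBucket(rate, burst)

    def admit(self, raw_body: str, client: str, now=None):
        """Return (True, parsed_body) or (False, reason). Cheapest checks first, parse last."""
        now = time.time() if now is None else now
        try:
            if not self.limiter.allow(client, now):
                raise RequestRejected("rate limit exceeded")
            if len(raw_body.encode()) > MAX_BODY_BYTES:
                raise RequestRejected("body too large")
            if nesting_depth(raw_body) > MAX_NESTING:
                raise RequestRejected("nesting too deep")
            try:
                body = json.loads(raw_body)
            except ValueError:
                raise RequestRejected("invalid JSON")
            return True, validate_order(body)
        except RequestRejected as exc:
            return False, str(exc)
```

A WAF signature would not catch any of the rejected requests below; they are well-formed JSON that is simply wrong for this endpoint, which is why schema enforcement belongs at the gateway rather than in a generic filter.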

API Analytics and Behaviour

An analytics engine can build a model of what normal API traffic looks like from API traffic metadata and then use that model to look for anomalous behavior. These anomalies can reveal ongoing attacks, but they can also indicate system misbehavior and other non-malicious disruptions to your services, such as friendly fire from a misconfigured internal client. By analyzing API traffic metadata, such a layer can pinpoint the source of the attack or misbehavior, and that information can then be used to stop the incident in progress and fix the underlying cause.
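The baseline-then-anomaly loop described above, as an added example written for this page rather than any vendor’s engine. It aggregates request metadata per client, endpoint and one-minute window, derives a per-endpoint baseline (the median per-client request count, so one abusive client cannot inflate its own baseline), and then reports clients whose window departs from it by volume, by the number of distinct object identifiers touched (enumeration of `/users/{id}`), or by error ratio (probing for records that do not exist). Each finding names the client, endpoint and window, which is the information needed to block or fix the source. The traffic rows are constructed, the thresholds are assumptions to tune per API, and the rows already carry a templated endpoint, which in practice comes from the discovery step.

```python
import statistics
from collections import defaultdict

WINDOW_SECONDS = 60


def constructed_traffic():
    """Constructed sample, not real traffic: rows of (ts, client, endpoint, object_id, status).
    Five well-behaved clients read three user records per minute; one client walks the id space."""
    rows = []
    for minute in range(3):
        for c in range(5):
            for i in range(3):
                rows.append((minute * 60 + c * 10 + i, f"c{c}", "GET /api/v1/users/{id}",
                             str(1000 + c * 3 + i), 200))
    for i in range(60):  # minute 1: ids 1..60 in order, every second one does not exist
        rows.append((60 + i, "c-bad", "GET /api/v1/users/{id}", str(i + 1), 200 if i % 2 == 0 else 404))
    return rows


def aggregate(rows):
    """Per (client, endpoint, window): request count, distinct object ids touched, error count."""
    agg = defaultdict(lambda: {"n": 0, "ids": set(), "errors": 0})
    for ts, client, endpoint, object_id, status in rows:
        cell = agg[(client, endpoint, ts // WINDOW_SECONDS)]
        cell["n"] += 1
        cell["ids"].add(object_id)
        cell["errors"] += status >= 400
    return agg


def baseline(agg):
    """What 'normal' looks like per endpoint: the median per-client, per-window request count."""
    per_endpoint = defaultdict(list)
    for (_client, endpoint, _window), cell in agg.items():
        per_endpoint[endpoint].append(cell["n"])
    return {endpoint: statistics.median(counts) for endpoint, counts in per_endpoint.items()}


def detect(rows, burst_factor=5, min_distinct_ids=20, max_error_ratio=0.3):
    """Findings that name the client, endpoint and window so the source can be acted on.
    Thresholds are assumptions: 5x the median rate, 20 distinct ids, 30% errors in a window."""
    agg = aggregate(rows)
    base = baseline(agg)
    findings = []
    for (client, endpoint, window), cell in sorted(agg.items()):
        common = {"client": client, "endpoint": endpoint, "window": window}
        if cell["n"] >= burst_factor * max(base[endpoint], 1):
            findings.append({**common, "reason": "burst", "value": cell["n"]})
        if len(cell["ids"]) >= min_distinct_ids:
            findings.append({**common, "reason": "enumeration", "value": len(cell["ids"])})
        if cell["n"] >= 10 and cell["errors"] / cell["n"] > max_error_ratio:
            findings.append({**common, "reason": "error_ratio", "value": cell["errors"] / cell["n"]})
    return findings


if __name__ == "__main__":
    for finding in detect(constructed_traffic()):
        print(finding)
```

The same three signals fire for a broken internal batch job as for a scraper, which is the point made above about friendly fire: the engine identifies the source, and a human decides whether to block it or fix it.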

Conclusion

APIs are prized targets for malicious actors and are expected to become the primary attack vector. Because of the critical role they play in digital transformation and the access they provide to sensitive internal data and systems, APIs require a dedicated approach to security and compliance.
