Identifies all published APIs – sanctioned and shadow – and alerts the organization to risk and compliance issues. June 24, 2020 webinar.
By Peter Kelley, Kelley Group Two
APIs introduce security problems that make it much easier for bad actors to attack enterprises by exploiting common mistakes routinely made during app development. That’s why APIs – which are used universally to simplify data sharing, system connectivity, delivery of new features, etc. – are increasingly a preferred conduit for cyber-attacks.
“Organizations typically spend more time focused on active attacks and breaches than they do assessing their code and environments for vulnerabilities and security gaps which are often hiding in plain sight. In most cases, they simply lack tools that can provide that level of visibility for APIs,” said Ed Amoroso, chief executive officer of TAG Cyber.
“API security is the fastest-growing segment of the security market today, but has been largely underserved by siloed point products that only address a part of the problem,” said Ameya Talwalkar, co-founder and chief product officer of Cequence Security.
API Sentinel from Cequence Security helps organizations find and better understand their API security issues. It provides continuous run-time API visibility, shadow API discovery, risk analysis, and conformance assessment in a single platform. It integrates with existing API management tools such as gateways and proxies, and provides the insight into API usage that’s needed to mitigate security vulnerabilities.
It reveals all of an organization’s published APIs – both sanctioned and shadow – including how and where they’re used, and the organization’s overall API risk exposure and potential API-related compliance concerns. Key capabilities include:
• Continuous Risk Scoring: Assesses and assigns a numeric risk factor for each API based on strength of authentication used, presence of PII, PCI or other sensitive data, detection of unencrypted communication, and non-conformance to the OpenAPI specification.
• Runtime API Catalog and Usage Analysis: Automatically discovers all APIs, including managed and shadow APIs. Analyzes API usage and access, including geolocation, IP addresses and organizations. Provides a view into headers, parameters, and response codes with flexible time-based filtering.
• Schema Non-conformance Detection: Performs a runtime comparison of your inventoried APIs against an OpenAPI specification to uncover and flag API endpoints, headers, parameters and response codes as non-conformant. Discovered out-of-spec elements can be addressed by development, effectively mitigating security risks before they reach production.
“API Sentinel fills a critical need so that security and development can collaborate to secure and protect today’s API-driven applications,” TAG Cyber’s Amoroso said.
Its “end-to-end approach ensures that API security can be clearly understood and actioned across development, security, operations, and compliance teams,” Talwalkar said.
“The Cequence team is committed to helping us enhance API security to protect our environments from potential bad actors. They helped bolster and protect our API security from all forms of risk. As a platform designed to drive long-term customer loyalty, we appreciate their dedication to help further protect the brands we serve,” said Ram Ravichandran, CTO of Narvar. More than 600 retailers and major brands use Narvar’s platform to engage customers throughout the pre-purchase, online and in-store customer journey and interactions across every touchpoint, including Web, Mobile, Email, SMS, Facebook Messenger, Google Assistant, Voice, etc.
For more on API attacks, see “Tales from the Front Lines: Attackers Target APIs with GET-Based ATOs”
To register for the Cequence Security June 24, 2020, 11 am PDT webinar on API Sentinel, go to: https://bit.ly/3fd3dHB
For a free trial of API Sentinel, visit: www.cequence.ai/api-sentinel.