Just as a User Interface (UI) is how a human user and software interact, an Application Programming Interface (API) is how a software component or system interacts with other software components or systems. It defines how other components or systems can use it. It describes the kinds of calls or requests that can be made, how to make them, the data formats that should be used, and the conventions to follow. The API describes and prescribes expected behavior.
The development and use of APIs are rapidly multiplying. In July 2019, ProgrammableWeb’s Wendell Santos wrote, “The ProgrammableWeb directory eclipsed the 22,000-API mark in June 2019, and this milestone gives us a chance to look at what the data can tell us about the API economy. Since 2005, we’ve seen APIs grow from a curiosity to a trend, and now to the point where APIs are core to many businesses. APIs have provided tremendous value to countless organizations and developers, which is reflected in their continued growth.”
Many of today’s most popular consumer and enterprise apps, such as PayPal, Airbnb, and Uber, have third-party APIs and developer services running in the background. No longer seen as a temporary fix, these APIs are the foundation on which many multi-billion-dollar enterprises have built their businesses. They are used to facilitate everything from SMS and email to payments and location-based services.
Like any technology, APIs introduce their own unique security challenges. The question is how to integrate security into your application infrastructure and protect company public-facing websites, web applications, and mobile applications from automated attacks, account takeovers, and fake account creation.
While there are a growing number of tools designed to help mitigate application security risks, this post will highlight a company focused on delivering highly automated application security software solutions for today’s hyper-connected organizations, Cequence Security.
Founded in 2014 and based in Sunnyvale, CA, Cequence is a venture-backed startup. The Cequence Security leadership team previously contributed to the growth and success of Palo Alto Networks and Symantec.
Brilliance Security Magazine sat down with Matt Keil, Director of Product Marketing at Cequence, to learn more about what they do, how they do it, and what’s next for them.
Cequence describes the threats they address, stating that the web, mobile, and API-based apps that power organizations are also targets for relentless cyberattacks. These include automated bot attacks focused on business logic abuse (such as credential stuffing, site scraping, fake account creation, and more), as well as targeted attacks designed to exploit both known and unknown application vulnerabilities.
Cequence Security stops these attacks with an AI-powered, container-based software platform that can be easily deployed on-premises or in the cloud, wherever your apps need to be protected.
Matt told us, “We look at our customer’s web or application traffic and use machine learning algorithms to look for patterns of automation to determine if it is malicious. While doing this, we mustn’t introduce additional friction to the user experience.
“We collect telemetry and look at the patterns within the traffic. We watch for underlying behavior characteristics that may indicate potentially malicious traffic. We look for indicators such as the use of an old version of a browser, the use of a headless browser that may be more applicable for development purposes or is commonly used for malicious purposes, or the use of an older version of the API. We also look at where the traffic is coming from. We factor in traffic volume and speed to determine if it is reasonable to believe that a human is entering the data.
“From our analytics, we provide our customers a confidence score of zero to 100 – with zero indicating a high probability of legitimate traffic and 100 indicative of malicious behavior. Our customers can then take the appropriate action, such as blocking the traffic or just monitoring it. Or, maybe they want to rate limit traffic from some sources.
“In some cases, our customers may choose to send a deceptive response indicating to the attacker that they were successful, therefore potentially limiting movement of the malicious traffic to alternate interfaces.
“Our solution is customizable. There are over 150 different automation indicators predefined in the product. These can be customized based on the customer’s environment. A retail customer may have very different requirements than a financial services customer.”
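The kind of indicator-based scoring described in the interview can be sketched as follows. This is an added example, not Cequence's code or algorithm: the indicator names, weights, thresholds, and sample telemetry are all assumptions constructed for illustration.

```python
import re

# Weights and thresholds are assumptions for illustration, not vendor values.
WEIGHTS = {"headless": 35, "old_browser": 15, "old_api": 15,
           "flagged_source": 15, "inhuman_rate": 40}
MIN_BROWSER_MAJOR, CURRENT_API, MAX_HUMAN_RPS = 100, "v3", 2.0
FLAGGED_PREFIXES = ("203.0.113.",)  # documentation range standing in for a reputation feed

def peak_rate(timestamps, window=5.0):
    """Highest requests-per-second observed in any sliding window."""
    ts, lo, best = sorted(timestamps), 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best / window

def indicators(reqs):
    """Return the set of automation indicators seen in one client's requests."""
    hits = set()
    for _, _, ua, api, ip in reqs:
        if "HeadlessChrome" in ua:
            hits.add("headless")
        m = re.search(r"Chrome/(\d+)", ua)
        if m and int(m.group(1)) < MIN_BROWSER_MAJOR:
            hits.add("old_browser")
        if api != CURRENT_API:
            hits.add("old_api")
        if ip.startswith(FLAGGED_PREFIXES):
            hits.add("flagged_source")
    if peak_rate([r[1] for r in reqs]) > MAX_HUMAN_RPS:
        hits.add("inhuman_rate")
    return hits

def triage(log):
    """Map client id -> (score 0..100, action, indicators); 0 = likely legitimate."""
    by_client = {}
    for r in log:
        by_client.setdefault(r[0], []).append(r)
    out = {}
    for cid, reqs in by_client.items():
        hits = indicators(reqs)
        score = min(100, sum(WEIGHTS[h] for h in hits))
        action = "block" if score >= 70 else "rate_limit" if score >= 30 else "monitor"
        out[cid] = (score, action, sorted(hits))
    return out

# Constructed sample telemetry: (client, time_s, user_agent, api_version, source_ip)
SAMPLE = ([("a", 4.0 * i, "Mozilla/5.0 Chrome/126.0", "v3", "198.51.100.7") for i in range(3)]
          + [("b", 0.1 * i, "Mozilla/5.0 HeadlessChrome/90.0", "v1", "203.0.113.9") for i in range(30)]
          + [("c", 6.0 * i, "Mozilla/5.0 Chrome/80.0", "v1", "198.51.100.20") for i in range(4)])
```

Calling `triage(SAMPLE)` scores client `a` at 0 (monitor), client `c` at 30 (rate limit), and client `b` at the 100 cap (block), since it trips every indicator.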
A summary of their application security platform, from their website, includes:
A patented machine learning and analytics engine that automatically discovers your web, mobile and API-based applications, while also uncovering threats and vulnerabilities that can be addressed by the two security modules:
- CQ botDefense: uses the CQAI findings to determine the actual intent of the application transactions, allowing you to prevent a broad range of automated business logic abuse attacks.
- CQ appFirewall: leverages CQAI to intelligently extend traditional WAF functionality while reducing administrative effort and addressing a significant WAF deficiency – preventing zero-day attacks.
Import 3rd party data into Cequence ASP or export findings to your existing security infrastructure to strengthen your security posture and improve the productivity of your team.
Centrally manage Cequence ASP with unmatched visibility into your web, mobile and API-based applications wherever they are deployed, allowing you to understand the intent of the traffic and take appropriate mitigation actions.
Matt explained that the near future would bring new functionality to Cequence’s platform. He said, “You will see us expand dramatically with more visualization tools and other tools to help our customers understand the risks associated with their APIs.”
For an in-depth description of Cequence’s solution, including helpful use case narratives, visit their website at https://www.cequence.ai/
Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications.