UPDATED 11:46 EDT / MAY 19 2021

Cequence helps enterprises guard against recent API flaw exploitation

Application programming interfaces, or APIs, are great for introducing services to new customers, publishing content quickly and sharing information across platforms. They are not so great for security, however.

Consumer-focused companies that have learned this lesson in recent weeks include farm machinery manufacturer John Deere Inc., the Experian Inc. credit bureau, and exercise equipment maker Peloton Inc. For all three firms, plus the popular social media platform Clubhouse, an open API allowed sensitive personal data to be exposed.

“The news has been ripe with this lately,” said Jason Kent (pictured, left), hacker in residence at API security software company Cequence Security Inc. “John Deere got hit, yet another credit bureau got hit. I log onto the platform, I’m authorized to be there, but I can see someone else’s stuff. That’s exactly what happened in Peloton.”

In anticipation of the AWS Startup Showcase: The Next Big Thing in Security, AI and Life Sciences event — set to kick off on June 16 — John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, spoke with Kent for a special CUBE Conversation. He was joined by Shreyans Mehta (pictured, right), co-founder and chief technology officer of Cequence, and they discussed how the company uses its platform to provide visibility and strengthen runtime API protection. (* Disclosure below.)

Defending against API exploits

Cequence bases its solution on consolidating multiple security functions within an AI-powered software platform that protects mobile, web and API-based apps.

“We detect and defend against things like account takeovers, fake account creation, scraping, pretty much anything and everything an application or API is exposed to or from the attackers,” Mehta said. “The reality is there’s just too many APIs out there. The key is really to understand your attack surface; that’s your starting point.”

To get a better handle on what that attack surface looks like, “hacker in residence” Kent plays the role of a malicious actor. His job is to launch attacks against a client’s platform and see what mayhem he can cause.

“I spend a lot of my time trying to beat on clients’ backdoors and try to hit their APIs with as many attacks as I can,” Kent explained. “I’m going to poke around like a regular user, but I’m going to look for places that make sense to try and do an attack. It helps us understand how an attacker is going to approach a specific client and helps us too with machine learning models to make sure we can defend against those kinds of things.”

What Kent often finds are common API risks that correlate with the OWASP Top Ten, a summary of the most critical security vulnerabilities in web applications. These run the gamut from security misconfigurations to broken authorization controls that give attackers access to data and functionality they should never have been able to reach.

“Broken object level authorization is usually the first one,” Kent noted. “There’s also insecure direct object reference, where I don’t have to be logged in. I can just make the request without any authentication and get information back.”
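The two failure modes Kent describes, an authenticated user reading another user’s object and an unauthenticated request being served at all, come down to a handler that looks up a record by ID without first checking who is asking. The following added example (editorial illustration, not Cequence’s or any named company’s code; the record store, session table and token values are constructed) shows a lookup with that defect next to one that authenticates and then enforces ownership:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: record id -> owner and payload.
RECORDS = {
    101: {"owner": "alice", "data": "alice's workout history"},
    102: {"owner": "bob", "data": "bob's workout history"},
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_record(record_id: int, token: Optional[str]) -> Response:
    """Broken object-level authorization: the record is returned to anyone
    who knows (or guesses) its id. The token is never consulted, so both an
    unauthenticated caller and a logged-in user get another user's data."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404)
    return Response(200, rec)


def hardened_get_record(record_id: int, token: Optional[str]) -> Response:
    """Authenticate first, then authorize the specific object."""
    user = SESSIONS.get(token) if token else None
    if user is None:
        # No valid session: refuse before touching the data store.
        return Response(401)
    rec = RECORDS.get(record_id)
    # Treat "not yours" exactly like "does not exist", so the response does
    # not tell a caller which ids are valid for other users.
    if rec is None or rec["owner"] != user:
        return Response(404)
    return Response(200, rec)
```

The hardened handler ties every object read to the caller’s identity; a sweep over record IDs then yields only the caller’s own records, which is also the request pattern (many IDs, one token, mostly 404s) worth alerting on at the gateway.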

Identifying behaviors

Cequence’s approach is to provide a software platform that can strengthen an organization’s runtime API protections. That requires visibility to identify relationships and behaviors in the IT environment.

“Once you are bubbling up those behaviors, then you can go ahead and protect from various attacks,” Mehta said. “It’s being able to get that visibility into these environments, understanding the user behavior and how these applications are interacted with. The ability to differentiate normal human behavior or legitimate automation from malicious intents or the probing and business logic attacks is key to understanding and defending these applications.”

In May, Cequence announced the release of its API Sentinel 2.0, which included a number of new security features. Customers can create an up-to-date inventory and risk posture of APIs, facilitate collaboration between development and security teams, and take advantage of 360-degree visibility, encompassing the edge, datacenter and ingress controllers.

“It’s a flip of a switch where an internal API can be externally exposed,” Mehta said. “You need to think like a bad guy. What are they going to go after? Get that visibility first, and then protect these environments.”

Watch the complete video interview below, be sure to check out more of SiliconANGLE’s and theCUBE’s CUBE Conversations, and tune in to theCUBE’s live coverage of the AWS Startup Showcase: The Next Big Thing in Security, AI and Life Sciences event on June 16. (* Disclosure: Cequence Security Inc. sponsored this CUBE Conversation. Neither Cequence nor other sponsors have editorial control over the content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
