Application programming interfaces, or APIs, are a double-edged sword in today’s IT infrastructure. They are a driving force behind many digital transformation efforts, but they are loved by threat actors for many of the same reasons developers love them.

APIs allow integration between numerous applications to enable modern web and mobile experiences, and this makes them a coveted avenue for cybercriminals to exploit vulnerabilities in these apps. Gartner has noted a 30% year-on-year increase in client inquiries related to API security and predicts that API abuses will move to the most-frequent attack vector by 2022, resulting in data breaches for enterprise web applications.

“What we are discovering amongst our customers is that there are elementary gaps that are being left behind in APIs, for instance, APIs that are completely unauthenticated.” said Subbu Iyer (pictured), vice president of product management at Cequence Security Inc. “And it’s practically like leaving your front door open and allowing anybody to walk in.”

Iyer spoke with Dave Vellante, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the AWS Startup Showcase: The Next Big Things in AI, Security & Life Sciences. They discussed the top API-related security incidents and breaches, as well as how Cequence Security addresses these issues. (* Disclosure below.)

Knowing the APIs is the starting point

Cyber​​attacks have been drawing public attention recently for hitting big companies like the Experian Inc. credit bureau, the exercise equipment maker Peloton Inc. and the popular social media platform Clubhouse. For all three firms, an open API allowed sensitive personal data to be exposed.

The starting point of any solution that aims to protect APIs is visibility, according to Iyer.

“In an age where APIs are ubiquitous, like everything talks to everything else by APIs, lack of knowledge of how many APIs there are out there and that a customer has exposed is the number one challenge that anybody should start with,” he stated.

This means that businesses need to identify APIs that are internal and third-party, are known and unknown and go from the edge to the service mesh environment.

“Once you have discovered all those APIs, then you basically look at what risk those APIs pose to you,” Iyer explained. “How many of those APIs aren’t authenticated? How many of those APIs are using very weak forms of authentication or are exposing sensitive information or subject to some of the other commonly seen risks?”

Lack of authentication and weak authentication are the most basic and frequent flaws in APIs, according to Iyer. In this case, “attackers really don’t have to even break a sweat to kind of find their way around them and walk in,” he said.

Excess of sensitive data exposure is another issue, listed as a top 10 by the Open Web Application Security Project, or OWASP, an online community that produces freely available articles, methodologies, documentation, tools and technologies for web application security.

“One of the key things that we do in Cequence is provide visibility to our customers about what form, which APIs are exposing sensitive data information … and really how are they leaking this information? Is it in the response body? Is it in the response header? And so on,” Iyer highlighted. “So, we really give them the ability to hone in on where the leakage is happening.”

To enable this visibility to customers, Cequence taps into an API gateway, load balancer or microservices applications to get a complete picture of what their applications’ attack surface looks like.

“All of these become what we call sensors that essentially communicate information back to a central repository and aggregate all that information together,” Iyer said. “And then that’s where a lot of analysis happens to see who’s communicating [with] all of these APIs.”

‘Shielding right’ while shifting left

After giving visibility to APIs, Cequence’s platform allows for mitigation actions in which customers act at runtime to stop the bad traffic. For example, if the visibility stage encounters unknown APIs, such as a newer version of an API that has been improperly made public, Cequence’s mitigation product will take care of that.

“They can use Cequence to essentially block traffic to those APIs, these unreleased APIs, or these hidden APIs that should never have gone public but are public, either because of unintentional mistakes on somebody’s part or because of certain compliance loopholes,” Iyer explained.

Cequence sees its solutions closely aligned with the development lifecycle and complementary to the shift-left approach, which means inserting security steps in the middle of the development process. The company believes in a balance where adequate “shield-right protection mechanisms” are in place to support a more secure shift-left adoption.

“While shielding the right, we allow customers to start shifting left so that they can start testing some of these APIs before they go into production,” Iyer said. “We absolutely see that as an evolution for customers.”

The entire Cequence solution is deployed as a software-as-a-service in any kind of infrastructure. The company can spin up an environment in the cloud in a matter of minutes or hours, according to Iyer.

“The backend can be consumed either as a software-based application, like a Docker or Kubernetes application on the customer’s premises, or consumed within the sequence cloud, so needing absolutely nothing to be managed or maintained by the customer at all,” Iyer concluded.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: The Next Big Things in AI, Security & Life Sciences. (* Disclosure: Cequence Security Inc. sponsored this segment of theCUBE. Neither Cequence Security nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE