1 Introduction
Over the last decade, Application Programming Interfaces (APIs) have evolved from a purely technical concept created for developers into one of the foundations of the modern digital economy. Today, APIs can be found everywhere. They enable business communications with suppliers, service providers, and customers. They ensure that applications from different vendors can exchange data seamlessly, and they orchestrate massive cloud infrastructures and global networks of smart devices. They can also unlock new business models for companies to offer their core services in innovative ways or to reach new customers.
In short, APIs are no longer just an IT thing – they have a strong impact on nearly every business's operational efficiency, scalability, and agility, and in the end directly influence its profitability. Unfortunately, in this booming API economy, potential security risks are often underestimated. In other cases, many companies still believe that traditional security tools like web application firewalls or intrusion detection systems can provide sufficient protection against API-specific attacks. Alas, numerous publications about API-related cyberattacks and data breaches that affect even the largest enterprises like Facebook or Tesla clearly show otherwise.
A proper, well-planned strategy for protecting various internal and external, own and third-party APIs must address every step along the API lifecycle, which, at least for APIs developed in-house, starts with secure design, long before the operational phase. In later phases, several different technologies have to be applied, including but not limited to network security (encryption, firewalling, DLP, etc.), protection against numerous API-specific threats and exploits, strong authentication and fine-grained access control, maintaining sensitive data integrity, as well as monitoring and analytics.
But one could also argue that for all API users, security begins at the discovery stage: without a full inventory, classification, and risk assessment of all known and unknown APIs, consistent protection is simply impossible. And this inventory cannot be a one-time process – continuous real-time monitoring is needed to reflect the ever-changing IT landscapes and new types of threats that emerge constantly. Security analysts, overworked and stressed by thousands of alerts, expect the API security solutions to match other modern security analytics tools in intelligence – being able to detect unknown malicious and suspicious activities, perform risk assessments, and offer actionable (or even better, automated) recommendations for mitigating the identified threats.
Cequence Security is a cybersecurity company headquartered in Sunnyvale, California. Founded in 2015 by a group of security industry veterans previously from Palo Alto Networks and Symantec, the company focuses on developing a unified ML-based Application Security Platform. This cloud-native, containerized platform powers several security products ranging from web and mobile app protection to API inventory, monitoring, and risk assessment.
API Sentinel is the company's specialized API security product, a cloud-native, easily deployable solution for real-time API discovery and usage analysis, detection of OpenAPI specification non-conformance, and risk assessment according to multiple metrics and policies. It helps users identify and mitigate API-related security risks before they turn into data breaches. Combined with the company's other solutions like Bot Defense and App Firewall, it lets Cequence Security offer its customers a comprehensive, well-integrated platform for addressing API risks at multiple stages of the API lifecycle.