Are API Threat Protection and Bot Management Related? Gartner Hype Cycle Recognition

Gartner Hype Cycle for Application Security: Recognition Confirms Cequence’s Leadership

Cequence is the only vendor to be recognized in both API Threat Protection and Bot Management segments, a recognition that we believe confirms our belief that a comprehensive API security platform MUST be able to detect API threats and natively mitigate them in real-time while also analyzing your APIs to help you find and remediate vulnerability exploits caused by coding errors.

While bot management products provide a level of protection for applications, most have no protection for APIs since they rely on JavaScript or mobile SDKs to be integrated into apps in order to detect bots. Attackers then bypass applications and attack the unprotected APIs directly, which is why it’s critical to have API threat protection in addition to bot management. API threat protection defends APIs from exploits, business logic abuse, and more.

Most API Security vendors just detect threats and then rely on third parties for mitigation, while Cequence Bot Management provides native mitigation including blocking, logging, rate limiting, header injection, and deception. Cequence is the API Security leader that covers all stages of the API Security lifecycle – Discovery, Compliance, and Protection, natively without relying on any third-party solutions.

2021 Gartner® Hype Cycle™ report is information packed documents often used by clients as a means of gauging their investments in a particular technology segment. The 2021 Hype Cycle for Application Security is no exception, covering roughly 30 or segments within the application security space. Within the report, Cequence Security was recognized by Gartner as a Sample Vendor in both the API Threat Protection and Bot Management segments.

Even Perfectly Coded APIs Can Be Attacked

APIs are the connective tissue for everything we do digitally, making the importance of protecting them from all forms of malicious use critically important. The user interface for your mobile and business app that is designed to deliver an engaging user experience is supported by APIs connecting back to compute resources located elsewhere – be it the cloud, the data center, or both. Validating that APIs are the development tool of choice, a Cequence Security API Usage and Threat Report found that 14.4 billion or 70% of the 21.1 billion application requests analyzed were API-based. Confirming that even perfectly coded APIs are susceptible to attack, the Cequence threat research team found that 80% of the nearly 2 billion attacks mitigated were API-based. From the Bot Management Section of the Hype Cycle for Application Security:

“Bot traffic continues to rise, along with increasing sophistication of bots. Attackers leverage bots to automate their attacks onto enterprises’ online assets, including scraping, scalping and credential stuffing. The rise of “hu-bot,” combination of specialized bots with human-operated fraud farm services, requires ever-improving sophistication in detection and response.”

— Hype Cycle for Application Security, 2021, Bot Management Section, Jeremy D’Hoinne, Ramon Krikken, Akif Khan

A New Approach to Preventing API Attacks

Cequence is a pioneer in API security as we have been focused on it since 2015 when most of the vendors did not exist or were still in stealth mode. We took the approach that even the most perfectly coded account registration, shopping cart, or language translation API can be attacked and built a Unified API Protection platform that:

• Assumed that bad actors will use both APIs (and web) endpoints to make their attacks appear legitimate, easily bypassing JavaScript and SDK-based prevention tools and other security tools (e.g., firewalls, IPS, WAFs, Security Gateways, and fraud tools).
• Uses a multi-dimensional machine learning engine to create a behavioral fingerprint based on the analysis of the tools, infrastructure, credentials and behaviors used in every API transaction. The behavioral fingerprint casts the widest net with the highest efficacy possible and distinguishes malicious from legitimate intent.
• Leverages the world’s largest threat intelligence database with hundreds of millions of IP addresses and information on hundreds of thousands of malicious organizations. Cequence’s threat intelligence combined with behavioral fingerprinting helps our customers confidently prevent attacks with a high degree of efficacy.

The analysis can immediately be translated into real-time mitigation policies that include blocking, logging, rate-limiting, header injection, and deception.

API Security with a Prevention-First Approach

Unlike some of the API security upstarts, I am of the opinion that while shift left efforts are improving security for APIs and applications, they are not replacement for the protection steps described above. Improving API security on the development side is a constantly evolving team effort – it’s not a one-and-done. Developers are human, errors are made, processes not followed, and adjustments need to be made to make ensure these security gaps are discovered and remediated quickly. APIs discovered to be vulnerable yet too critical to be removed from production need to be protected from attacks while fixed on the backend. From the API Threat Protection section of the Hype Cycle for Application Security:

“Because APIs are typically used for access to data or application functionality, often linked to systems of record, the impact of an API breach can be substantial. Privacy regulations typically require reporting if private data is breached through an insecure API. APIs are easily and intentionally programmable, so a vulnerability can leak large volumes of data. That it can be challenging to separate valid API use from nefarious access raises the risk of blocking valid use.”

— Hype Cycle for Application Security, 2021, API Threat Protection Section, Mark O’Neill, Jeremy D’Hoinne.

The Cequence Unified API Protection platform builds upon our prevention-based expertise, adding a rich set of features that encourages collaboration between security and development teams – without injecting friction or additional work.

• Security teams can identify the entire attack surface area, effectively seeing what an attacker might see. Findings can be translated into actions quickly to close potential security holes.
• Both security and development can perform API discovery, inventory tracking and risk assessment to rein in the API footprint while uncovering and remediating common errors like poorly implemented authentication, exposed sensitive data, and API specification non-conformance.
• Development teams can use the platform’s ability to automatically generate OpenAPI specifications APIs, resulting in improved quality, consistency and security.

As the CMO of Cequence, I get the pleasure of seeing first hand how our products help our customers discover the true size of their API footprint, assess and remediate risks while continuously looking for and blocking automated attacks, business logic abuse and exploits natively, and in real-time. We believe these mentions are great validation points for our customers, our prospects, and our team, in addition to the creation of a brand new cybersecurity category – API Security. We’d love to show you how we can help your organization with API security and bot management – schedule a personalized demo now.

Gartner, Hype Cycle for Application Security, 2021, 12 July 2021, By Joerg Fritsch

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Cequence. GARTNER and Hype Cycle are registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.