
Cequence Announces API Security Testing, Extending Their Lead in Unified API Protection

February 13, 2023 | 7 MIN READ

by Subbu Iyer

API Security Testing and API Spartan

We are excited to announce Unified API Protection v2.0, the latest release of our market leading API security platform. Unified API Protection v2.0 adds dynamic API Security Testing to the platform to help security and development teams find and remediate API vulnerabilities before they are released to production. In addition to the new API Security Testing product, this release includes API discovery, risk analysis and protection enhancements that will help customers accelerate their 2023 API protection initiatives.

API Security Testing

We’re launching a new API Security Testing solution that will enable security teams to deploy continuous, integrated testing in their pre-production continuous integration and deployment (CI/CD) environments to detect Open Web Application Security Project (OWASP) API risks. The new API Security Testing solution complements and extends Cequence API Sentinel’s ability to discover and manage the inventory of pre-production APIs and compare it against the inventory in production. API Security Testing detects security risks in pre-production APIs, such as shadow API endpoints, sensitive data exposure and the rest of the OWASP API Top 10 risks, so that security teams can remediate them before the APIs are released to production.

The following capabilities of API Security Testing are now available:

  • CI/CD Integration of Pre-production Environments: This enables customers to integrate API Security Testing into any CI/CD pipeline environment such as GitHub, Gitlab or Jenkins. Using Cequence-provided containers, customers can integrate and customize the configuration in their environments.
  • Visualization of Test Results: This enables security teams to view the results of each test run and the security issues raised in it. The results are exportable to allow sharing with API owners and development teams who can then remediate the respective findings.
  • Comprehensive Detection of OWASP API10+: The list of security tests covers the OWASP API Security Top 10 as well as attacks that target APIs even when they are coded correctly, properly inventoried and not susceptible to any of the OWASP API Security Top 10 threats. The test list is customizable per run, so security teams can tailor the checks for different API groups and add new checks to the pre-defined catalog of API risk categories.
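As an added illustration of the kind of check a CI/CD stage like this performs, the following Python script compares observed pre-production traffic against the documented API inventory and flags two of the findings named above: shadow endpoints (or undocumented methods on known endpoints) and sensitive data in responses. It is example code, not Cequence’s product; the OpenAPI-style spec, the traffic records and the sensitive-data patterns are all constructed inline, and the exit code convention (non-zero fails the pipeline stage) is an assumption.

```python
"""Minimal pre-production API security check of the kind a CI/CD stage might run.

Added example, not Cequence code. Inputs are constructed inline: an
OpenAPI-style inventory of documented endpoints and a handful of observed
pre-production request/response records.
"""
import json
import re
import sys

# Constructed: the documented API inventory (what the spec says exists).
DOCUMENTED_SPEC = {
    "paths": {
        "/api/v1/users/{id}": {"get": {}, "put": {}},
        "/api/v1/orders": {"get": {}, "post": {}},
    }
}

# Constructed: records captured from the pre-production environment.
OBSERVED_TRAFFIC = [
    {"method": "GET", "path": "/api/v1/users/42",
     "response": '{"id": 42, "email": "jane@example.com"}'},
    {"method": "GET", "path": "/api/v1/orders",
     "response": '{"orders": []}'},
    {"method": "GET", "path": "/api/v1/debug/dump",          # not in the spec
     "response": '{"card": "4111 1111 1111 1111", "ssn": "123-45-6789"}'},
    {"method": "DELETE", "path": "/api/v1/orders",           # undocumented method
     "response": '{"deleted": 0}'},
]

# Illustrative sensitive-data patterns; a real catalog would be far broader.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def path_to_regex(template):
    """Turn an OpenAPI path template such as /users/{id} into an anchored regex."""
    parts = ["[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def documented_operations(spec):
    """Return [(compiled path regex, {METHODS}), ...] from the spec."""
    return [(path_to_regex(p), {m.upper() for m in ops})
            for p, ops in spec["paths"].items()]


def classify_request(method, path, operations):
    """Return None if the request is documented, else the finding category."""
    for rx, methods in operations:
        if rx.match(path):
            return None if method.upper() in methods else "undocumented_method"
    return "shadow_endpoint"


def scan_sensitive(body):
    """Names of the sensitive-data patterns that match the response body."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body))


def run_checks(spec, traffic):
    """Produce a list of findings; an empty list means the gate passes."""
    ops = documented_operations(spec)
    findings = []
    for rec in traffic:
        category = classify_request(rec["method"], rec["path"], ops)
        if category:
            findings.append({"category": category, "method": rec["method"],
                             "path": rec["path"]})
        exposed = scan_sensitive(rec["response"])
        if exposed:
            findings.append({"category": "sensitive_data_exposure",
                             "method": rec["method"], "path": rec["path"],
                             "data_types": exposed})
    return findings


def main():
    findings = run_checks(DOCUMENTED_SPEC, OBSERVED_TRAFFIC)
    print(json.dumps(findings, indent=2))   # exportable for API owners / dev teams
    sys.exit(1 if findings else 0)          # assumption: non-zero fails the stage


if __name__ == "__main__":
    main()
```

Run as-is, the script reports four findings: an email address returned by a documented endpoint, a shadow `/api/v1/debug/dump` endpoint that also leaks a card number and an SSN, and an undocumented `DELETE` on `/api/v1/orders`. The JSON output is the artifact to hand to the API owner; the exit code is what lets the pipeline block a release.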

Cequence API Security Testing showing CI/CD integrated test runs

For more information, reach out for a demo of this exciting capability.

Zero-touch API Discovery and Shadow API Notifications

We launched API Spyder in June 2022 to allow organizations to discover their exposed API attack surface without deploying any agents or network changes. This approach to attack surface management was unique in the API security space, and we were flattered to note that the market validated our approach with other vendors emulating API Spyder capabilities. Today we’re excited to announce the following key enhancements to API Spyder.

  • Proactive Notification of Shadow APIs: Our initial API Spyder deployments have helped customers discover shadow or rogue API server deployments that fall outside their approved security posture but within the environment in which the apps are authorized to be hosted. We’re enhancing API Spyder to proactively notify customers about shadow API implementations that are not actively being monitored and protected. This enables security teams to instantly detect rogue API implementations, which often manifest as pre-production or user acceptance testing (UAT) deployments, and quickly remediate the situation with the respective API owner team. Since API Spyder is SaaS-based, this functionality is available immediately and will automatically be delivered to all existing API Spyder customers.

    API Spyder showing API attack surface not protected by Cequence UAP

  • Granular API Attack Surface Visibility and Reporting: API Spyder now supports detailed reporting of the discovered API attack surface with added information about whether each discovered API server is actively protected by Cequence or not. Such information is available via the dashboard UI as well, allowing authorized users to easily get a quick view of how many API servers are being discovered, and their security posture.
  • Customized Crawl Scheduling and Domain Configuration: Our customers are now crawling hundreds of their domains to monitor their public API attack surface. With today’s update, now they can set customized crawl schedules for specific domains, allowing API Spyder to focus in on those areas that might be of top concern.

Cequence Bot Defense Has Now Evolved to API Spartan

To align with its current charter of protecting web and API apps from more than just automated bot traffic, we’ve not only renamed the Bot Defense module to API Spartan but we’ve added new features unmatched by any existing bot management solution in the market.

When Cequence came out of stealth mode in 2015 with our flagship Bot Defense product, the main problem statement it solved was to detect and block automated bad traffic attempting account takeover attacks. Cequence made a design decision to solve this problem without using any client-side instrumentation such as JavaScript or SDKs that were commonly used to solve this problem. The “no-code instrumentation” technique became widely popular, winning us many customers including Fortune-50 organizations who found the technology incredibly fast to deploy and highly effective at protecting APIs and web apps with equal efficacy.

In retrospect, that design decision became one of the fundamental underpinnings of the Unified API Protection solution since API traffic can originate from web or mobile apps or be clientless direct API calls. We have made several recent enhancements to this product that transcend the original goal of protecting against automated bot traffic. We have chosen to rename Bot Defense to API Spartan to more accurately reflect its expanded focus on detecting and protecting against traditional OWASP Automated Top 20 as well as API-specific attacks such as broken object-level authorization, enumeration attacks and business logic abuse.

Recent API Spartan enhancements include:

  • Dynamic Confidence Score-Based Mitigation: Cequence API Spartan automatically profiles good and bad traffic, assigning each request a confidence score that quantifies the potentially malicious nature of the request. During an attack on APIs, the confidence scores of malicious traffic start surging much higher than those of good traffic. The product now has built-in automatic logic that captures the behavioral patterns of the malicious traffic and pushes those out to Cequence Defenders, which take action inline, such as blocking, rate-limiting, or inserting headers into the malicious traffic. This helps security teams to automatically detect and mitigate malicious traffic without having to manually triage the behavioral characteristics of the traffic.
  • Block Malicious API Traffic using Advanced Mitigation Criteria: API Spartan now supports advanced mitigation criteria that can act on malicious API traffic based on rapidly mutating behavioral characteristics. These characteristics include deep payload inspection for patterns observed in the malicious traffic, including rapidly changing query parameters, header values or body parameter values. This allows security teams to apply deep web application firewall (WAF)-like controls to block the attack as it happens. Using a combination of customized machine learning (ML) models and out-of-the-box rules, customers can have an automated deployment that detects and protects against malicious API traffic.

    New Improved API Spartan Dashboard
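To make the two mechanisms described above concrete (a per-request confidence score derived from behavioral profiling, and a captured behavioral pattern pushed to an inline enforcement point that blocks, rate-limits or inserts a header), here is an added, deliberately small Python model of that pipeline. It is not Cequence’s scoring logic; the features (request rate, query-parameter churn, failure ratio), their weights, the action thresholds and the traffic records are all constructed for illustration.

```python
"""Toy confidence-score pipeline: profile per-client API traffic, score it,
and push a mitigation rule for high-scoring behaviour to an inline enforcer.

Added example, not Cequence code. Feature weights, thresholds and the
traffic below are constructed for illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Request:
    ts: float                      # seconds
    client: str                    # source identity (IP here; real systems fingerprint)
    path: str
    user_agent: str
    query: dict = field(default_factory=dict)
    status: int = 200


def client_features(reqs):
    """Behavioural features of one client's requests inside the window."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    n = len(reqs)
    span = max(reqs[-1].ts - reqs[0].ts, 1.0)
    values = [v for r in reqs for v in r.query.values()]
    return {
        "rate": n / span,                                              # requests/second
        "param_churn": len(set(values)) / len(values) if values else 0.0,
        "failure_ratio": sum(r.status >= 400 for r in reqs) / n,
    }


def confidence_score(features):
    """0..100; higher means the traffic looks more like automated abuse."""
    rate_part = 40 * min(features["rate"] / 5.0, 1.0)   # saturates at 5 req/s
    churn_part = 30 * features["param_churn"]           # new value on every request
    fail_part = 30 * features["failure_ratio"]          # e.g. a stream of 401s
    return round(rate_part + churn_part + fail_part, 1)


def build_rule(reqs, score):
    """Capture the behavioural pattern and pick an inline action by score."""
    top_path = Counter(r.path for r in reqs).most_common(1)[0][0]
    top_ua = Counter(r.user_agent for r in reqs).most_common(1)[0][0]
    action = "block" if score >= 80 else "rate_limit" if score >= 60 else "insert_header"
    return {"match": {"path": top_path, "user_agent": top_ua},
            "action": action, "score": score}


def detect(traffic, threshold=40):
    """Group by client, score each, and return rules for clients above threshold."""
    by_client = defaultdict(list)
    for r in traffic:
        by_client[r.client].append(r)
    rules = []
    for reqs in by_client.values():
        score = confidence_score(client_features(reqs))
        if score >= threshold:
            rules.append(build_rule(reqs, score))
    return rules


def enforce(rules, request):
    """Inline defender: apply the first matching pushed rule, otherwise allow."""
    for rule in rules:
        m = rule["match"]
        if request.path == m["path"] and request.user_agent == m["user_agent"]:
            return rule["action"]
    return "allow"


# Constructed traffic: a human logging in three times versus a script hammering
# the same endpoint with a different username on every request.
BROWSER_UA = "Mozilla/5.0 (constructed)"
SCRIPT_UA = "python-requests/2.x (constructed)"
TRAFFIC = (
    [Request(ts=30 * i, client="10.0.0.5", path="/api/login", user_agent=BROWSER_UA,
             query={"user": "alice"}, status=200) for i in range(3)]
    + [Request(ts=100 + 0.25 * i, client="203.0.113.9", path="/api/login",
               user_agent=SCRIPT_UA, query={"user": f"user{i}"}, status=401)
       for i in range(40)]
)


def main():
    rules = detect(TRAFFIC)
    for rule in rules:
        print(rule)
    probe = Request(ts=200, client="203.0.113.9", path="/api/login",
                    user_agent=SCRIPT_UA, query={"user": "zed"}, status=401)
    print(enforce(rules, probe))


if __name__ == "__main__":
    main()
```

In this model the browser client scores around 10 and produces no rule, while the scripted client scores above 90 and is pushed to the enforcer as a block rule keyed on the path and user-agent pattern it exhibited. The point of the structure, rather than the particular weights, is that detection runs offline over a window of traffic and hands the enforcer a compact, matchable pattern, so no analyst has to triage the behavior by hand before mitigation starts.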

Runtime Inventory—API Sentinel

API Sentinel has several new capabilities for comprehensive runtime API inventory and security compliance.

  • Tracking of API Inventory Over Time with Summary Dashboard: Using API Sentinel, customers now have access to a summary dashboard that lists several key metrics that help them track API inventory over time. Newly discovered shadow APIs or OWASP API risks are immediately visible on this dashboard, allowing security teams to take remediation action.

    OWASP API Risk Metrics on the API Sentinel Summary Dashboard

  • Instant Report Generation: A dashboard user can also instantly generate a detailed report listing the findings from the summary dashboard. This report summarizes the findings from the dashboard for executive target users, including the actionable findings of OWASP API risks for app teams to act on.

    Exported API Sentinel report showing actionable risk findings

Requesting a Demo

To learn more about any of the new capabilities in Unified API Protection v2, feel free to request a demo. We’d be happy to get on a call to show you these exciting new capabilities!


Author

Subbu Iyer

Vice President of Product Management

Subbu Iyer is VP of Product Management at Cequence and drives product innovation by bridging customer needs with engineering and data science. With extensive experience at Oracle, Bluebox Security, and Zscaler, Subbu shapes Cequence's API security strategy.
