INDUSTRY
Unified API Protection for Small and Midsize Business (SMB)
There are millions of business in the U.S. that have sales well below the $1 billion in sales metric. In contrast, there are approximately 20,516 large businesses, qualified as having sales in excess of $1 billion. A recent analysis found that most API-related security incidents were targeted at small and medium sized businesses. This finding is understandable, given that 73% of SMBs do not have a separate information security function (compared with 33% for enterprise organizations). In many cases the business being attacked is using cloud and SaaS-based apps that rely heavily on APIs. Those same APIs are also leveraged by attackers, who use their developer skills for malicious purposes.
With a lack of staffing and the proliferation of APIs, it’s no wonder that these businesses may struggle to uncover API abuse that results in theft, online fraud and business disruption.
By the Numbers
#1
SMBs face the highest number of API security events, with most incidents affecting companies with less than $50 million in revenue.
Source
48%
A 2020 survey found 48% of organizations regularly -- and knowingly -- push vulnerable code into production.
Source
3 Million
Three million open positions for skilled cybersecurity personnel tops the list of barriers organizations face when securing their web applications.
Source
API Protection is a Business Problem
With most small and medium sized businesses stretched thin from a security staffing perspective, its not surprising that bad actors will target APIs directly, finding authentication coding errors that allow escalated privileges to steal data. Or they uncover APIs exposing sensitive data that can lead to compliance violations, or they use automation to execute a shopping bot attack on a perfectly coded API. Attacks on your APIs can introduce a range of risks and they impact the entire business in the following ways:
Infrastructure
Whether it’s an automated ATO on a perfectly coded API, or a volumetric attack against an API coded without resource or rate limiting (OWASP API#4), the impact on infrastructure teams can cause costs to skyrocket. Worse yet, the web site and mobile app can become non-responsive, resulting in (real) user dissatisfaction.
Security
Security is impacted by efforts to slow or stop API attacks, often struggling to separate real transactions from fake, or worse yet, blindsided by an unprotected shadow API.
Marketing, Sales, eCommerce
Depending on the type of attack, these groups may be presented with inflated marketing statistics which turn into poor or misleading sales program decisions, missed revenue projections and damage to vendor relationships.
Customer Satisfaction, PR, Brand
With the understanding that 57% of consumers spend more on brands to which they are loyal, which can generate a 12%-18% incremental revenue growth per year, SMBs are singularly focused on customer retention. A bad experience due to a slow or unavailable website, or desired item can drive them elsewhere, resulting in a 5x increase in costs of acquiring a
Limitations of Traditional Defenses
Today’s security teams simply lack the visibility and defense capabilities they need to protect the ever-growing risk from APIs and other application connections. Many have adopted a belief that compliance with PCI or SOC 2 guidelines combined with a shift-left, DevOps mentality supported by existing security technologies is sufficient to protect APIs. The problem with these strategies is that they don’t have a way to “know the unknown”, meaning they aren’t able to look for all APIs and API vulnerabilities without knowing where to look. Even if all APIs are discovered and “known”, attackers can still leverage seemingly legitimate transactions in an attempt to steal data, or commit fraud. Traditional approaches that WAFs or API gateways depend on easily evadable detection, lack the real-time ability to discern good from bad API activity and are reliant on static, least common denominator protection spread across multiple technology components.
The Journey to Unified API Protection for Retailers
Cequence Security believes in taking a holistic approach to defending enterprises against API-related data risk with a market-defining Unified API Protection solution that goes beyond API security approaches that focus solely on one aspect of the API protection journey. Achieving true peace of mind for comprehensive API attack protection means traveling through six distinct steps associated with the Unified API Protection solution:
Discovery: Viewing an organization’s API attack surface from a threat actor perspective to know the unknown.
Inventory: Performing a comprehensive multi-cloud API inventory, including all existing APIs and connections.
Testing: Integrating API protection into development, which shifts API security left within the organization, so risky code doesn’t go live.
Compliance: Keeping APIs in compliance with specifications, standards and regulations such as OWASP and ensuring ongoing API governance.
Detection: Continuous scanning for threats, including subtle business logic abuse, fraud, and automated malicious activity from bots.
Prevention: Employing countermeasures such as alerts, real-time blocking, deception, without the need for added third-party data security tools.
Unified API Protection is different from fragmented or incomplete API security offerings because it’s a methodology designed to account for multiple types of risk, across every phase of the API protection lifecycle.
Why Cequence?
With the Cequence Unified API Protection solution, customers can continue to reap the competitive and business advantages of ubiquitous API connectivity. The Cequence solution results in attack futility, failure, and fatigue for even the most relentless of attackers. It significantly improves visibility and protection while reducing cost, minimizing fraud, business abuse, data losses and non-compliance.
