
Are API Threat Protection and Bot Management related?

The 2021 Gartner® Hype Cycle report is an information-rich document often used by clients to assess their investments in a particular technology segment. The 2021 Hype Cycle for Application Security is no exception, covering around 30 segments in the application security space. In the report, Gartner named Cequence Security as a Sample Vendor in both the API Threat Protection and Bot Management segments.

Cequence is the only vendor recognized in both the API Threat Protection and Bot Management segments, recognition which we believe confirms our view that a comprehensive API security platform must be able to detect and mitigate API threats natively and in real time, while also scanning your APIs to find and fix the vulnerabilities introduced by coding errors. Most API security vendors simply detect threats and then rely on third parties to mitigate them. Cequence covers every stage of the API security lifecycle, discovery, detection and defense, natively, without relying on third-party solutions.

Perfectly coded APIs can be attacked

APIs are the connective tissue of everything we do digitally, hence the importance of protecting them from all forms of malicious use. Your mobile and business application UI, designed to deliver an engaging user experience, is backed by APIs that connect to compute resources located elsewhere, whether in the cloud, in a data center, or a combination of the two. Validating that APIs are the developer tool of choice, Cequence Security’s latest report on API usage and threats found that 14.4 billion, or 70%, of the 21.1 billion application requests analyzed were API-based. Confirming that even perfectly coded APIs are susceptible to attack, the threat research team found that 80% of the nearly 2 billion attacks mitigated were API-based. In the Bot Management section of the Hype Cycle for Application Security:

“Robot traffic continues to grow, along with the growing sophistication of robots. Attackers are leveraging bots to automate their attacks on companies’ online assets, including scraping, scalping, and credential stuffing. The rise of the ‘hu-bot’, a combination of specialized bots with human-run fraud farm services, requires ever-increasing sophistication in detection and response.” — Hype Cycle for Application Security, 2021, Bot Management Section, Jeremy D’Hoinne, Ramon Krikken, Akif Khan

Cequence is a pioneer in API security as we have focused on it since 2015, when most vendors either did not exist or were still in stealth mode. We took the approach that even the most perfectly coded account registration, shopping cart, or language translation API can be attacked and built a platform that:

  • Assumes malicious actors will use both APIs and web endpoints to make their attacks appear legitimate, easily circumventing JavaScript- and SDK-based prevention tools and other security controls (e.g., firewalls, IPS, WAF, security gateways and fraud tools).
  • Uses a multidimensional machine learning engine called CQAI to create a behavioral fingerprint from the tools, infrastructure, credentials, and behaviors observed in each API transaction. Behavioral fingerprinting casts the widest net with the greatest possible efficiency and confirms whether the intent behind the traffic is malicious.
  • Leverages NetworkIQ, the world’s largest API security database with over 100 million IP addresses and information on over 200,000 malicious organizations. NetworkIQ combined with Behavioral Fingerprinting helps our customers confidently prevent attacks with a high degree of effectiveness.

Most importantly, CQAI analysis can be immediately translated into real-time mitigation policies that include blocking, rate limiting, geo-fencing, and deception.
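To make the three bullets concrete, here is an added example of what a behavioral fingerprint built from the tool, infrastructure and credential attributes of a login API transaction can look like, and how its output maps onto the block and rate-limit actions mentioned above. This is an illustration written for this page, not code from the original post or from Cequence’s CQAI or NetworkIQ products; the log fields (`asn`, `tls_ja3`), the fingerprint recipe, the thresholds and the sample records are all assumptions constructed for the demo.

```python
"""Behavioral fingerprinting of API login traffic with a mitigation decision.

Added illustration, not Cequence's CQAI or NetworkIQ code: the log fields,
fingerprint recipe, thresholds and sample records are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Request:
    """One POST /api/v1/login transaction as an edge proxy might log it."""
    ts: datetime
    ip: str
    asn: str          # assumed: ASN resolved upstream (infrastructure signal)
    user_agent: str   # tool signal
    tls_ja3: str      # assumed: TLS client fingerprint from the edge (tool signal)
    username: str     # credential signal
    status: int       # 200 = login succeeded, 401 = bad credentials


def fingerprint(r: Request) -> str:
    """Tool + infrastructure fingerprint. The IP is deliberately left out so
    that an attacker rotating proxies through one ASN with one tool still
    collapses into a single actor."""
    return f"{r.tls_ja3}|{r.user_agent}|{r.asn}"


@dataclass
class ActorStats:
    requests: int = 0
    failures: int = 0
    usernames: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def aggregate(reqs: Iterable[Request]) -> Dict[str, ActorStats]:
    """Group transactions by fingerprint and accumulate behavioural counters."""
    stats: Dict[str, ActorStats] = defaultdict(ActorStats)
    for r in reqs:
        s = stats[fingerprint(r)]
        s.requests += 1
        s.failures += int(r.status == 401)
        s.usernames.add(r.username)
        s.ips.add(r.ip)
        s.first = r.ts if s.first is None else min(s.first, r.ts)
        s.last = r.ts if s.last is None else max(s.last, r.ts)
    return stats


def decide(s: ActorStats) -> str:
    """Map an actor's behaviour to one of the page's mitigation actions.
    Thresholds are illustrative assumptions, not tuned values."""
    span = max((s.last - s.first).total_seconds(), 1.0)
    rate = s.requests / span
    fail_ratio = s.failures / s.requests
    # Credential stuffing: one tool, many distinct usernames, almost all failing.
    if len(s.usernames) >= 10 and fail_ratio >= 0.8:
        return "block"
    # Abusive request rate from one tool, e.g. brute force on a single account.
    if rate > 2.0:
        return "rate_limit"
    return "allow"


def evaluate(reqs: Iterable[Request]) -> Dict[str, str]:
    """Fingerprint -> action, the policy a real-time enforcement point would apply."""
    return {fp: decide(s) for fp, s in aggregate(reqs).items()}


def sample_traffic() -> List[Request]:
    """Constructed log records for the demo (not real traffic)."""
    t0 = datetime(2021, 7, 12, 10, 0, 0)
    reqs: List[Request] = []
    # Actor A: credential stuffing through four rotating IPs, one tool, one ASN.
    for i in range(20):
        reqs.append(Request(t0 + timedelta(seconds=i * 0.5), f"203.0.113.{i % 4}",
                            "AS64500", "python-requests/2.25.1", "ja3-aaaa",
                            f"user{i}@example.com", 200 if i == 7 else 401))
    # Actor B: one tool brute-forcing a single account at ~6 requests/second.
    for i in range(30):
        reqs.append(Request(t0 + timedelta(seconds=i / 6), "198.51.100.9",
                            "AS64501", "curl/7.68.0", "ja3-bbbb",
                            "admin@example.com", 401))
    # Actor C: a human who mistyped a password once, then logged in.
    for i, status in enumerate((401, 200, 200)):
        reqs.append(Request(t0 + timedelta(seconds=i * 30), "192.0.2.44",
                            "AS64502", "Mozilla/5.0 (iPhone)", "ja3-cccc",
                            "alice@example.com", status))
    return reqs


if __name__ == "__main__":
    for fp, action in evaluate(sample_traffic()).items():
        print(f"{action:10s} {fp}")
```

The point of keying on tool and infrastructure rather than on the IP is the one made in the first bullet: a stuffing campaign that rotates source addresses still shares a client fingerprint, and the credential dimension (many distinct usernames, almost all failing) is what separates it from a legitimate user who simply mistyped a password.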

API security with a prevention-focused approach

Unlike some API security upstarts, I’m of the opinion that shift-left efforts improve API and application security, but they don’t replace the protective steps outlined above. Improving API security on the development side is an ever-evolving team effort, not a one-time job. Developers are human, mistakes are made, processes are not followed, and adjustments must be made to ensure these security flaws are discovered and fixed quickly. APIs discovered to be vulnerable but too critical to be removed from production must be protected against attacks while being fixed on the backend. In the API Threat Protection section of the Hype Cycle for Application Security:

“Since APIs are typically used to access data or application functionality, often tied to systems of record, the impact of an API breach can be substantial. Privacy regulations generally require reporting if private data is breached through an insecure API. APIs are easily and intentionally programmable, so a vulnerability can leak large volumes of data. That it may be difficult to separate valid API use from malicious access increases the risk of blocking valid use.” — Hype Cycle for Application Security, 2021, API Threat Protection Section, Mark O’Neill, Jeremy D’Hoinne.

The Cequence platform builds on our prevention-based expertise, adding a rich set of features that encourage collaboration between security and development teams – without injecting friction or extra work.

  • Security teams can use the platform to identify the entire attack surface, effectively seeing what an attacker might see. Results can be quickly translated into actions to close potential security vulnerabilities.
  • Security and development can use platform API discovery, inventory tracking, and risk assessment to control the API footprint while discovering and fixing common errors such as poorly implemented authentication; exposed sensitive data; and non-compliance with specifications.
  • Development teams can use the platform to automatically generate OpenAPI 3.1 specifications for out-of-spec APIs, improving quality, consistency, and security.
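The three bullets describe one workflow: build an inventory from observed traffic, compare it with what development has documented, flag risky behaviour such as sensitive data served without authentication, and hand the gaps back to developers as an OpenAPI 3.1 document. The following added example walks that workflow end to end on constructed data; it is an illustration written for this page, not Cequence’s discovery or spec-generation code, and the documented spec (`DOCUMENTED`), the sensitive-data patterns, the identifier heuristic and the sample request records are all assumptions.

```python
"""API discovery from observed traffic, compared against a documented spec.

Added illustration, not Cequence's discovery or spec-generation code. The
documented spec, the sensitive-data patterns and the observed requests are
constructed for the demo.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed: the endpoints and methods the development team has documented.
DOCUMENTED: Dict[str, set] = {
    "/api/v1/users/{id}": {"get"},
    "/api/v1/login": {"post"},
}

# Assumed: patterns for data that must never leave an unauthenticated response.
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Path segments that look like identifiers: integers or UUIDs.
ID_RE = re.compile(r"\d+|[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def templatize(path: str) -> str:
    """Collapse identifier segments so /users/42 and /users/43 become one endpoint."""
    out: List[str] = []
    n = 0
    for seg in path.split("?", 1)[0].split("/"):
        if ID_RE.fullmatch(seg):
            n += 1
            out.append("{id}" if n == 1 else f"{{id{n}}}")
        else:
            out.append(seg)
    return "/".join(out)


def inventory(observed: Iterable[dict]) -> Dict[str, dict]:
    """Observed footprint: per endpoint, the methods seen, hit count, and
    sensitive data returned to callers that sent no credentials."""
    inv: Dict[str, dict] = defaultdict(
        lambda: {"methods": set(), "count": 0, "unauth_sensitive": set()})
    for o in observed:
        e = inv[templatize(o["path"])]
        e["methods"].add(o["method"].lower())
        e["count"] += 1
        if not o["has_auth"] and o["status"] == 200:
            for name, rx in SENSITIVE.items():
                if rx.search(o["body"]):
                    e["unauth_sensitive"].add(name)
    return inv


def findings(inv: Dict[str, dict]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """shadow: operations observed but absent from DOCUMENTED;
    exposure: endpoints that served sensitive data without authentication."""
    shadow: Dict[str, List[str]] = {}
    exposure: Dict[str, List[str]] = {}
    for p, e in inv.items():
        missing = sorted(e["methods"] - DOCUMENTED.get(p, set()))
        if missing:
            shadow[p] = missing
        if e["unauth_sensitive"]:
            exposure[p] = sorted(e["unauth_sensitive"])
    return shadow, exposure


def openapi_skeleton(shadow: Dict[str, List[str]]) -> dict:
    """Emit an OpenAPI 3.1 document covering the undocumented operations, for
    the development team to complete with schemas and security requirements."""
    paths: Dict[str, dict] = {}
    for p, methods in shadow.items():
        item: dict = {m: {"responses": {"200": {"description": "Observed in traffic"}}}
                      for m in methods}
        params = re.findall(r"\{(\w+)\}", p)
        if params:
            item["parameters"] = [{"name": n, "in": "path", "required": True,
                                   "schema": {"type": "string"}} for n in params]
        paths[p] = item
    return {"openapi": "3.1.0",
            "info": {"title": "Discovered API", "version": "observed"},
            "paths": paths}


def sample_observed() -> List[dict]:
    """Constructed request/response records (not real traffic)."""
    return [
        {"method": "GET", "path": "/api/v1/users/42", "status": 200, "has_auth": True,
         "body": '{"id":42,"email":"bob@example.com"}'},
        {"method": "POST", "path": "/api/v1/login", "status": 200, "has_auth": False,
         "body": '{"token":"tok-abc123"}'},
        {"method": "DELETE", "path": "/api/v1/users/42", "status": 204, "has_auth": True,
         "body": ""},
        {"method": "GET", "path": "/api/v1/users/43", "status": 401, "has_auth": False,
         "body": '{"error":"unauthorized"}'},
        {"method": "GET", "path": "/api/v2/export/7c9e6679-7425-40de-944b-e07fc1f90ae7",
         "status": 200, "has_auth": False,
         "body": '{"email":"carol@example.com","card":"4111 1111 1111 1111"}'},
    ]


if __name__ == "__main__":
    shadow, exposure = findings(inventory(sample_observed()))
    print("undocumented operations:", shadow)
    print("unauthenticated sensitive data:", exposure)
    print(openapi_skeleton(shadow))
```

On the sample data the undocumented `DELETE /api/v1/users/{id}` is the kind of out-of-spec operation the third bullet talks about, while the `/api/v2/export/{id}` endpoint answers an unauthenticated request with an email address and a card number, which is both the poorly implemented authentication and the exposed sensitive data of the second bullet. Note that `/api/v1/users/43` answering 401 to the credential-less request is the expected outcome, so it is not flagged.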

As CMO of Cequence, I have the pleasure of seeing firsthand how our products help our customers discover the true size of their API footprint and assess and remediate risk, while continuously finding and blocking attacks, automation, business logic abuse and exploits natively and in real time. We believe these endorsements are great validation points for our customers, prospects, and team, in addition to creating a whole new cybersecurity category: API Security.

Read the 2021 Gartner Hype Cycle for Application Security here.


Gartner, Hype Cycle for Application Security, 2021, July 12, 2021, by Joerg Fritsch

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This graph was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Cequence.

GARTNER and Hype Cycle are registered trademarks and service marks of Gartner, Inc. and/or its subsidiaries in the United States and internationally and are used herein with permission. All rights reserved.

Are API Threat Protection and Bot Management related? appeared first on Cequence.

*** This is a syndicated blog from Cequence’s Security Bloggers Network written by Varun Kohli. Read the original post at: https://www.cequence.ai/blog/are-api-threat-protection-and-bot-management-related/