NEW TECH: Cequence Security’s new ‘API Sentinel’ helps identify, mitigate API exposures

By Byron V. Acohido

Application Programming Interfaces – APIs. Without them digital transformation would never have gotten off the ground.


APIs made possible the astounding cloud, mobile and IoT services we have today. This happened, at a fundamental level, by freeing up software developers to innovate on the fly. APIs have exploded in enterprise use over the past several years.

However, API deployments have scaled so high and so fast that many companies don’t know how many APIs they have, which types they’re using and how susceptible their APIs might be to being compromised.

Cequence Security, a Sunnyvale, Calif.-based application security vendor, today is launching a new solution, called API Sentinel, designed to help companies jump in and start proactively mitigating API risks, without necessarily having to slow down their innovation steam engine. I had the chance to discuss this with Matt Keil, Cequence’s director of product marketing. For a full drill down, please give the accompanying podcast a listen. Here are key takeaways from our conversation:

API 101

Digital transformation took off when companies discovered that instead of developing monolithic applications that were updated annually – at best – they could tap into the skill and creativity of their developers. This was possible because APIs – the conduits that enable two software applications to exchange information – are open and decentralized, exactly like the Internet.

APIs made it possible to create software applications using modular coding components, called microservices, that developers could mix, match and reuse inside of software containers. Each exchange of data is carried over an API.

That’s just during the software development phase. APIs come into play again when each new business and consumer app is put into service. Thousands of live APIs, accessible over the Internet, stand at the ready so that you and I can use our go-to smartphone apps. Even the ubiquitous web forms we use to log in and register are now supported by APIs calling back to a repository.

“Uber and Twitter are both very API driven,” Keil points out. “When you use your phone to sign-up for an Uber ride, a series of APIs pulls in your user information and connects to Google Maps to help the driver find you and give you a ride. And when you Tweet about an article or share information on Twitter, you’re very much using a series of APIs.”

Not only do APIs enable agile software development, and spiffy new apps, they also have come to saturate mission-critical enterprise operations. A great example of this, Keil points out, is the Open Financial Exchange (OFX), the data-stream format that enables wire transfers to be carried out across the Internet. “OFX is the financial service industry’s standard for transferring funds,” he says. “It’s a series of APIs that allow banks to connect to each other.”

API exposures

While APIs have many benefits, they also pose unprecedented risks. If this all seems too familiar, it should be. This is exactly what happened when the corporate sector gravitated to ARPANET, an open, decentralized experiment by the military and academia to remotely connect computers, and transformed it into the World Wide Web.

Cyber criminals are fully aware of the many new tiers of fresh attack vectors opened up by the scaled-up use of APIs. And professional hackers employed by the top hacking groups are looking to take full advantage – by training their well-honed tools and techniques on APIs. Cequence researchers recently discovered a stunning demonstration of the emergence of leading-edge API hacks. It takes some context to explain:

Consider two of the most basic information exchanges that happen on the Internet: viewing a webpage and filling out a webform, such as a logon window or shopping cart. To view a webpage, a visitor uses a simple GET query that travels over an API. By design, GET APIs can’t do very much. However, to fill out a webform a visitor uses a much more complex POST query via an API connection. POST APIs can run scripts.

GET and POST queries are the focal points of an entire sub-specialty of cybercrime. This is where threat actors deploy botnets to carry out automated business logic hacks such as account takeovers, web scraping and airline ticket spinning. The end game for the criminals is to get their malware to execute via the highly-capable POST API conduit. And so that’s where security detection tools are focused.

Very recently, the attackers started taking a new tack. One hacking group recognized that the latest mobile apps use a new, much more agile type of GET APIs. Cequence researchers watched as this group began targeting a few of these new GET APIs to see if they could get them to execute account takeover malware. As the GET API testing progressed, the group continued pounding away, as usual, with their traditional POST API hacks – releasing waves of account takeover attempts at the rate of 2.2 million malicious queries per week against one company.

However, once the new GET API attacks proved effective, the criminals did not hesitate making a shift. Their POST API hacks dropped off to 500,000 per week, while the new GET API account takeover attempts spiked to more than 50 million per week. “What we saw was a shift in the sophistication of the attackers,” Keil says. “They began probing and enumerating dozens of the newer GET APIs using the newly developed logic. We saw a 2,000 percent increase in GET-based account takeover attempts, while the well-defended POST-based attacks dropped off by 99 percent.”
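The shift Keil describes is easy to miss if a team only watches its POST login endpoint, because the number it tracks goes down. The following Python check is an added example (not Cequence’s code or API Sentinel’s detection logic) that counts authentication failures per endpoint across two weeks of constructed gateway log lines and reports GET endpoints that spike alongside the POST endpoint that drops; the log format, the 401/403 filter and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed gateway access-log lines (not real traffic): "<week> <method> <path> <status>".
def _lines(week, method, path, status, n):
    return [f"{week} {method} {path} {status}"] * n

SAMPLE_LOG = "\n".join(
    _lines("w1", "POST", "/api/v1/login", 401, 10)             # the well-watched login form
    + _lines("w1", "GET", "/api/v2/account/profile", 401, 1)   # first probe of a newer GET API
    + _lines("w1", "GET", "/api/v2/account/profile", 200, 3)
    + _lines("w2", "POST", "/api/v1/login", 401, 1)            # POST attempts fall away...
    + _lines("w2", "GET", "/api/v2/account/profile", 401, 12)  # ...while GET attempts spike
    + _lines("w2", "GET", "/api/v2/account/balance", 401, 8)
    + _lines("w2", "GET", "/api/v2/account/balance", 200, 2)
)

LINE_RE = re.compile(r"^(?P<week>\S+)\s+(?P<method>GET|POST)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")

def auth_failures_by_week(log_text):
    """Count authentication failures (401/403) per (week, method, path)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["status"] in ("401", "403"):
            counts[(m["week"], m["method"], m["path"])] += 1
    return counts

def pct_change(old, new):
    """Percentage change; an endpoint with no baseline counts as an unbounded increase."""
    if old == 0:
        return float("inf") if new else 0.0
    return (new - old) / old * 100.0

def detect_shift(counts, baseline_week, current_week, min_events=5, spike_pct=500.0):
    """Return (spikes, drops) between two weeks. Reporting both makes the migration
    visible: a quiet POST endpoint is not good news if the same failures reappear
    on GET endpoints nobody was watching."""
    keys = {(m, p) for (w, m, p) in counts if w in (baseline_week, current_week)}
    spikes, drops = [], []
    for method, path in sorted(keys):
        old = counts[(baseline_week, method, path)]
        new = counts[(current_week, method, path)]
        change = pct_change(old, new)
        if new >= min_events and change >= spike_pct:
            spikes.append((method, path, old, new, change))
        elif old >= min_events and change <= -90.0:
            drops.append((method, path, old, new, change))
    return spikes, drops

if __name__ == "__main__":
    spikes, drops = detect_shift(auth_failures_by_week(SAMPLE_LOG), "w1", "w2")
    for row in spikes: print("SPIKE", *row)
    for row in drops:  print("DROP ", *row)
```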

API footprint

APIs today are inadvertently exposing far too much sensitive data by opening up endless vectors for intruders to get in, escalate privileges and move laterally, while escaping detection. Cequence’s new solution, API Sentinel, is designed to help companies get a better handle on their API footprint.

“Knowledge is power; knowing what APIs you have out there is the first step in trying to rein them in and protect them,” Keil says. “But you don’t want to put all kinds of tools in front of the developers and hinder them. You want to let them do their work, and just help them uncover potential security risks — and then continually assess your API risk levels.”

API Sentinel’s functionalities can be grouped into three buckets, Keil noted. The first includes tools to go out and find all of the APIs and then commence monitoring usage patterns; the second has systems to determine the risk exposure of each API; and the third provides the ability to analyze each API in real time, based on a predetermined specification.
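To make the three buckets concrete, here is an added Python example (my own illustration, not API Sentinel’s implementation) that takes constructed gateway observations, matches each one against a constructed OpenAPI-style path list to separate documented calls from shadow APIs, and ranks every endpoint with a simple exposure score; the spec paths, observations, risk checks and weights are all assumptions.

```python
import re

# Constructed OpenAPI-style (method, path template) pairs; not a real specification.
SPEC_PATHS = [
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/login"),
]

# Constructed gateway observations: method, path, whether an Authorization header was sent, status.
OBSERVED = [
    {"method": "GET", "path": "/api/v1/users/42", "auth": True, "status": 200},
    {"method": "GET", "path": "/api/v1/users/42/export", "auth": False, "status": 200},
    {"method": "GET", "path": "/api/v0/users/42", "auth": False, "status": 200},
    {"method": "POST", "path": "/api/v1/login", "auth": False, "status": 401},
    {"method": "GET", "path": "/internal/debug/config", "auth": False, "status": 200},
]

def template_to_regex(template):
    """Turn /api/v1/users/{id} into a regex where each {param} matches exactly one path segment."""
    parts = [r"[^/]+" if re.fullmatch(r"\{[^/}]+\}", seg) else re.escape(seg)
             for seg in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

COMPILED_SPEC = [(m, template_to_regex(p), p) for m, p in SPEC_PATHS]

def match_spec(method, path):
    """Return the spec template an observed call belongs to, or None for a shadow API."""
    for m, rx, template in COMPILED_SPEC:
        if m == method and rx.match(path):
            return template
    return None

# (weight, reason, predicate over (observation, documented)); weights are illustrative assumptions.
RISK_CHECKS = [
    (3, "undocumented", lambda o, d: not d),
    (3, "served 200 without Authorization", lambda o, d: not o["auth"] and o["status"] == 200),
    (2, "legacy or internal path", lambda o, d: re.search(r"/v0/|/internal/|/debug/", o["path"]) is not None),
]

def risk_score(obs, documented):
    hits = [(w, why) for w, why, pred in RISK_CHECKS if pred(obs, documented)]
    return sum(w for w, _ in hits), [why for _, why in hits]

def inventory(observed):
    """Build the API footprint: each observed endpoint, its spec match and its score, riskiest first."""
    rows = []
    for obs in observed:
        template = match_spec(obs["method"], obs["path"])
        score, reasons = risk_score(obs, template is not None)
        rows.append({"method": obs["method"], "path": obs["path"], "spec": template,
                     "score": score, "reasons": reasons})
    return sorted(rows, key=lambda r: -r["score"])
```

Running `inventory(OBSERVED)` puts the undocumented `/api/v0/` and `/internal/` endpoints at the top, which is the kind of shadow-API list a gateway-level sensor is meant to surface.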

With an eye toward directing these new capabilities at the nerve center of API activity, Cequence has sought out partnerships with Amazon, Google and Salesforce to integrate API Sentinel into each of the tech giants’ respective API integration systems: Amazon API Gateway, Apigee and MuleSoft.

“This allows organizations to put sensors, if you will, where all of their APIs are going to flow through,” Keil says. “So even if the API has been published in the shadows, behind the scenes, we’ll be able to see that API traffic and begin tracking it because the API is communicating through the gateway.

“We’ll be able to see where the traffic is coming from — the different IP addresses, the different geographic locations, that type of thing. It’s going to give the security team a good visual indicator of what their API footprint is.”

Suffice it to say, API exposures across the corporate landscape today are pervasive – and will have to be comprehensively addressed. It’s encouraging to see the good guys continue to counterpunch, and even start to land effective jabs, like this. There’s a long way to go. I’ll keep watch.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.