Tag Archive for: API

Working at Cequence in 2022: World’s Most Comprehensive API Security Platform


With our recent round of funding, we have opened up numerous API security career opportunities around the world, both in-office (Sunnyvale, CA and Cincinnati, OH) and remote. You can review the available API security openings here. But before you do, I thought I would update my 2018 blog on what it’s like to work here.

Obviously, the biggest change between 2018 and now is the notion of “office or not.” We have always embraced remote working, although not as a formal policy. With the pandemic, we have formally embraced it – how many organizations can tell you that they have customer success engineers in both Anchorage, Alaska, AND Newfoundland, Canada?

The other significant change since 2018 is that we have added API discovery, inventory tracking, risk analysis, and remediation to our existing ML-based API threat protection, bringing to market what we consider the most comprehensive API Security Platform available. Why? Today, everything we do relies on APIs. Modern cars, your favorite mobile app, frequently used shopping sites, and finance management tools all use APIs as their underlying connective tissue to deliver an engaging end-user experience. For these same reasons, threat actors love APIs, with Gartner predicting that by 2022 API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications.

The expansion was easy for us – we have been protecting APIs for our F500 customers for years now, using patented, ML-based behavioral fingerprinting to natively detect and mitigate attacks and vulnerabilities hiding in plain sight among legitimate traffic. With our API Security Platform, customers can deploy runtime protection while also analyzing their APIs to uncover and remediate developer errors before they are exposed. Something we call Shielding Right While Shifting Left.

API Security is exploding and we are hiring staff for significant growth over the next few years. We are looking for talented individuals, working anywhere, who want to join a fast-paced organization to deliver and support the most comprehensive API security solution on the market. If the mission and culture I discuss below are a fit, then slip on over to the API Security careers


Developing Best Practices for API Security


APIs are pivotal to the overall success of a digital transformation. They allow developers to work across digital assets and across multiple systems with ease. More organizations are adopting API initiatives and are approaching digital transformations with an API-first attitude, according to a report from Google.

“Some 58% say top API initiatives emphasize speeding up new application development; 47% include creation of a developer platform among their core API projects; 32% are using APIs to develop B2B partner programs; and 10% are focused on monetizing APIs to unlock new revenue streams,” the report stated.

But with increased use of APIs comes increased security risks, largely because developers struggle with API security for mobile use. One major reason is that too many developers don’t follow security best practices in the design and development phases.

Two Levels of API Security

To create best practices for API security, developers need a better understanding of where the organization’s specific security pain points are. Sam Rehman, chief information security officer, EPAM Systems, said in an email interview that there are two specific areas to consider when thinking about and developing an API security best practices list: the strategic/design level and the tactical level.

“From a strategic/design level, APIs prioritize access and reusability,” Rehman explained. “It allows others to take advantage of what has already been built without reinventing the wheel. Then, they can build on top of what has already been tested, scaled out and, hopefully, properly managed.”

API designers want to create flexibility to enable API use for various purposes, so they focus on providing as many features and access points to the core functionality as possible. The design of the API also has to take into consideration the constant changes and upgrades necessary to deliver new features.

“Although this flexibility benefits many, it also creates an opportunity for attackers to exploit the system by using factors like multiple entry points and the large attack surface, for example. At the strategic and design level, flexibility and opportunities for attack act as opposing…


How API attacks work, and how to identify and prevent them


In early May, fitness company Peloton announced that it had exposed customer account data on the internet. Anyone could retrieve users’ account data from Peloton’s servers, even when those users had set their profiles to private. The cause: a faulty API endpoint that answered requests without requiring authentication.
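The failure mode described above, as an added example that is not Peloton’s code and is not drawn from the article: a profile endpoint written two ways. `vulnerable_profile` answers any caller with the full record, regardless of who is asking or whether the owner marked the profile private; `hardened_profile` first requires a valid bearer session and then only reveals a private profile to its owner. The users, tokens, field lists and privacy flag are constructed sample data, and the two handlers are hypothetical stand-ins for an HTTP route.

```python
"""Added example (not from the article or from Peloton): an API profile
endpoint with and without authentication and ownership checks.  All users,
sessions and field lists below are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    private: bool
    workouts: int


# Constructed sample users and bearer tokens (hypothetical values).
PROFILES = {
    1: Profile(1, "alice", private=True, workouts=42),
    2: Profile(2, "bob", private=False, workouts=7),
}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

# What a stranger may see versus what the owner may see.
PUBLIC_FIELDS = ("user_id", "name")
OWNER_FIELDS = ("user_id", "name", "workouts")


def serialize(profile, fields):
    return {f: getattr(profile, f) for f in fields}


def vulnerable_profile(request_headers, user_id):
    """The flaw as the article describes it: the handler never looks at the
    Authorization header and never consults the private flag, so any
    unauthenticated caller gets the full record for any user_id."""
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    return 200, serialize(profile, OWNER_FIELDS)


def hardened_profile(request_headers, user_id):
    """Authenticate the caller, then authorize the specific record."""
    auth = request_headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "authentication required"}
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, {"error": "not found"}
    if caller == profile.user_id:
        return 200, serialize(profile, OWNER_FIELDS)
    if profile.private:
        # Same response as a missing record, so a private profile's
        # existence is not leaked to other authenticated users.
        return 404, {"error": "not found"}
    return 200, serialize(profile, PUBLIC_FIELDS)


if __name__ == "__main__":
    print(vulnerable_profile({}, 1))                                    # leaks alice's private data
    print(hardened_profile({}, 1))                                      # 401
    print(hardened_profile({"Authorization": "Bearer tok-bob"}, 1))     # 404, not 403
    print(hardened_profile({"Authorization": "Bearer tok-alice"}, 1))   # owner sees everything
```

The hardened version makes two separate decisions, authentication (is there a valid session at all?) and authorization (may this session see this record?), because an API that only does the first is still open to one user enumerating everyone else’s private profiles by changing `user_id`.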

Application programming interfaces (APIs) allow for easy machine-to-machine communication. API use has seen explosive growth lately. According to Akamai, API communications now account for more than 83% of all internet traffic.

They’re also the cause of a lot of security issues. In addition to Peloton, other companies in the news recently for API-related cybersecurity problems include Equifax, Instagram, Facebook, Amazon and PayPal.

API use and attacks growing

According to a report released in February by Salt Security, 91% of companies had API-related security problems last year. Most common were vulnerabilities, cited by 54% of respondents, followed by authentication issues at 46%, bots at 20%, and denial of service (DoS) at 19%.


How API attacks are hamstringing mobile healthcare apps


The rise of API vulnerabilities in mobile healthcare apps

  • Reports find that mobile health apps leak sensitive data through APIs
  • By 2022, API attacks will no longer be infrequent but will become the most frequent attack vector for application breaches

The Covid-19 pandemic has accelerated the use of mobile healthcare apps and virtual care. As a result, the personal health data of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by Knight Ink and cybersecurity firm Approov.

Several widely used mobile health apps have basic security flaws that leave them vulnerable to attack, and the protected health information (PHI) they process, transmit and store is valuable enough that it is being sold on the dark web. Knight partnered with mobile security company Approov to hack 30 mobile health apps and highlight the threats they face through their APIs.

The findings were published in a recent report, “All That We Let In”. All of the apps were found to be vulnerable to API attacks, and some allowed access to electronic health records (EHRs). The 30 apps collectively expose 23 million mobile health users to attacks, Knight reported. Of the 30 apps tested, 77% contained hardcoded API keys, some of which do not expire according to the report, and 7% had hardcoded usernames and passwords.
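A hardcoded key or password ships inside every copy of the app, so anyone who unpacks the binary can reuse it against the API. The following is an added example, not code from the Knight Ink / Approov report (which does not publish its detection rules): a small scanner for the kinds of hardcoded credentials the report counted, run over constructed lines that stand in for a decompiled app’s string resources, a config class and a build script. The rule patterns, file names and every “secret” in the sample are this example’s own assumptions.

```python
"""Added example (not from the report): detect hardcoded API keys, cloud
access keys and username/password pairs in decompiled mobile-app sources.
The sample files and all credential values are constructed and fictitious."""

import re

# Constructed sample input: path -> lines, imitating strings.xml, a Java
# config class and a Gradle build file pulled from a decompiled APK.
SAMPLE_FILES = {
    "res/values/strings.xml": [
        '<string name="app_name">HealthTrack</string>',
        '<string name="api_key">sk_live_4f8a9c2e1b7d6e5f0a1b2c3d4e5f6a7b</string>',
    ],
    "com/example/net/ApiConfig.java": [
        'public static final String BASE_URL = "https://api.example.invalid/v2/";',
        'private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";',
        'String username = "svc_sync";',
        'String password = "Winter2021!";',
    ],
    "build.gradle": [
        'buildConfigField "String", "FEATURE_FLAG", "\\"beta\\""',
    ],
}

# Ordered rules (first match per line wins).  Each pattern captures the
# credential in a group named "secret".  Minimum lengths keep short enum
# values and placeholders from firing the generic rules.
RULES = [
    ("aws_access_key_id",
     re.compile(r"(?P<secret>\b(?:AKIA|ASIA)[A-Z0-9]{16}\b)")),
    ("generic_api_key",
     re.compile(r'(?i)\b(?:api[_-]?key|secret|token)\b.{0,40}?["\'>](?P<secret>[A-Za-z0-9_\-]{20,})["\'<]')),
    ("hardcoded_password",
     re.compile(r'(?i)\bpassword\b\s*=\s*["\'](?P<secret>[^"\']{6,})["\']')),
    ("hardcoded_username",
     re.compile(r'(?i)\busername\b\s*=\s*["\'](?P<secret>[^"\']{3,})["\']')),
]


def mask(value):
    """Keep a short prefix for triage, hide the rest in the report."""
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(path, lines):
    findings = []
    for lineno, line in enumerate(lines, 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"file": path, "line": lineno,
                                 "rule": rule, "value": mask(m.group("secret"))})
                break  # one finding per line; the most specific rule is listed first
    return findings


def scan_files(files):
    findings = []
    for path, lines in files.items():
        findings.extend(scan_lines(path, lines))
    return findings


def summarize(findings):
    """Count findings per rule, the way the report tallies apps per issue."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['rule']} {f['value']}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

Run against real unpacked app sources the rules will produce false positives (test fixtures, documentation examples), so the output is a triage list, not a verdict; the useful follow-up check is whether a found key still authenticates against the app’s API, which is what turns “hardcoded” into “exploitable”.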

Approov CEO and founder, David Stewart, explained that APIs are the communication channels between a mobile app and a cloud service, physical server, or hospital infrastructure. The threat to APIs is concerning as Gartner predicts that by 2022, API attacks will no longer be infrequent but will become the most frequent attack vector for application breaches. In healthcare, APIs will allow mobile phones to access patient X-rays, pathology reports, and allergy data, among other things. 

“There are plenty of mobile healthcare apps that may not be directly accessing the patient’s medical records, but they’re still accessing extremely sensitive information – like which prescriptions they…
