The rapid adoption of APIs to facilitate both digital transformation and the pandemic-related growth in online commerce has caused a rush to market. But as with all code produced and released in haste, there are frequent problems. Cyberattacks against APIs have become a growth area for cybercriminals.
Sunnyvale, Calif-based API security firm Cequence has raised $60 million in a Series C funding round led by new investor Menlo Ventures. Other new investors include ICON Ventures, Telstra Ventures and HarbourVest Partners, while existing investors Shasta Ventures, Dell Technologies Capital and T-Mobile Ventures also participated. This brings the total raised by Cequence to $100 million.
One of the difficulties with APIs is that companies easily lose sight of them. APIs are not published directly but are usually used as part of web or mobile applications. They can allow attackers access to the most sensitive parts of a company network, yet security teams have little visibility on them. Typical flaws may include broken authentication and authorization, a lack of rate limiting, and code injection vulnerabilities.
The Cequence API security solution has three basic phases: API discovery, possible abuse detection, and abuse mitigation.
Discovery is the initial first critical step: you cannot secure what you cannot see – and companies frequently don’t fully know their own inventory. “One customer, a top U.S. carrier, was simply seeking a better understanding of how APIs were being exposed by its customers,” Cequence CEO Larry Link told SecurityWeek. “The process was that APIs should be registered when invoked in code – a sort of self-policing approach. The carrier had approximately 2,000 self-registered APIs. But when Cequence checked, it found 18,000 APIs.”
Such ‘hidden’ APIs are not limited to carriers, but occur with most customers. “With one retail customer, the discovery phase uncovered instances of APIs that were initially deployed in a test environment and hadn’t been taken down. They became deployed as part of a Salesforce marketing relationship and were overexposing sensitive information. Anybody building a digital customer experience using APIs can lose track of them,” he continued.
The second phase is to analyze the traffic for abuse or flaws. A danger with APIs is that they are basically machine to machine with no direct human oversight, and potential access to confidential PII. This lends itself to automated and potentially large-scale but unseen attacks. For example, in one instance a customer had offered a limited edition of a product at a discount price. An ‘attacker’ took advantage of a rate limiting failure in the API and immediately bought the entire limited-edition stock for on-selling at an inflated price. Such incidents are not direct security incidents, but are unintended consequences of the way the API is written and could lead to reputational damage.
Cequence applies a series of tests to the APIs, checking authentication and whether it is leaking credentials or exposing confidential PII such as credit card numbers or social security numbers. The results of these tests allow Cequence to apply a risk rating of one to ten to each API. That data is passed to the security team, which is able to inform the API developer on what aspects need to be improved – or indeed, whether the API needs to be blocked immediately.
The fluid nature of APIs, which must change every time the associated application is modified, means that this type of continuous monitoring and assessment is essential.
Cequence was founded in 2014 by Ameya Talwalkar (chief product officer), Michael Barrett, (previously CISO, now CISO at Latch), and Shreyans Mehta (CTO). It raised $17 million in a Series B funding round in February 2019.
Related: The Next Big Cyber-Attack Vector: APIs
Related: UK-Based API Security Firm 42Crunch Raises $17 Million
Related: Mozilla Blocks Malicious Firefox Add-Ons Abusing Proxy API
Related: U.S. Postal Service API Flaw Exposes Data of 60 Million Customers