API Runtime Protection: Shields Right While Shifting Everywhere

September 26, 2022 | by Varun Kohli

API Runtime Protection - Shield Right

Over the course of the last two and a half years, we have evolved our runtime protection-based offerings to focus more broadly on the six phases of the API protection lifecycle. It’s been a rapid series of changes in a dynamic market that warrants a quick review to demonstrate how we have evolved to where we are today.

Humble Beginnings: Web App and API Runtime Security

The company was founded to solve the growing problem of automated attacks that were increasingly abusing APIs directly. Rather than follow the existing JavaScript and SDK instrumentation approach, which injected delays into development as well as page load times, Cequence took an agentless, ML-based approach to finding API attacks hiding in plain sight. By following an API-first approach, the solution can detect and mitigate bot attacks on APIs, web and mobile apps with the exact same policies to reduce management overload. Flexible, predefined mitigation options support real-time responses without the need to signal third-party security components. Customer wins at some of the world’s most prestigious brands confirmed that the API-first direction was well chosen.

Visibility, Inventory Tracking and Runtime Protection for APIs

In June of 2020, the Unified API Protection Solution expanded with API Sentinel, a perfect extension to the API-first direction we had chosen. API Sentinel added holistic API inventory and risk assessment features to the solution which immediately helped customers find and protect their APIs. Integration with a wide range of networking components (e.g., API gateways, CDNs, Service Mesh, proxies, load balancers) helps ensure that known and unknown, managed or unmanaged APIs are captured and tracked. Support for predefined and custom risk assessment rules helps customers uncover sensitive data, authentication or specification non-conformance related coding errors for production and non-production APIs. An API security report is generated by categorizing and flagging risks for rapid remediation by development. Solving enterprise customer compliance and API sprawl problems confirmed again that the solution is addressing critical API protection pain-points.

Attack Surface Management, API Visibility and Runtime Protection

The most recent addition to the Unified API Protection Solution is API Spyder, a highly innovative API attack surface management tool that gives customers the ability to better protect their APIs with an attacker’s view of their public-facing resources – without requiring any software installation or traffic redirection. Available solely as a service (SaaS), customers enter their web domain into the API Spyder portal and shortly thereafter see an API security report that categorizes exposed assets and services for remediation based on risk. Validating that API Spyder is solving customer problems, common discoveries include unapproved cloud resources, unpatched instances of Log4j and LoNg4j vulnerabilities, shadow APIs, non-production APIs publicly exposed and much, much more.

Unified API Protection Encompasses the Entire API Lifecycle

History has shown that the rapid adoption of a particular technology is followed by an equivalent growth in solutions designed to ensure the growing technology is protected. The pace of change often leads to understandable confusion for prospects, customers and other market participants.

Our market-defining Unified API Protection solution takes a holistic approach to defending against API-related risks, going beyond traditional, silo-based API security approaches that may focus solely on one aspect of the API protection journey. The problem with these approaches is that they don’t have a way to “know the unknown”, meaning they aren’t able to look for all APIs and associated vulnerabilities without knowing where to look. Even if all APIs are discovered and “known”, attackers can still leverage seemingly legitimate transactions in an attempt to steal data or commit fraud. Traditional approaches that use WAFs or API gateways depend on easily evaded detection, lack the real-time ability to discern good from bad API activity, and rely on static, least-common-denominator protection spread across multiple technology components.

Achieving true peace of mind for comprehensive API runtime security means addressing each of the six distinct phases associated with the Unified API Protection solution:

  • Outside-in discovery: Viewing an organization’s API attack surface from an attacker’s perspective to know the unknown.
  • Inside-out inventory: Performing a comprehensive API inventory, including all existing APIs and connections.
  • Compliance monitoring: Keeping APIs in compliance with specifications, standards, and regulations such as the OpenAPI Specification to ensure high coding quality, consistency, and governance.
  • Threat detection: Continuously scanning for attacks, including subtle business logic abuses and malicious activity that has not yet been observed.
  • Threat prevention: Employing countermeasures such as alerts, real-time blocking and even deception, without the need for added third-party data security tools.
  • Continuous testing: Integrating API protection into development with specific test cases, which shifts API security left within the organization so risky code doesn’t go live.

Unified API Protection is different from fragmented or incomplete API security offerings because it’s a methodology designed to account for multiple types of risk, across every phase of the API protection lifecycle.

Ready to learn more? Get a personalized Unified API Protection demo now.

Author: Varun Kohli, CMO
