Blog

Cequence Unveils Groundbreaking API Protection with Generative AI and No-code Security Automation

June 26, 2023 | 8 MIN READ

by Subbu Iyer


Enriches Unified API Protection with Advanced Fraud Prevention & Enhanced Testing Capabilities

APIs are the currency of business exchange, driving innovation and commerce. IDC estimates that up to 50% of enterprise revenue is enabled through APIs, translating, for example, to over $161 billion in telecom revenue the year before last. API security has consequently become a top-three business initiative for CISOs. The only way to defend is to outpace the adversary. We are pleased to announce several new capabilities that strengthen our customers' ability to discover their APIs, manage their risk and protect them. With the latest Unified API Protection platform updates, organizations can protect their users from online fraud, operationalize security findings with low-code/no-code, API SOAR-like workflows, and rapidly deploy API Security Testing with built-in Generative AI automation. These capabilities continue to set us apart from point API security, bot management, anti-fraud and WAF vendors: Unified API Protection is the industry's first and only platform that covers the entire API lifecycle.

API Security Testing with Generative AI

Given the enormous potential of Generative AI tools like ChatGPT and Bard, Cequence has added several new capabilities to our API Security Testing module that use Generative AI for test plan generation, a feature called Intelligent Mode. Other enhancements include detailed insights into test failures with remediation workflows, and out-of-the-box integrations with CI/CD systems such as GitLab, Jenkins, Harness and Bitbucket.

One of the pain points of any application security testing program is generating test cases tailored to the application under test, so that its business functionality is exercised before release to production. The problem is worse for API security testing because APIs vary widely, by technology (GraphQL, REST and others) and by business function (whether or not they expose sensitive data), among other dimensions.

Cequence now supports Intelligent Mode, which automates the generation of API security test plans from plain-English requests, extending the low-code/no-code approach to test case generation. For example, a security analyst can ask: "Generate a test plan for my Payments API to ensure PCI data compliance". Cequence then introspects the Payments API endpoints and their payload characteristics and associates the appropriate test cases with each endpoint for that compliance need. The resulting test plan can be exported as a Postman collection that the analyst wires into a CI/CD pipeline, or used in Cequence to test the pre-production API directly. For APIs without an OpenAPI/Swagger specification, Cequence can generate one dynamically from the runtime traffic observed for the production API. Note that a specification derived from traffic describes only the endpoints and payload shapes that were actually observed, so a test plan built on it should be reviewed for coverage before it gates a release.
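The paragraph above describes the pipeline in outline: introspect the API's endpoints and payload fields, attach the tests that a compliance goal calls for, and export the result as a Postman collection. The script below is an added example, not Cequence code, that performs the deterministic part of that pipeline for the "Payments API / PCI" request. It swaps a field-name heuristic in for the generative step (names that look like PAN, CVV, expiry or track data are treated as cardholder data), reads a constructed OpenAPI 3 fragment embedded inline, and emits a Postman v2.1 collection whose test script fails if an endpoint that handles card data returns an unmasked PAN. The spec content, host and field names are hypothetical.

```python
"""Added example (not Cequence code): introspect an OpenAPI spec, select the
operations that carry payment-card data, and emit a Postman collection whose
test asserts that no unmasked PAN comes back in the response."""
import json
import re

# Constructed OpenAPI 3 fragment standing in for a "Payments API" (hypothetical).
SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://payments.example.test"}],
    "paths": {
        "/v1/payments": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {
                        "card_number": {"type": "string"},
                        "cvv": {"type": "string"},
                        "amount": {"type": "number"},
                    }}}}},
                "responses": {"200": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {
                        "payment_id": {"type": "string"},
                        "card_number": {"type": "string"},   # echoes the PAN: a finding
                    }}}}}},
            }
        },
        "/v1/health": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
}

# Field names that indicate PCI cardholder data (PAN, CVV/CVC, expiry, track data).
PCI_FIELD = re.compile(r"(card_?num|\bpan\b|cvv|cvc|expir|track)", re.I)

def _property_names(schema):
    """Recursively collect property names from a JSON-schema object."""
    names = set()
    for name, sub in (schema.get("properties") or {}).items():
        names.add(name)
        names |= _property_names(sub)
    if "items" in schema:
        names |= _property_names(schema["items"])
    return names

def _schemas(op):
    """Yield ('request'|'response', schema) for every body schema of an operation."""
    for media in op.get("requestBody", {}).get("content", {}).values():
        yield "request", media.get("schema", {})
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            yield "response", media.get("schema", {})

def find_pci_endpoints(spec):
    """Return the operations whose request or response schema carries PCI-looking fields."""
    hits = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            req_fields, pci = set(), {"request": set(), "response": set()}
            for where, schema in _schemas(op):
                names = _property_names(schema)
                if where == "request":
                    req_fields |= names
                pci[where] |= {n for n in names if PCI_FIELD.search(n)}
            if pci["request"] or pci["response"]:
                hits.append({"method": method.upper(), "path": path,
                             "request_fields": req_fields, "pci": pci})
    return hits

def _sample_value(field_name):
    """Synthetic request values: a well-known test PAN for card fields, else a placeholder."""
    if re.search(r"card_?num|\bpan\b", field_name, re.I):
        return "4111111111111111"          # public test PAN, not a real card
    if re.search(r"cvv|cvc", field_name, re.I):
        return "123"
    return 1

# Postman test script: fail if any top-level response field holds an unmasked 13-19 digit PAN.
PAN_TEST = """
const body = pm.response.json();
const pan = /\\b\\d{13,19}\\b/;
const leaks = Object.entries(body).filter(([k, v]) => pan.test(String(v)));
pm.test("no unmasked PAN in response", () => pm.expect(leaks).to.be.empty);
"""

def build_collection(spec, name="PCI data exposure tests"):
    """Build a Postman v2.1 collection with one request and one test per flagged endpoint."""
    base = spec["servers"][0]["url"]
    items = []
    for ep in find_pci_endpoints(spec):
        body = {f: _sample_value(f) for f in sorted(ep["request_fields"])}
        items.append({
            "name": f"{ep['method']} {ep['path']}: no unmasked PAN in response",
            "request": {"method": ep["method"], "url": base + ep["path"],
                        "header": [{"key": "Content-Type", "value": "application/json"}],
                        "body": {"mode": "raw", "raw": json.dumps(body)}},
            "event": [{"listen": "test", "script": {"type": "text/javascript",
                                                    "exec": PAN_TEST.strip().splitlines()}}],
        })
    return {"info": {"name": name,
                     "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
            "item": items}

if __name__ == "__main__":
    print(json.dumps(build_collection(SPEC), indent=2))
```

Run it and feed the printed JSON to `newman run` against a pre-production host; the `/v1/health` operation is skipped because it carries no cardholder fields, while `/v1/payments` gets a request with a test PAN and a response check. In a real deployment the schema introspection would come from the traffic-derived or uploaded spec, and the field heuristic is exactly the piece a generative step replaces, which is why its output still needs a human review pass.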

This is a large improvement over manually assembled test plans, which are error-prone and require developers to know which security test cases apply to their APIs. It accelerates the adoption of API security testing: the security analyst no longer has to associate test cases with each endpoint by hand, and the application developer no longer has to work out which security tests must run before code moves from development into higher environments.

Cequence also now provides detailed insights into test failures, including the cause of each failure, and the results can be exported to third-party systems for remediation. Out-of-the-box integrations are available for several commercial CI/CD systems.


API Security Testing showing detailed actionable test failure insights

New Fraud Prevention Capabilities

To protect public-facing APIs against online fraud, such as payment or money transfer fraud, Cequence has introduced a new Fraud Prevention module in API Spartan. It lets organizations protect their users from online fraud and act instantly, blocking transactions suspected of fraud and notifying internal fraud teams of an active incident. This complements Cequence's existing ability to detect and block business logic abuse, account takeover (ATO) attempts, the OWASP API Security Top 10 risks and automated malicious traffic.

According to the FTC's fraud reports, consumers reported losing over $1.5B to fraud paid via bank transfer or payment in 2022, more than through any other payment method. Financial organizations can now use Cequence to detect and prevent such fraud in real time, inform the targeted users or customers, and alert their internal fraud teams.

Cequence includes a customizable rules engine in which fraud analysts define their own detection criteria. Fraud teams can also upload proprietary business datasets, such as lists of known rogue accounts or high-risk users, and rules can look them up at runtime; when a rule matches, remediation and alerts fire immediately. Notifications about a suspected fraudulent transaction carry enough detail for the fraud team to reconstruct the start and progression of the whole transaction during incident forensics.
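To make the mechanism concrete, here is an added example, not Cequence code, of a minimal runtime rules engine of the kind the paragraph describes: rules are plain predicates over a transaction event plus shared context (an uploaded rogue-account list and a sliding velocity window), the strongest matching action decides block versus alert, and every decision carries the evidence an analyst needs to replay the flow. The rule thresholds, account identifiers, IPs and transaction stream are all constructed for illustration.

```python
"""Added example (not Cequence code): a small fraud rules engine with
reference-data lookups, a velocity check and forensic evidence on each hit."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable

# Constructed "proprietary dataset": accounts a fraud team has already flagged.
ROGUE_ACCOUNTS = {"acct-9911", "acct-4420"}

@dataclass
class Context:
    """State the rules may consult: reference data plus per-account send history."""
    rogue: set
    window_s: int = 300                         # velocity window (illustrative)
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def velocity(self, account: str, now: int) -> int:
        """Number of prior transfers from `account` inside the window."""
        q = self.history[account]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q)

@dataclass
class Rule:
    name: str
    test: Callable[[dict, Context], bool]
    action: str                                 # "block" or "alert"
    severity: str = "high"

# Analyst-defined rules; thresholds are hypothetical.
RULES = [
    Rule("beneficiary_on_rogue_list", lambda e, c: e["to"] in c.rogue, "block"),
    Rule("high_value_new_device",
         lambda e, c: e["amount"] >= 5000 and e["device_age_days"] < 1, "block"),
    Rule("transfer_velocity",
         lambda e, c: c.velocity(e["from"], e["ts"]) >= 3, "alert", "medium"),
]

def evaluate(event: dict, ctx: Context, rules=RULES) -> dict:
    """Run every rule against one event; 'block' outranks 'alert' outranks 'allow'.
    Every hit is kept so the notification explains *all* reasons, not just the first."""
    hits = [r for r in rules if r.test(event, ctx)]
    ctx.history[event["from"]].append(event["ts"])    # record the attempt after evaluating
    decision = "allow"
    if any(r.action == "alert" for r in hits):
        decision = "alert"
    if any(r.action == "block" for r in hits):
        decision = "block"
    return {
        "decision": decision,
        "hits": [(r.name, r.severity) for r in hits],
        # Evidence carried in the notification so the fraud team can reconstruct the flow.
        "evidence": {k: event[k] for k in
                     ("tx_id", "ts", "from", "to", "amount", "ip", "device_age_days")},
    }

# Constructed transaction stream (ts = epoch seconds, IPs from documentation ranges).
EVENTS = [
    {"tx_id": "t1", "ts": 1000, "from": "acct-0001", "to": "acct-0002",
     "amount": 40.0, "ip": "198.51.100.7", "device_age_days": 90},
    {"tx_id": "t2", "ts": 1010, "from": "acct-0001", "to": "acct-9911",
     "amount": 120.0, "ip": "198.51.100.7", "device_age_days": 90},
    {"tx_id": "t3", "ts": 1020, "from": "acct-0003", "to": "acct-0002",
     "amount": 7500.0, "ip": "203.0.113.5", "device_age_days": 0},
    {"tx_id": "t4", "ts": 1030, "from": "acct-0001", "to": "acct-0004",
     "amount": 15.0, "ip": "198.51.100.7", "device_age_days": 90},
    {"tx_id": "t5", "ts": 1040, "from": "acct-0001", "to": "acct-0005",
     "amount": 15.0, "ip": "198.51.100.7", "device_age_days": 90},
]

def run(events=EVENTS):
    """Evaluate a stream in order with a fresh context; returns one decision per event."""
    ctx = Context(rogue=ROGUE_ACCOUNTS)
    return [evaluate(e, ctx) for e in events]

if __name__ == "__main__":
    for r in run():
        print(r["decision"], r["hits"], r["evidence"]["tx_id"])
```

On the constructed stream, t2 is blocked because its beneficiary is on the uploaded rogue list, t3 is blocked as a high-value transfer from a brand-new device, and t5 raises a velocity alert because acct-0001 has now attempted three transfers inside the window (blocked attempts count, which is deliberate). Evaluating before recording the attempt keeps the velocity rule from counting the current event against itself.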

Cequence has also added Proof-of-Work Captcha to API Spartan as a mitigation action. Instead of asking a human to solve a puzzle, it issues the client a cryptographic challenge that costs CPU time to answer, which deters automated or malicious clients from targeting the application. Traditional Captchas are routinely bypassed by bot operators and turn good users away through friction. Proof-of-work is a cost control rather than a hard barrier: the difficulty must be tuned so that a legitimate browser solves it in well under a second while a high-volume bot campaign pays a noticeable compute bill, and each challenge should be short-lived and single-use so that solutions cannot be precomputed or replayed.
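The following is an added example, not Cequence code, of the challenge-response the paragraph describes, in the hash-preimage form most proof-of-work captchas use. The server issues an HMAC-signed challenge carrying a nonce, a difficulty and an expiry, so it holds no state until a solution arrives; the client brute-forces a counter until SHA-256(challenge || counter) begins with `difficulty` zero bits; the server then checks the signature (so the client cannot lower the difficulty), the expiry, the work, and a one-time-use ledger against replay. The key, TTL and difficulty values are illustrative.

```python
"""Added example (not Cequence code): issue, solve and verify a hash-based
proof-of-work challenge with anti-tamper, expiry and replay protection."""
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)     # per-deployment secret; rotate like any HMAC key

def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the 'work' a solution demonstrates)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def issue_challenge(difficulty: int, ttl_s: int = 60, now=None) -> str:
    """Server side. Format 'nonce.difficulty.expiry.mac'; the MAC binds the
    difficulty and expiry so the client cannot weaken either."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16).hex()
    body = f"{nonce}.{difficulty}.{now + ttl_s}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}.{mac}"

def solve(challenge: str, max_iter: int = 1 << 32) -> int:
    """Client side: brute-force a counter. Expected cost is about 2**difficulty hashes."""
    difficulty = int(challenge.split(".")[1])
    for counter in range(max_iter):
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return counter
    raise RuntimeError("no solution within budget")

_spent = set()   # one-time-use ledger; in production a shared store with TTL = challenge TTL

def verify(challenge: str, counter: int, now=None) -> bool:
    """Server side: signature, freshness, work, then replay. Costs one HMAC and one hash,
    so verification stays cheap no matter how expensive solving is."""
    now = int(time.time()) if now is None else now
    try:
        nonce, diff, expiry, mac = challenge.split(".")
    except ValueError:
        return False
    body = f"{nonce}.{diff}.{expiry}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return False                  # forged or tampered (e.g. difficulty lowered)
    if now > int(expiry):
        return False                  # stale: blocks precomputed solutions
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if _leading_zero_bits(digest) < int(diff):
        return False                  # insufficient work
    if challenge in _spent:
        return False                  # valid solution presented twice
    _spent.add(challenge)
    return True

if __name__ == "__main__":
    ch = issue_challenge(difficulty=18)
    t0 = time.perf_counter()
    c = solve(ch)
    print(f"solved in {time.perf_counter() - t0:.2f}s, counter={c}, valid={verify(ch, c)}")
```

Each additional bit of difficulty doubles the client's expected work while leaving verification constant, which is the asymmetry that makes the scheme useful; measuring solve time on a representative low-end device is how the difficulty gets tuned. Binding the challenge to the session or request it protects (for example by mixing the session ID into the MACed body) is the natural next step if solutions must not be transferable between clients.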


Notifications View in Cequence’s new Fraud Prevention module

Low-code/No-code Security Automation

To operationalize API protection, organizations must integrate security findings with their internal applications to generate alerts, notifications or other custom workflows that inform their application and operations teams. Security analysts may need such workflows for new threat detections, for new security risks found in production or in CI/CD pipelines, or when policies created to catch high-risk incidents fire.

Cequence is excited to announce out-of-the-box integrations with over 300 third-party apps, including ServiceNow, PagerDuty, Jira, Slack and others. With these off-the-shelf connections, security analysts can ensure that risks and threats are routed promptly to the right business teams for remediation.

Within Cequence, security analysts can use a low-code/no-code approach to build the equivalent of an API-focused Security Orchestration, Automation and Response (SOAR) workflow, wiring together several third-party connections to reach the desired outcome. Analysts with no coding experience can create such workflows, test them and deploy them to production quickly. One zero-code workflow that can be assembled in minutes: when sensitive data exposure is detected on a shadow API, log a Jira ticket, automatically restrict access to the offending API to internal applications only, and email the developer or business owner of the API about the finding.

API protection owners can use this approach to operationalize workflows that promptly remediate critical API security risks: discovery of a shadow API with access to sensitive data, new findings of weak authentication or non-conformance to the OpenAPI specification in pre-production CI/CD pipelines, or an active attack on a mission-critical production application.


Out-of-the-box Integrations with 300+ 3rd-Party Apps for Notification Workflows

Rapidly Integrate with any Network Technology or Cloud Provider with Passive Integrations

Cequence now supports REST API-based passive network integrations, so it can be fed from any network component, such as a CDN, API gateway, proxy or load balancer, without adding latency to the application path.

Organizations can integrate their CDN or API gateway passively using whatever out-of-band hook the platform natively supports, such as Lambda@Edge functions (CloudFront), Lua plugins (Kong), Service Callouts (Apigee), custom policies (MuleSoft) or Workers (Cloudflare). Cequence provides detailed integration guides for popular CDNs and API gateways, and custom integrations for any other network technology can be built on the Cequence Traffic Ingestion REST API. Whichever hook is used, it should forward traffic asynchronously (fire-and-forget) so that a slow or unreachable collector neither adds latency to nor fails the client request.

The Cequence UAP solution can now discover the runtime API inventory instantly through integrations with cloud providers, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). This gives customers a frictionless way to build out their inventory and to realize the benefits of the Unified API Protection platform. New enhancements to API Spyder help customers identify APIs that are externally reachable but not fully covered by their Cloud Security Posture Management (CSPM) controls. This complements API Sentinel's deep runtime API inventory and its compliance checks against the OWASP API Security Top 10 and custom risk categories.

All of the features above help organizations accelerate both trials and production deployments of Cequence without requiring changes to their network or applications.

Request a Demo

To learn more about the new capabilities in Unified API Protection v3, request a demo. We would be happy to show you these new capabilities.


Author

Subbu Iyer

Vice President of Product Management

Subbu Iyer is VP of Product Management at Cequence and drives product innovation by bridging customer needs with engineering and data science. With extensive experience at Oracle, Bluebox Security, and Zscaler, Subbu shapes Cequence's API security strategy.
