Hand Sanitizer Samples, Face Masks and API Security: An RSA 2020 Recap

March 2, 2020 | by Subbu Iyer

RSA 2020

RSA 2020 wrapped up last week, bringing to an end countless networking events, customer and prospect meetings, and a series of great sessions and keynotes on cybersecurity. Outside of the meetings we had, RSA 2020 will be remembered for the ubiquitous face masks in the city and hand sanitizer samples given away at almost every nook and corner of the conference, for obvious reasons.

A few of the more notable technology trends observed at the conference include an expansion of how AI and ML are being used to accomplish a wider range of security use-cases; tighter integration between security management and analytics solutions; and the arrival of Privacy Ops as a major cybersecurity requirement.

In our conversations with customers, prospects and analysts, the topic that garnered the greatest interest and was top of mind for CISOs was API Security. For years, securing APIs has been talked about as a cool technology use-case, though what “securing” means has been ambiguous, to say the least, depending on whether you spoke to an Identity Provider, WAF or API Management vendor.

In our meetings, CISOs cited the following reasons for prioritizing API security as one of their top 2020 initiatives:

  • Enterprises are at the point where they have at least one digitally transformed application developed with an API-first approach. In many cases, these applications are distributed globally, hosted in multiple data centers and serve customers, partners and internal teams alike.
  • Enterprises have maintained a multi-cloud strategy for years to avoid getting locked into a single vendor. This has gotten them to a situation where they now have crown-jewel applications (and the supporting APIs) spread across AWS, Azure and GCP, as well as Alibaba for organizations that do business in China.
  • APIs have been developed organically by application development teams to serve other internal teams, partners and customers. The lack of visibility into these APIs and their usage patterns is now a critical concern for CISOs due to the growing frequency of API breaches.

The CISOs we talked to have evaluated WAFs, API management vendors and a host of specialist API security vendors. Here’s a list of what they need in API security:

  1. Continuous Visibility and Alerting: Monitor the entire API attack surface of customer-facing, B2B and internal APIs and alert security teams of anomalies or threats detected in real-time.
  2. Vulnerability Protection: Protect APIs from vulnerability attacks that may target the underlying application layer (e.g. SQL injection or XSS), or vulnerabilities in the Swagger/OpenAPI specifications.
  3. Business Logic Abuse Protection: Protect APIs from attackers who commonly use automated toolkits and botnets to find and exploit business logic vulnerabilities. Recent API breaches have originated from exploiting hidden parameters, sensitive data leakage in error messages or responses, and weak access control in API implementations.
  4. Threat Prevention: Prevent threats such as the OWASP API Top 10, Web Top 10, or sensitive data leakage from APIs.
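Item 3 above names three recurring breach causes: hidden parameters, sensitive data leaking in error messages or responses, and weak access control in the API implementation. The following is an added example, not code from the Cequence post or product, showing what those defects look like in a minimal account-lookup handler, the same handler hardened, and a small response check of the kind a monitoring layer would run to flag leaked internals. The request type, the in-memory account table and the `debug` parameter are all constructed for the illustration; the caller's identity is assumed to have been verified upstream.

```python
"""Added example (not from the post): weak object-level access control and leaky
error responses in an API handler, the hardened form, and a leak check on responses."""
import re
from dataclasses import dataclass

# Constructed sample data: account records keyed by id, each owned by one user.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00, "card": "4111111111111111"},
    "1002": {"owner": "bob", "balance": 9000.00, "card": "5500000000000004"},
}


@dataclass
class Request:
    user: str            # authenticated caller (assumed verified by an upstream gateway)
    account_id: str      # path parameter chosen entirely by the caller
    debug: bool = False  # hypothetical undocumented ("hidden") query parameter


def lookup_vulnerable(req: Request):
    """Authenticates the caller but never checks ownership, so any logged-in user
    can read any account id. A lookup failure leaks implementation details, and
    the undocumented debug flag returns the whole record."""
    try:
        acct = ACCOUNTS[req.account_id]
    except KeyError as exc:
        # Leaks exception type, the failing key and a function name to the client.
        return 500, {"error": f"KeyError {exc} in ACCOUNTS lookup at lookup_vulnerable"}
    if req.debug:
        return 200, dict(acct)
    return 200, {"balance": acct["balance"], "card": acct["card"]}


def lookup_hardened(req: Request):
    """Object-level authorization plus minimal, non-leaking responses."""
    acct = ACCOUNTS.get(req.account_id)
    # Same 404 for "missing" and "not yours", so ids cannot be enumerated by
    # telling the two cases apart; no undocumented parameters are honoured.
    if acct is None or acct["owner"] != req.user:
        return 404, {"error": "not found"}
    # Only the fields the client needs; the card number is masked server-side.
    return 200, {"balance": acct["balance"], "card_last4": acct["card"][-4:]}


# Patterns a response monitor can apply to outgoing bodies. Both are deliberately
# simple; a real deployment would use a fuller set plus Luhn validation for cards.
LEAK_PATTERNS = {
    "stack_trace": re.compile(r"\b(Traceback|KeyError|Exception|at [\w.]+\()"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def leaked_fields(body: dict) -> list:
    """Return the names of leak patterns that match anywhere in a response body."""
    text = " ".join(f"{k}={v}" for k, v in body.items())
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text))


if __name__ == "__main__":
    for handler in (lookup_vulnerable, lookup_hardened):
        for req in (Request("bob", "1001"), Request("bob", "9999"), Request("alice", "1001")):
            status, body = handler(req)
            print(handler.__name__, req.user, req.account_id, status, leaked_fields(body))
```

Run stand-alone, the script prints one line per handler and request; the vulnerable handler hands bob alice's card number and returns a stack-trace-style error for an unknown id, while the hardened handler returns a bare 404 in both cases and a masked record to the real owner. The `leaked_fields` check is the response-side half of the "sensitive data leakage" monitoring the list asks for: it runs on what leaves the API, independent of which handler produced it.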

Cequence protects APIs and web applications from business logic abuse like account takeovers, credential stuffing and content scraping. Our financial services, retail and social media customers are processing billions of requests each day, including large 5-10X spikes in traffic on Black Friday and other holidays. Our discussions at RSA are consistent with what we’re finding at each of our deployments where we’ve been seeing a steady increase in usage of APIs and attacks against them.

We’re also thrilled and honored that this week, Cequence received the 2020 SC Magazine Trust Award for Best Application Security Product. This is a testament to our growing product leadership in the Application Security market.

Author: Subbu Iyer, Vice President of Product Management