SINET16 Innovators Award Validates API Security and Bot Management Belong Together

September 28, 2021 | by Ameya Talwalkar

I am very pleased to see Cequence Security chosen from a field of 190 different vendors as one of the sixteen SINET16 Innovators award winners. The stringent selection process involves an in-depth application that is then put through two rounds of analysis by 100+ tech-savvy judges who look at how the applicant security innovations are solving problems for enterprise-class customers. I cannot speak to why the other vendors were selected as winners, but I believe we were selected because we are addressing the API security challenge with the only platform that unifies API security with bot management. Our approach has been validated in some ways by Gartner as the only vendor mentioned in the Application Security Hype Cycle report for both the API Threat Protection and Bot Management categories. Every day we are analyzing more than 2 billion API transactions for large, Fortune 500 class customers, helping them discover and inventory all of the APIs, analyze and remediate their risks while protecting them from automated attacks.

API Security Starts With Shielding Right

Bad actors love APIs because they are easier to attack than a web app. Further simplifying malicious API abuse are those that are left unprotected (shadow) or have coding errors found in the wild. Our platform is built with the assumption that bad actors know how to make API transactions appear to be legitimate, easily bypassing JavaScript and SDK-based prevention tools and other common security infrastructure tools (e.g., firewalls, IPS, WAFs, Security Gateways, and fraud tools). Our unique ML-based approach to prevent fraud and data loss caused by API-based business logic abuse is founded in CQAI engine, a multi-dimensional, machine learning analytics engine that finds and characterizes your APIs. The CQAI traffic analysis is based on the tools, infrastructure, credentials, and behaviors seen in each transaction, differentiating between human vs. machine interaction and malicious vs. legitimate intent. The result of the analysis is a Behavioral Fingerprint that is used in policy to shield right by preventing API-based attacks.

Shield Right to Strengthen Shift Left

As the use of APIs exploded, we leveraged our API protection expertise to add risk analysis and remediation capabilities to the platform. All APIs are analyzed by API Sentinel – those with specifications and those without – for common errors like poorly implemented or inconsistent authentication; unmasked or unencrypted sensitive data; and specification conformance. Custom risk assessment rules allow our users to create unique criteria that will uncover additional risks which can then generate remediation alerts to help improve shift left efforts – all without placing an added burden on the development teams.

Easy to Deploy, Scalable, and Open Platform

The SINET16 submission included multiple examples of how we help large, enterprise customers protect their APIs. Our ability to help these customers is predicated both on the functionality but also on multiple platform specific factors:

  • Ease of deployment: A modern, Kubernetes-based architecture allows the platform to be deployed in any environment – datacenter, public cloud, SaaS, or hybrid. Most customers are choosing to use the SaaS deployment model which can be enabled in less than an hour by making a few CDN configuration changes to redirect selected traffic.
  • Scalability: The platform architecture is modular, allowing the computationally intensive analysis to be deployed separately, while the enforcement elements are deployed nearer the application. To accommodate traffic spikes caused by high-volume attacks or legitimate users, the platform leverages autoscaling to expand and contract capacity as needed.
  • Open and Easy to Integrate: The platform boasts an easy-to-use management interface for fingertip access to findings and policies. Users have full control over their environment with assistance from Cequence on an as-needed basis. A rich set of REST APIs facilitates integration into existing IT infrastructure elements including inbound threat feeds, CI/CD tools, API management components, and SEIM/SOAR offerings.

The vast majority of the startups in the API security market are approaching the API security challenge by focusing on discovery and testing tools that help dev teams find and remediate security gaps in APIs before they are published. In many ways, they are augmenting the security focus found in the shift left methodology. Although some API security vendors claim shift left is failing (so you should use their tools), we believe shift left is working. However, without a strong protection or shield right posture, a correctly coded API is still susceptible to an automated attack, something we see every day in our customer environments. The SINET16 Innovators award is further validation of our vision that the API threat prevention and bot management market segments will, and should merge.

Ameya Talwalkar

Author

Ameya Talwalkar

President, Chief Executive Officer & Founder

Additional Resources