API Abuse
Identifies and protects your APIs from automated attacks and business logic abuse.
APIs bring the advantages of ease of use and flexibility to the attacker community, allowing them to easily execute account takeovers, credential stuffing, fake account creation or content scraping. Navigating the API security landscape can be confusing – critical capabilities include visibility, protection from automated attacks and vulnerability exploits.
In one example of an API-based attack against a financial services mobile application, bad actors decompiled the mobile application to (1) discover the account login APIs. An automated attack was then executed against the login API (2), and if it succeeded the bad actors attempted to commit financial fraud by transferring funds (3) across the Open Funds Transfer (OFX) API.
Automation allows a bad actor to launch enumeration attacks directly against the application APIs, as shown in the Prying-Eye vulnerability, where a bot cycles through (enumerates) numeric meeting IDs and discovers the valid ones. If users follow the common practice of disabling security functionality, the bad actor would then be able to view or listen to an active meeting. Other examples include using automation to discover valid gift cards or shipping confirmations.
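As an added illustration of the enumeration pattern described above (this is not code from the original page or from Cequence), the following Python detection runs over a few constructed API access log lines and flags clients that walk many distinct numeric meeting IDs in a short window while rarely hitting a valid one; the log format, the `/api/v1/meetings/<id>` path and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access log (not real traffic): client IP, timestamp,
# method, request path carrying a numeric meeting ID, HTTP status code.
SAMPLE_LOG = """\
203.0.113.7 2024-01-10T10:00:00Z GET /api/v1/meetings/100000001 404
203.0.113.7 2024-01-10T10:00:01Z GET /api/v1/meetings/100000002 404
203.0.113.7 2024-01-10T10:00:01Z GET /api/v1/meetings/100000003 404
203.0.113.7 2024-01-10T10:00:02Z GET /api/v1/meetings/100000004 200
203.0.113.7 2024-01-10T10:00:02Z GET /api/v1/meetings/100000005 404
203.0.113.7 2024-01-10T10:00:03Z GET /api/v1/meetings/100000006 404
198.51.100.4 2024-01-10T10:00:00Z GET /api/v1/meetings/555123456 200
198.51.100.4 2024-01-10T10:05:00Z GET /api/v1/meetings/555123456 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ID_RE = re.compile(r"/meetings/(\d+)$")  # assumed path layout

def parse(log_text):
    """Yield (ip, timestamp, meeting_id, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, _method, path, status = m.groups()
        idm = ID_RE.search(path)
        if not idm:
            continue
        yield ip, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(idm.group(1)), int(status)

def detect_enumeration(log_text, window=timedelta(seconds=60), min_ids=5, max_hit_rate=0.5):
    """Return {ip: (distinct_ids, hit_rate)} for clients that, within one sliding
    `window`, requested at least `min_ids` distinct meeting IDs and got a valid
    meeting (HTTP 200) for at most `max_hit_rate` of them. A legitimate client
    looks up a few IDs it already knows; an enumerating bot walks many and misses."""
    events = defaultdict(list)
    for ip, ts, mid, status in parse(log_text):
        events[ip].append((ts, mid, status))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            win = evs[start:end + 1]
            ids = {mid for _, mid, _ in win}
            if len(ids) < min_ids:
                continue
            hit_rate = len({mid for _, mid, st in win if st == 200}) / len(ids)
            if hit_rate <= max_hit_rate and (ip not in flagged or len(ids) > flagged[ip][0]):
                flagged[ip] = (len(ids), hit_rate)  # keep the widest offending window
    return flagged
```

A flagged client is the input to the kind of policy decision the page lists later (block, rate limit, or a deceptive response), rather than a verdict on its own.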
Researching API security can be confusing with four distinct solution groups, each addressing specific challenges.
In many cases, customers will use multiple offerings from the mix of API security providers.
An agentless, ML-based approach helps you decrease your API attack surface and quickly prevent automated bot attacks and API abuse.
CQAI and Bot Defense automatically discover API-based endpoints for web and mobile applications, building an intuitive site map for visibility and policy-based protection. JavaScript and mobile SDK-based instrumentation cannot be implemented consistently on APIs, exposing security gaps.
Using more than 150 customizable automation indicators, CQAI determines the malicious or benign intent of each API transaction request. The REST API can be used to export CQAI findings to external systems for archiving, additional analysis or an alternative response.
Using over 150 customizable automation indicators, CQAI determines the intent of each transaction request. Customizable mitigation policies provide multiple response options (block, rate limit, geo fence, deception). Deception sends a custom response to the attacker to prevent attack retooling.
As new APIs and public-facing applications are deployed, they are automatically discovered and protected, effectively baking security into your application deployment workflow.
Bot Defense uses a single, consistent security policy to protect your API and web applications so you can unify protection for your public-facing applications and defend against API abuse.
A container-based software architecture allows Bot Defense to be deployed in your data center, in the cloud or as a SaaS offering, so you can choose the architecture that best fits your needs.
Eliminate application security gaps by protecting APIs and web applications from automated attacks and vulnerability exploits with a consistent security policy.
Deep behavioral analysis of the user intent by CQAI means fraudulent API activity is detected more quickly and consistently than competitive offerings. More rapid discovery translates into reduced incident response time.
Customizable automation indicators and responses enable you to fine tune and maximize attack prevention policies to eliminate fraud associated with scraping.
With REST APIs and an open architecture, you can ensure information is shared with third-party sites and other IT infrastructure such as SIEMs and SOC systems.
Every day, Cequence Security analyzes and protects billions of application transactions for customers in the financial services, retail, and social media industries.
Browse our library of datasheets, research reports, blogs, and archived webinars to learn more about our Application Security Platform.
Start preventing fraud caused by account takeovers and API business logic abuse now.