API Discover & API Inspect promise to help enterprises combat Shadow APIs
Data Theorem recently launched two new API security products: API Discover, which helps enterprises combat what have become known as Shadow APIs (rogue APIs that developers publish without proper enterprise security vetting and that go undetected by today’s legacy security tools), and API Inspect, which provides a continuous and automated security verification service to ensure the real-world operations of APIs always match their intended specs. We talked to Doug Dooley, Data Theorem’s COO, about all this and more.
JAXenter: This is the first time we have spoken. Can you give our readers a brief overview of Data Theorem?
Doug Dooley: Yes, I would be happy to. Data Theorem was founded back in 2013 by Himanshu Dwivedi, who is a 20+ year veteran in the security industry going back to his days as a security researcher at @stake, as one of the co-founders of iSEC Partners, and as an author of six security hacking books. Data Theorem was founded to analyze and secure any modern application – anytime and anywhere. We started by building our Analyzer Engine, which is the industry’s only solution that allowed companies to build safer apps that protected data better by applying dynamic run-time analysis on a continuous basis in search of security flaws and data privacy gaps. Also, we delivered an open-source SDK called TrustKit in 2015, which enables companies to build safer apps that protect data better from SSL Man-in-the-Middle attacks.
In fact, since TrustKit’s release in 2015, we announced it had identified more than 100 million eavesdropping attempts on iOS and Android applications as of June 28, and when active mode has been turned on TrustKit has blocked 100 percent of those attempts. As an update, TrustKit has now seen more than 300 million eavesdropping attempts with its growth continuing to accelerate at a rapid pace. Today we are the company that analyzes and secures any modern application – anytime and anywhere – with our expanded AppSec functionality expanding beyond mobile apps.
JAXenter: And can you tell us about the solutions you have recently launched?
Doug Dooley: Yes, we just launched two new API security products, which are the first of their kind in the industry.
First, API Discover works with public cloud accounts within AWS today, and with Google Cloud and Azure coming in future releases. API Discover continuously finds new APIs and changes to existing APIs. The service generates a Swagger or OpenAPI 3.0 specification if one does not exist. This helps enterprises combat what has been known as Shadow APIs, rogue APIs developers publish without proper enterprise security vetting that go undetected by today’s legacy security tools.
Also, our new API Inspect solution provides a continuous and automated security verification service to ensure the real-world operations of APIs always match their intended specs. If any discrepancies are found between the API spec and its operation, a policy-based alert is triggered to notify customers of potential security violations. Depending on the severity of the API issue found, a security task is created to guide customers on how to best remedy the problem.
JAXenter: Why is this type of solution important to the industry?
Doug Dooley: Today’s Agile and Serverless application frameworks – such as Amazon Lambda, Google Cloud Functions, and Azure Functions – allow developers to create and deploy modern apps faster and cheaper with less guidance from architects. As empowering as this modern app development has become, it has significantly lowered the skills needed to build new apps with global scale. These newer apps share data broadly using APIs, fueled heavily by mobile apps, modern SDKs, and IoT apps.
But this rapid development has created significant security issues, since it is more difficult to quickly discover APIs being published and used, especially when built upon serverless application frameworks. These new apps often have API services, such as mobile SDK access for analysis and information retrieval, that enable unintended data loss due to outdated TLS encryption support and lack of proper authentication. And until our launch, there was no solution available to detect these API security issues.
JAXenter: Aren’t there already solutions out there doing this very thing?
Doug Dooley: Not at all. Just think: this year already there have been more than a half dozen headlines of data breaches where APIs were listed as the exploited mechanism to illegally extract data. This is because Shadow APIs are hidden from the view of traditional security tools and API gateways. These undiscovered APIs often run on ephemeral infrastructure in the public cloud.
These APIs can be hard to find and legacy security tools don’t provide insight or protection. Before this launch, any API built by development teams that contained critical business data and operated on ephemeral app frameworks posed a significant risk.
JAXenter: What are the specific benefits developers can expect in using the new solution?
Doug Dooley: Our API Discover allows security and operations teams to discover Shadow APIs in public cloud environments. API Discover tracks Shadow APIs and engages API Inspect for analysis. Our API Inspect continuously conducts security assessments on API authentication, encryption, source code, and logging. It ensures the operational functions of developers’ APIs match their respective definitions.
API Discover and API Inspect work together to bring visibility to Shadow APIs and ensure that security standards are being met. Now developers have automated API discovery and security assessment seamlessly integrated into their DevOps practices and continuous integration/continuous delivery (CI/CD) processes to protect any modern app. Developers have assurance knowing that the apps they use and develop will be fully vetted and will not cause a security issue for their organizations.
JAXenter: Who is the typical customer for this type of solution?
Doug Dooley: Any organization with a team developing apps using today’s modern infrastructure, and as a result creating the risk of Shadow APIs, will benefit from Data Theorem. As an example, a small snapshot of our customers using Data Theorem in their production environments includes Evernote, Netflix, RingCentral, and WildFlower Health.
JAXenter: Can you describe a common use case?
Doug Dooley: Here are two common use cases where our customers have asked us for help. The first is the need for security tools that enumerate and inspect APIs used by their mobile applications. The Data Theorem Analyzer Engine has a wealth of information on the security of mobile applications found during dynamic run-time analysis. Our new product called API Inspect leverages our Analyzer Engine to offer deeper inspection, protection, and guidance on how to keep those backend APIs running as intended.
The second use case customers have asked us to help with is to conduct an API gateway cross-check to ensure they have greater visibility into data leaving their organizations without proper security and compliance vetting. Some of our customers use third-party API gateways primarily for legacy apps deployed inside their private datacenters. As the shift in new apps moves to the cloud, CISOs are realizing these legacy gateway products are poorly suited to enforce cloud-published APIs that must connect through them. By default, these modern APIs are published directly to the Internet and/or through a cloud-native API gateway from Amazon, Google, or Microsoft. Therefore, our API Discover product will be granted access to a customer’s AWS environment, discover a variety of APIs, and cross-check to see if their third-party API gateways have all of those APIs covered. If their API gateway isn’t aware of one, then we have discovered a Shadow API incident that needs to be assessed by our API Inspect product to close the loop on its operation.
JAXenter: What can we expect to see from Data Theorem in the future, say in 2019?
Doug Dooley: Data Theorem is committed to helping customers secure their modern applications and today we see mobile and APIs as a big surface area where our customers look to us for assistance. Serverless apps represent a newer area that will experience some growing pains, but we are bullish in this area because it significantly simplifies scaling apps and lowers the cost by never charging for application idle time.
JAXenter: It has been great chatting with you. Is there anything I should have asked, or anything you want to add before we wrap up?
Doug Dooley: Besides getting the word out to developers, what does Data Theorem want your readers to know? We are growing fast and hope to find talented people who care about AppSec, DevOps, and/or automation. Come to our website and check out the careers area for more information about opportunities to work with our team in our offices in Palo Alto, Paris, or New York.