Data Theorem: API Security from Mobile to Serverless
Meanwhile, Gartner reports a growing concern with API security, noting a 30% year-on-year increase in client inquiries on the topic. It has predicted that by 2022, API abuses will be the most-frequent attack vector for breaches to enterprise web applications.
Palo Alto, California-based Data Theorem is taking on the issues with API security using a DevOps approach. The company originally focused on API security for mobile apps, but in the past year has been building out capabilities to secure serverless APIs.
“Our business is about preventing data breaches at the application level,” said Doug Dooley, chief operating officer at Data Theorem.
“Our mission is to help the security team have a seat at the table of the DevOps team and not throw wet blankets on big ideas and capabilities that allow DevOps to run really fast, but provide the protection and guardrails to build even faster. …Adding security automation without burdening the system and slowing down their progress.”
Research the company commissioned from the Enterprise Strategy Group found organizations moving to implement security into DevOps practices, with automation becoming the standard approach. However, in a survey of 371 IT and cybersecurity professionals, only 8% report their organizations secure 75% or more of their cloud native applications via DevSecOps practices and only 39% of respondents report that members of their cybersecurity team are involved with more than half of cloud native application projects today.
“If you have an Agile environment, we believe you need a continuous monitoring and security analysis system that’s hooked into your DevOps process to not only find security issues quickly, but to provide clear guidance and even auto-remediation functions to correct those issues,” Dooley said.
Automated Analyzer Engine
The company has one core technology, a proprietary analyzer engine, with its products on top built around different use cases. It’s a pure SaaS offering.
- App Secure: Continuous scanning and monitoring for vulnerabilities and data privacy issues within iOS and Android applications.
- App Search: An automated app tracking service.
- API Inspect: An automated continuous security service that finds authentication and encryption vulnerabilities in internet-facing APIs.
- API Discover: An automated continuous discovery service that finds new APIs, changes to known APIs and related cloud services in public cloud environments.
- Brand Protect: An automated crawler that finds unauthorized cloned mobile applications published to third-party app stores.
Last September it unveiled an automated discovery and continuous dynamic runtime vulnerability inspection tool purpose-built for web single-page applications (SPAs). It supports GraphQL and REST API services as a component of API Discover and API Inspect.
It also developed TrustKit, an open source framework for deploying SSL public key pinning and reporting in mobile applications.
Preventing Data Extraction
With mobile, the analyzer engine looks at production versions of apps in all the various app stores — authorized versions as well as unauthorized, Dooley said, then looks for vulnerabilities through binary analysis, runtime analysis, dynamic analysis and static analysis.
“We’re looking for all the ways an attacker would come after your application,” he said.
Once it goes through all the applications, “we consolidate the results and try to lay out those results in a way that’s human-readable. When you log into the portal, these are all your applications, all the things that could go wrong, then we auto-triage the most important things,” he said.
It doesn’t get into calculating risk, he said — that’s a business decision. It’s merely focused on preventing the extraction of data from applications.
“Sometimes the customer says the data is public anyway, so even if the data is being breached, the data is not sensitive and they’re OK with it,” he said.
It’s similar with the cloud.
“We look for all your domains, look for all the APIs associated with your domains, we often look at your mobile apps, web apps to find embedded APIs or shadow APIs the business often doesn’t realize are moving data within the application.
“We show them all the APIs that they have and the potential attacks that can be taken advantage of to extract data. In some situations, when we find leaky APIs, we can pull the data out and do our own analysis to determine if there’s any PII (personally identifiable information) that could represent a compliance violation. Then we present that back to the customer,” he said.
Analyzing a customer’s data requires a level of trust, which the company builds by analyzing the customer’s production apps first. Clients then often decide to integrate Data Theorem into pre-production as part of Jenkins or other CI/CD pipelines, Dooley said.
The company has experienced the benefits of serverless infrastructure in-house, with developers building out capabilities faster, using some machine learning techniques, and with about 1/10th the code, he said.
But with serverless, much of the underlying tech becomes ephemeral. Where is the virtual machine? Where is the operating system? Where’s the container? It’s all hidden from you as a developer, but then, you don’t really care about that.
But the negative for the security team is that if you’re hoping to hook the container or install an agent on the operating system or enforce a proxy gateway for the traffic to go through, the cloud vendor now has hidden all that, making it autoscale behind the scenes so you can’t even see it or hook it.
“When we started building our API tech two years ago, we knew we had to be committed to an agent-less and gateway proxy-less architecture. So we started looking at new techniques of how do you secure an API and secure that data flow — or at least analyze that data flow without enforcing agent hooks or operating system hooks or network proxies,” he said.
The company decided on a mechanism that the cloud provider itself offers: audit roles. Using role-based access control, it can look at the cloud provider’s APIs as well as the customers’ and constantly monitor them to ensure they stay within their functional specs.
Gartner notes a growing number of API security vendors with various approaches, including 42Crunch; Areca Bay, renamed CloudVector; IMvision; Salt Security; and Elastic Beam, acquired by Ping Identity and now called PingIntelligence for APIs.
Data Theorem touts having detected more than 300 million application eavesdropping incidents while securing more than 4,000 applications for customers including Netflix, Evernote, Verizon and Etsy.
Most recently the company has been warning of new attacks such as Denial of Wallet (DoW), in which so many requests are submitted that the underlying infrastructure keeps scaling up until costs balloon out of control.
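A defender's view of the Denial of Wallet pattern described above, as an added example that is not Data Theorem's code: it buckets serverless invocation records per minute, projects the spend, and flags minutes that break a daily budget or jump far above the normal request rate. The pricing constants, the record layout and the sample data are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Assumed pricing for illustration only; substitute your provider's real rates.
PRICE_PER_REQUEST = 0.20 / 1_000_000
PRICE_PER_GB_SECOND = 0.0000166667

def invocation_cost(duration_ms, memory_mb):
    """Cost of one invocation: flat request fee plus memory-time used."""
    gb_seconds = (memory_mb / 1024) * (duration_ms / 1000)
    return PRICE_PER_REQUEST + gb_seconds * PRICE_PER_GB_SECOND

def find_cost_spikes(records, daily_budget_usd, spike_factor=10):
    """records: iterable of (minute, caller, duration_ms, memory_mb) tuples."""
    per_minute = defaultdict(lambda: {"cost": 0.0, "callers": Counter()})
    for minute, caller, duration_ms, memory_mb in records:
        bucket = per_minute[minute]
        bucket["cost"] += invocation_cost(duration_ms, memory_mb)
        bucket["callers"][caller] += 1

    alerts, history = [], []
    for minute in sorted(per_minute):
        bucket = per_minute[minute]
        count = sum(bucket["callers"].values())
        projected_daily = bucket["cost"] * 1440  # minutes in a day
        baseline = median(history) if history else None
        spike = baseline is not None and count > spike_factor * baseline
        if spike or projected_daily > daily_budget_usd:
            top_caller, top_count = bucket["callers"].most_common(1)[0]
            alerts.append({
                "minute": minute,
                "requests": count,
                "projected_daily_usd": round(projected_daily, 2),
                "spike": spike,
                "top_caller": top_caller,
                "top_caller_share": round(top_count / count, 3),
            })
        else:
            history.append(count)  # only normal minutes feed the baseline
    return alerts

# Constructed sample: five quiet minutes, then one flooded minute.
SAMPLE = [(m, f"client-{'ab'[i % 2]}", 200, 512) for m in range(5) for i in range(20)]
SAMPLE += [(5, "client-x", 200, 512)] * 5900 + [(5, "client-a", 200, 512)] * 100

if __name__ == "__main__":
    for alert in find_cost_spikes(SAMPLE, daily_budget_usd=5.0):
        print(alert)
```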