Earlier this year, Neosec, a programming security newcomer, came out of stealth. Their mission? According to Giora Engel, Neosec CEO, take a fundamentally different approach to app and Application Programming Interface (API) security without signatures, a predetermined exploit database, or on-premises deployment.
How does it do that? By automatically finding all your APIs, maintaining a complete inventory of them, and then automatically generating missing documentation for previously unknown APIs. Armed with this data, Neosec audits the API’s risk posture. It then identifies those transferring sensitive data, revealing any discrepancies between existing API documentation and the parameters of the API. By automatically learning the baseline behavior of every API, Neosec then, according to Engel, then flags vulnerable or misconfigured APIs.
Finding Questionable APIs
Now, finding questionable APIs isn’t new. Companies such as Noname Security, Salt Security, and Traceable, have been doing it for a while using signatures. But what they don’t do, according to Neosec, is check on what those APIs are actually doing. Their baseline assumption is that known APIs are safe APIs. Maybe that’s true, maybe that’s not.
As Colin Domoney, an API security researcher for 42Crunch, recently pointed out in The New Stack, existing API security testing using Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) simply aren’t equipped to deal properly with API issues. Therefore, we need to shift left and test each individual API. Neosec is one such approach.
It does this by taking a long look at how your applications use their APIs. After analyzing your API dataset over 30 days, the program gets a handline on their baseline behavior. This behavioral analysis approach is used to build dynamic profiles of behavior for every API. With this, your security crew and developers can make better decisions by understanding your API’s context in your programs. This, in turn, prevents abuse and data breaches.
Now, Neosec has partnered with Kong. to integrate its API security platform with their Kong Gateway. This gives you, Neosec, claims, “a complete enterprise-class solution for managing and securing APIs and microservices. Kong provides the world’s most popular API gateway, built for hybrid, multicloud environments optimized for microservices and distributed architectures. Neosec enables Kong customers to easily gain enterprise API security capabilities to protect their critical business processes.”
Neosec continuously watches how old APIs are used and what new APIs are up to. It also monitors their behaviors for abuse. Then, in concert with the Kong API gateway, they automatically orchestrate conditional responses on specific consumer entities into the Kong API gateway.
“As more enterprises embrace digital transformation initiatives and expose APIs, core aspects of business processes are increasingly put at risk. In this modern environment, API security cannot only create alerts for a security team to evaluate, but it must also work with existing API technologies in creating automated responses,” said Engel. “Our strategic partnership with Kong enables the platforms.”
It appears they’ll work well together. Kong Gateway provides an excellent way to manage the complexities of deploying and using APIs, while the Neosec platform augments the security posture with API discovery, risk assessment, and AI-powered behavioral analysis, detection, and response.
Then, as security incidents appear — and they always do — the Neosec integration automatically creates security policies in Kong Gateway and enables automated responses.
Kong Gateway provides API authentication, authorization, logging, traffic control, caching, and administration. Neosec, for its part, ingests access logs from popular technologies like CDNs, web app firewalls, and API gateways. The Neosec platform enables API discovery and automatically flags meaningful anomalous behaviors within them. The combination enables enterprises to minimize risk with no production pipeline changes.
API Attacks on the Rise
“The stakes for API exposure continue to climb as companies rely more heavily on open infrastructure and connecting applications, systems, and data with each other as well as with customers and partners,” said Reza Shafii, Kong’s vice president of products.
Shafii isn’t wrong. According to a Gartner webinar, next year, 2022, API attacks will become the most frequent attack against enterprise web apps. The more we depend on APIs, the more they’ll be attacked.
You may not use Neosec tomorrow. But I can safely say that if you’re smart and you’re building and running cloud native apps, you’ll either be using it or something a lot like it within the next year. The alternative is serious security breaches within the next year or two.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Noname Security.
Feature image par mohamed Hassan de Pixabay