Data Theorem today introduced the industry’s first automated API discovery and security inspection solution, aimed at addressing the API security threats introduced by today’s enterprise serverless and microservices applications, including Shadow APIs. With today’s launch, users can seamlessly integrate automated API discovery and security inspection into their DevOps practices and continuous integration/continuous delivery (CI/CD) processes to protect any modern application.
The industry is seeing a rapid rise of new applications built with modern tools such as Amazon Lambda, Google Cloud Functions and Azure Functions, which allow developers to build applications at scale with less infrastructure complexity and lower costs. However, these new apps often have API services, such as mobile SDK access for analysis and information retrieval, that enable unintended data loss due to outdated TLS encryption support and lack of proper authentication. These services also allow rogue APIs, called Shadow APIs, to be used without proper enterprise security vetting and to go undetected by today’s legacy security models.
“Data Theorem uniquely addresses threat models related to modern apps, helping us identify issues related to privacy and application-layer attacks and the potential loss of sensitive data,” said Rich Tener, Director of Security for Evernote. “With Data Theorem, we have continuous security testing in place for all of our apps in the app stores. Traditional API security checks are not enough in our environment. The new API discovery and inspection products Data Theorem has delivered are truly differentiated – I haven’t seen anyone else in the industry building automated API security services like this.”
With today’s launch, Data Theorem has delivered two new products, API Discover and API Inspect, that do not depend on the agents, proxies, or gateways common with legacy API security tools. Together they address security concerns such as Shadow APIs, Serverless Applications, and API Gateway cross-check validation by conducting continuous security assessments on API authentication, encryption, source code, and logging. The new API security solutions support Amazon’s Lambda and API Gateway tools to discover modern APIs and to enumerate the specification using standards such as Swagger and OpenAPI 3.0.
“Data Theorem continuously scans and secures our mobile applications and respective backend services, which gives us tremendous peace of mind that our customers are communicating and collaborating in the most secure environment possible,” said Michael Machado, Chief Security Officer for RingCentral. “We greatly anticipate the new Data Theorem security services for API discovery and inspection in our DevOps environment. These new API security services are ground-breaking in the changing developer landscape. We continuously strive to mitigate modern app threats, and Data Theorem has been an essential security automation platform for our mobile and API-centric applications.”
Data Theorem’s new solution will ensure the operational function of users’ APIs matches their respective definitions. As an example, if an API’s authentication and encryption levels do not operationally match the declared specification, users will be alerted to important and critical vulnerabilities caused by insufficient security protection. The ephemeral nature of serverless applications often makes legacy API security tools irrelevant and unusable. The new API solutions from Data Theorem will also alert users to newly created APIs built upon serverless frameworks and deliver continuous, automated security analysis of these newly created APIs.
According to Mark O’Neill, Gartner Senior Director, Analyst, et al., “Protecting web APIs with traditional application security solutions alone is ineffective… New APIs are being added and consumed by organizations on an ongoing basis, meaning that API security is not a one-time exercise… Application and application security leaders responsible for application strategies and governance should adopt a continuous approach to API security with ongoing discovery, monitoring and securing of APIs.”
The rate of change for developers with today’s modern applications has accelerated due to automation, agile development processes, and DevOps efficiency. However, these practices have introduced a new wave of threats unaddressed by today’s security automation tools. Data Theorem has to date been a complementary solution for traditional application security vendors. Now legacy API gateway tools and container-centric security offerings can also benefit from Data Theorem’s new release.
“Data Theorem has a long and successful history focused on Mobile Application Security and adding support for mobile-centric APIs for the past few years,” said Himanshu Dwivedi, Data Theorem founder and CEO. “However, we saw the need for API security independent of mobile applications that was necessary for the growth in secure modern applications beyond mobile, such as serverless applications. Today’s launch uniquely addresses security concerns in today’s modern application era.”