Bring visibility to shadow APIs and ensure that security standards are being met

Last week Data Theorem introduced the industry’s first automated API discovery and security inspection solution aimed at addressing API security threats introduced by today’s enterprise serverless and microservices applications. We took this opportunity to talk about API security as well as the new offering with Doug Dooley, COO at Data Theorem.

How does rapid development with modern applications introduce potential security threats?

Agile develop processes allow software teams to make smaller incremental changes at a rapid pace. When we combine Agile with Serverless application frameworks such as Amazon Lambda, Google Cloud Functions, and Azure Functions, developers can create and deploy modern applications faster and cheaper with less guidance from architects.

As empowering as modern app development has become, it has significantly lowered the skills necessary to build new apps with global scale. These newer apps share data broadly via application programming interfaces (APIs). The explosion of new APIs is fueled heavily by mobile apps, modern SDKs, and IoT apps. Further, this combination of rapid development for modern apps has created significant problems for security teams by making it more difficult to quickly discover backend APIs and continuously analyze their security posture.

How can API security threats impact modern enterprises? What should CISOs be worried about?

In 2018, there have been more than a half dozen headlines of data breaches where APIs were listed as the exploited mechanism to illegally extract data. Shadow APIs are a category of backend APIs often hidden from the views of traditional security tools and API gateways. These undiscovered APIs often run on ephemeral infrastructure in the public cloud.

CISOs should be worried about any API built by their development teams that contain critical business data yet operate on ephemeral app frameworks. These APIs can be hard to find and legacy security tools don’t provide insight nor protection.

Data Theorem API Discover

Traditional API security checks are obviously not enough. However, what are the biggest challenges related to automated API discovery? How do API Discover and API Inspect help continuously secure applications?

For many years coming out of the web services era of SOAP and XML, gateway appliances were the tool of choice to manage the security of APIs. In the public cloud, developers can build new API-driven apps within seconds and have them disappear just as fast. The newly announced API Discover offering can be added to your public cloud accounts within AWS today and Google and Azure coming in future releases. API Discover will continuously find new APIs and changes to existing APIs. The service will generate a Swagger or OpenAPI 3.0 specification if one does not exist.

API Inspect provides a continuous and automated security verification service to ensure the real-world operation of your APIs always match their intended specifications. If any discrepancies are found between the API spec versus its operation, a policy-based alert will be triggered to notify customers of potential security violations. Depending on the severity of the API issue found, an urgent, important, or proactive security task will be created to guide customers on how to best remedy the problem.

What makes Data Theorem’s API solutions stand out in the marketplace? What makes them indispensable?

Data Theorem has created a unique offering for modern APIs without using any legacy techniques like adding agents or hooks to an operating system (Linux, Windows) nor Container (Docker). The offering requires no network choke points like a web application firewall (WAF) nor a 3rd party API gateway.

These new API security services are built for a modern application architecture and function well even if the underlying infrastructure is ephemeral like Serverless (Amazon Lambda, Google Cloud Functions, Azure Functions). Data Theorem’s new API products continuously detect and alert organizations of mistakes made to their APIs in their rapidly changing app environments. Data Theorem’s ability to find shadow APIs makes these new products uniquely valuable.

Data Theorem API Inspect

Who are your most notable customers? Can you give us a rundown on pricing?

Data Theorem is fortunate to call some of the most innovative and forward thinking companies in the world their customers. A subset of our customers who can speak publicly about their use of Data Theorem in their production environments include Evernote, Netflix, RingCentral, and WildFlower Health.

API Inspect pricing starts at $300 per API Operation per year. API Discover is free upon initial scan to find and enumerate all of the cloud hosted APIs with a Swagger or OpenAPI 3.0 specification and can be licensed on a continuous basis per cloud account.