Cequence Security Lands $60 Million to Protect APIs, ‘A New Attack Vector’
… API that is leaking customer information through responses to valid API requests made by malicious actors.
CF: This seems like a niche area where the channel may lack awareness compared to, say, XDR and zero trust. Please talk about how you’re working to educate partners and why that’s important.
LL: Cequence Security has protected many large institutions from bot attacks for over five years, and this is important because during this time, bots have evolved to bypass incumbent solutions by targeting APIs directly. These attacks have become increasingly sophisticated, and our direct experience identifying and defending against them helps us bring more ‘real-world’ impact to our partners.
We also tailor our education based on the partner’s practice focus. For advisory partners, we can help educate them on the challenges of delivering API security in a multicloud, multichannel world. For DevOps partners, we focus on how we integrate into a pipeline or service mesh and provide security guardrails and protection without affecting developer velocity. And for partners who resell WAFs or firewalls, we focus on new application security requirements tied to OWASP API Security Top 10 and OWASP Automated Threats for Web Applications, as many of these partners are already familiar with the OWASP Top 10 Web Application Security Risks.
CF: What do you see coming in 2022 that MSSPs need to know?
LL: In the past two years, many organizations have accelerated their digital transformation efforts. They are using more microservices and APIs to offer a better customer experience, integrate with their supply chain and improve service reliability and updating of core business applications.
At the same time, attackers have developed more tools to find and target these APIs using automation, and as a result, there are a lot of attack types that fall under the umbrella of API security: Application DDoS, account takeovers and credential stuffing, access to PII or error logs to help attackers deconstruct the application, and attacks targeting private APIs that are publicly available (Shadow APIs).
MSSPs not only need the right tools to protect their customers from these attacks without creating more friction for legitimate users, they will also need to be able to proactively engage as a trusted adviser to educate customers on their entire API attack surface and implement controls and security tools to identify non-conformant and risky APIs before they are pushed to production.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Kelly Teal or connect with her on LinkedIn.