CloudVector today launched a namesake platform designed from the ground up to make it easier to discover application programming interfaces (APIs) and then secure them.
The company formerly known as ArecaBay also announced it has appointed Ravi Khatod to be its CEO after raising an additional $5 million in financing.
Khatod said the CloudVector API threat protection platform makes use of API Inspection Modules (AIM) based on microsensor modules that scan the IT environment continuously to discover new APIs. This capability is especially critical because in the age of microservices, new APIs are being created by developers faster than cybersecurity professionals can keep pace.
Once those APIs are discovered, separate Deep API Risk Trackers (DART) use machine learning algorithms to monitor specific classes of API blueprints, identify risk and detect in real-time any reconnaissance attempts by unknown third parties against those APIs.
Finally, an API Response Modules (ARM) makes it possible to enforce policies to secure APIs by addressing the top 10 common API attack vectors defined by the Open Web Application Security Project (OWASP).
While developers are getting better at securing APIs using best DevSecOps processes, Khatod said it’s still primarily the responsibility of cybersecurity teams to make sure APIs running in production environments remain secure. The challenge they face is that the existing API management platforms in place don’t provide the tools needed to discover APIs and then classify them in a way that makes it possible to secure them automatically.
Khatod said one of the biggest challenges cybersecurity teams now face is the rate at which new APIs are being created. Thanks to the rise of DevOps, developers are building and deploying microservices at unprecedented rates. In most cases, organizations are telling cybersecurity teams they can’t slow down the rate at which those APIs are being developed, which means cybersecurity teams need to find tools that will allow them to secure APIs without getting in the way of the development process.
In general, most organizations have relied on web application firewalls and API gateways to secure the web application firewall and associated APIs. While that approach can work when applied to legacy monolithic applications, Khatod said the shift to microservices-based applications will require cybersecurity teams to find a new approach to keep pace with the rate at which developers are now building applications.
There’s no doubt that cybercriminals are becoming more adept at exploiting weaknesses in APIs to launch attacks and exfiltrate data. Rather than simply treating APIs as an extension of an application, organizations that have adopted best DevOps practices tend to manage APIs as a separate artifact. The code surrounding that API may change all the time. However, the more stable and secure the API is, the easier it becomes to update applications dynamically without impacting all the other applications that are dependent on those APIs.
Of course, the relationship between cybersecurity and developers is still evolving in this new age of microservices. The one thing that everyone can agree on is that securing all the APIs in the environment is now a shared responsibility across the entire IT organization.