API Security - AI-Tech Park (https://ai-techpark.com): AI, ML, IoT, Cybersecurity News & Trend Analysis, Interviews. Feed updated Wed, 28 Aug 2024 11:31:57 +0000.

100% of Top Travel Sites Face Severe Cyber Threats Ahead of Labor Day
https://ai-techpark.com/100-of-top-travel-sites-face-severe-cyber-threats-ahead-of-labor-day/
Wed, 28 Aug 2024 08:21:01 +0000

The post 100% of Top Travel Sites Face Severe Cyber Threats Ahead of Labor Day first appeared on AI-Tech Park.

Research reveals major vulnerabilities affecting all top 10 travel and hospitality websites, with four companies responsible for 91% of critical flaws

Cequence, a pioneer in API security and bot management, today released new data ahead of Labor Day that found cybercriminals are capitalizing on the travel and hospitality industry’s peak season, using increased traffic as cover for their attacks.

The Cequence CQ Prime Threat Research Team investigated the top 10 travel and hospitality sites with Cequence API Spyder, a SaaS-based discovery tool that provides an attacker’s view into an organization’s public-facing resources to identify externally visible edge, cloud infrastructure, application stack, API hosts, and security vulnerabilities.

Cequence’s threat researchers observed a consistent pattern across industries: increased website traffic during peak seasons, like the travel and hospitality industry’s vacation and holiday periods, coincides with a surge in cyberattacks. Domain name system (DNS) and distributed denial-of-service (DDoS) attack data provided by Vercara (now part of DigiCert) supports this finding, as both increased queries and attacks correlate with periods of heightened online activity.

Key findings include:

  • Critical Vulnerabilities Remain Wide Open: All 10 top travel and hospitality companies had serious, public-facing vulnerabilities. Four companies had 91% of the serious vulnerabilities, most of which would allow a man-in-the-middle (MITM) attack, letting attackers intercept and manipulate communications between users and the companies.
  • Unintentionally Public Servers Lurk in the Shadows: 8 of the 10 companies had public-facing non-production or internal application servers that are typically unmonitored and unmanaged and could provide attackers with a way in. One company had over 300 such servers.
  • Cloud Sprawl Creates Perfect Storm for Attacks: Cloud sprawl is often driven by acquisitions, siloed departments, or a lack of a defined cloud strategy. This can lead to a proliferation of public-facing cloud instances, increasing the attack surface. The top travel and hospitality sites utilized between 5 and 21 different hosting providers, highlighting the complexity of managing cloud environments.
  • Holiday Rush, Attacker’s Paradise: October begins the winter travel holiday season, and that is also when DNS queries and DDoS attacks were highest last year. November 2023 showed the highest number of DDoS attacks against the travel industry for the entire year, almost double the second-highest month.

“Travelers are at risk during peak vacation times, with cybercriminals seizing the opportunity to strike,” said William Glazier, Director of Threat Research at Cequence. “Our research highlights severe threats, including financial loss, identity theft, and disrupted travel for consumers, and reputational damage and legal issues for businesses. Frequent attacks can undermine consumer trust in digital platforms. To mitigate these risks, organizations need to prioritize API security, while travelers should stay vigilant and practice robust cybersecurity.”

As companies work to address these vulnerabilities, they must also prepare for the upcoming Payment Card Industry Data Security Standard (PCI DSS) Version 4.0, which will become mandatory starting March 31, 2025. Non-compliance with PCI DSS could result in significant fines, penalties and disruptions to card transactions, along with increased risk of data breaches that could damage a business’s reputation and erode customer trust.

Organizations need to prioritize strengthening their API security, adopt proactive measures to mitigate these risks and deploy protection against both manual and automated AI attacks. Travelers should also remain vigilant and employ strong cybersecurity practices to protect their personal and financial information.

Additional Resources:

  • Download the infographic to learn more about how threat actors are trying to turn dream trips into nightmares.
  • Learn more about our Unified API Protection platform.
  • Follow us on LinkedIn and X.

Explore AITechPark for the latest advancements in AI, IOT, Cybersecurity, AITech News, and insightful updates from industry experts!

Fastly released the “Fastly Threat Insights Report”
https://ai-techpark.com/fastly-released-the-fastly-threat-insights-report/
Tue, 20 Aug 2024 15:00:00 +0000

The post Fastly released the “Fastly Threat Insights Report” first appeared on AI-Tech Park.

Additional findings show unwanted bots, short-lived IP addresses and out-of-band domains used by adversaries to commit cybercrime and avoid detection

Fastly, Inc. (NYSE: FSLY), a leader in global edge cloud platforms, today released the “Fastly Threat Insights Report,” which found 91% of cyberattacks – up from 69% in 2023 – targeted multiple customers using mass scanning techniques to uncover and exploit software vulnerabilities, revealing an alarming trend in attacks spreading across a broader target base. This new report provides the latest attack trends and techniques across the web application and API security landscape.

The Fastly Threat Insights Report builds on the 2023 “Fastly Network Effect Threat Report,” and is based on data collected April 11 to June 30, 2024 from Fastly’s Network Learning Exchange (NLX), the collective threat intelligence feed for Fastly’s Next-Gen WAF, and Out-of-Band (OOB) Domains as well as traffic signaled by Fastly Bot Management from April 1 to June 30, 2024. Fastly’s Next-Gen WAF protects over 90,000 apps and APIs and inspects ~5.5 trillion requests per month across some of the world’s largest e-commerce, streaming, media and entertainment, financial services, and technology companies.

Among the report’s key findings:

  • Adversaries performing mass scanning: 91% of attacks originating from NLX sources targeted multiple customers; 19% targeted over 100 different customers. This is a significant increase from Q2 2023 insights, where 69% of NLX sources targeted multiple customers.
  • Bots comprise more than one-third of Internet traffic: A significant amount of global internet traffic is attributed to requests generated by automation tools; approximately 36% of traffic originated from bots, while the remaining 64% came from human users.
  • Dramatic increase in usage of out-of-band domains to actively exploit three WordPress Plugin CVEs (CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000). Seven out-of-band domains were used to inject malicious content, install backdoors, and track infected applications.
  • Short-lived IP addresses help attackers evade detection: 49% of IP addresses added to NLX were listed for just one day, with the average duration being 3.5 days. Attackers use IPs for a short period to avoid detection, highlighting the importance of adaptive security controls that can mitigate varied threats.
  • High Tech remains top industry targeted, accounting for 37% of attacks, although slightly down from last year at 46%. Other top industries for 2024 include Media & Entertainment (21%) and Financial Services (17%).

“By performing mass scanning, attackers increase the likelihood of discovering vulnerable systems. The more targets scanned, the higher the probability of finding at least one exploitable weakness,” said Fastly Staff Security Researcher Simran Khalsa. “It’s not enough to respond to attacks. We must anticipate them, continuously adapt, and stay one step ahead. Based on trillions of requests across our global customer base, this new report provides an overview of the current threat landscape and actionable insights for security teams to help protect their valuable assets.”

Cequence Unveils API Security Testing Suite for GenAI Applications
https://ai-techpark.com/cequence-unveils-api-security-testing-suite-for-genai-applications/
Wed, 07 Aug 2024 09:43:09 +0000

The post Cequence Unveils API Security Testing Suite for GenAI Applications first appeared on AI-Tech Park.

Company’s Unified API Protection platform offers full protection by testing for OWASP LLM Top 10 Threats, AI app vulnerabilities, visualizing API traffic, boosting third-party API security, and autonomously detecting AI bot threats

Cequence, a pioneer in API security and bot management, is proud to introduce revolutionary advancements to its Unified API Protection (UAP) platform at Black Hat USA. These enhancements mark a significant milestone in API security, specifically tailored to support the secure use of AI applications like Generative AI and Large Language Models (LLMs). Cequence’s solutions protect applications deployed in the cloud, on-premises, and hybrid environments, and also support serverless environments, ensuring an uncompromised security posture.

“API security and bot management are more important than ever as AI technology grows,” said Ameya Talwalkar, CEO of Cequence. “As Generative AI and Large Language Models become more common, organizations face new types of attacks. While many cybersecurity companies use AI to protect against threats, Cequence is focusing on using AI to defend specifically against attacks targeting AI applications. This approach, called ‘Cyber for AI,’ aims to set new standards in AI security and enhance overall cybersecurity.”

In today’s digital landscape, APIs serve as the backbone of countless applications, necessitating robust security measures. Cequence’s upgraded UAP platform introduces unparalleled capabilities for proactive threat detection, streamlined security testing, and autonomous threat mitigation, empowering organizations to fortify their API infrastructure with confidence.

Key enhancements to Cequence’s UAP platform include:

Testing LLM Applications for OWASP LLM Top 10 Threats

  • Cequence pioneers the industry’s first test suite to evaluate applications using Large Language Models (LLMs) against the OWASP LLM Top 10 threats.
  • Enables organizations to proactively test LLM applications using synthetic traffic to identify vulnerabilities and ensure security prior to deployment.
  • Provides specific findings and recommendations to developers for corrective actions.

Detecting and Blocking Automated AI Bot Activity

  • Cequence enhances capabilities to automatically identify and block AI bot activity without user configuration.
  • Automatically refreshes UAP’s global AI bot list, ensuring all customer deployments are continuously protected against the latest AI bot threats without requiring manual updates.
  • Enables security teams to effectively manage and mitigate AI bot-driven threats against exposed content.

Introducing the Cequence Flow Graph

  • Cequence launches a new graphing capability within the UAP platform, known as the Flow Graph.
  • Unlike other tools that provide a simple “read-only” view, the Flow Graph visualizes end-to-end API flow, enabling personnel to take instant action on malicious flows.
  • Enhances security team visibility by distinguishing between normal and malicious traffic volumes.

New Integrations Enhance Discovery of Third-Party APIs

  • Expands integrations with F5 High Speed Logging (HSL), Citrix ADC Content Inspection, and WSO2 API Gateway for comprehensive API discovery.

Offloading API Analytics Intelligence to the Edge

  • Processes API traffic on-premises, optimizing traffic flow to reduce costs and enhance efficiency while aligning with your API security needs, whether for discovery, governance or full protection.
  • Reduces bandwidth usage and enhances privacy by processing sensitive data closer to the edge.
  • Enables quicker, low-latency processing of API traffic for improved detection and response times.

Attack Surface Detection of API Gateways and Infrastructure

  • Automatically discovers and maps all API gateways and infrastructure, including those on cloud providers like AWS and Azure, ensuring comprehensive coverage.
  • Identifies and addresses hidden APIs operating in non-sanctioned environments to prevent security gaps.
  • Tailors detection algorithms to reduce false positives and enhance accuracy, aligning with your specific security needs.

Additional Resources

  • Visit the Cequence team at Black Hat USA 2024 August 7-8 at Mandalay Bay in Las Vegas, Booth #2614
  • Learn more about the latest advancements to the Cequence Unified API Protection platform
  • Follow us on LinkedIn and X

Salt Security Expands Leading API Platform
https://ai-techpark.com/salt-security-expands-leading-api-platform/
Tue, 06 Aug 2024 14:45:00 +0000

The post Salt Security Expands Leading API Platform first appeared on AI-Tech Park.

Company’s enhanced API features equip organizations with comprehensive visibility, enhanced posture governance, and revolutionary AI-powered threat detection across the API ecosystem

Salt Security, the leading API security company, today announced the launch of new enhancements to the Salt Security API Protection Platform that enhance API discovery, posture governance, and threat protection across organizations. These latest innovations empower organizations to proactively govern their API posture, gain unprecedented visibility into encrypted and unencrypted API traffic, and outsmart sophisticated bad actors with quick, AI-powered insights.

According to the Salt Labs State of API Security Report 2024, API security incidents more than doubled within the past 12 months. The research also found that API usage is rapidly accelerating, with two-thirds now managing over 100 APIs every day. Organizations continue to struggle to keep pace with the threats associated with expanding API ecosystems, along with trying to accurately comprehend their complex behavioral attributes.

Earlier this year, Salt became the first API security vendor to launch a posture governance engine, designed to deliver operationalized API governance and threat detection across organizations at scale. These innovative capabilities marked a revolutionary change for API security, enabling organizations to establish, educate and enforce API posture standards throughout the application and API lifecycle. Building on such innovation, Salt has further enhanced its capabilities in the posture governance domain and today introduces several new advanced features that are redefining next-generation application security. This includes the launch of:

  • Panoramic Discovery with eBPF and Salt Surface: This extends governance visibility by improving the discovery of API traffic, vulnerabilities, and sensitive data, even in encrypted and complex environments.
  • Salt Posture Governance Policy Hub: This allows organizations to establish and enforce API posture standards across the application lifecycle. It ensures that next-generation apps and GenAI initiatives comply with the best security practices.
  • Full Lifecycle Posture Governance: Salt Security has updated its platform to help organizations extend API posture governance “left.” The platform now enables organizations to more easily capture security posture noncompliance and establish posture validation gates beyond production into an API’s design and test phases. This is achieved through new ecosystem enrichments, integrations, and enhanced in-platform posture validation functionality. This comprehensive approach ensures that Salt’s Posture Governance Engine empowers risk reduction at all stages of an API’s lifecycle.
  • LLM-Powered Attacker Insights for Rapid Response: Salt’s custom-built Large Language Model (LLM) translates complex attack patterns into clear, concise, actionable insights. This enables security teams to quickly understand the attacker’s identity, tactics, and intent, thus speeding up incident response and remediation efforts significantly.
  • Novel Detection of Malicious Scanners, Bots, and Human Attackers: Salt Security employs innovative detection methods to differentiate traffic abnormalities originating from automated scanners, bots, and human attackers, accurately identifying whether traffic from these sources is malicious. This capability provides a comprehensive understanding of attack motivations, enabling security teams to prioritize and mitigate the most significant threats.

“Growing API ecosystems are making it increasingly challenging for companies to effectively monitor and track all activity within their API ecosystems, and quickly identify malicious intent,” said Roey Eliyahu, CEO of Salt Security. “At Salt, our mission is to provide organizations with the most comprehensive API security. An offering that not only provides rapid threat detection but also provides organizations with the means to proactively improve their posture to plug security gaps before they can be exploited. Our latest platform innovations build on this, providing customers with additional visibility into their API traffic and the AI-powered insights required to quickly mitigate threats.”

To learn more about Salt’s latest capabilities, a detailed blog can be found here. Salt will also be hosting a webinar, “Redefining API Security: Unveiling Salt’s Latest Innovations,” which will explore the company’s new innovations, on Tuesday, August 27 at 9am PT/12pm ET. Click here to register.

StackHawk Enhances API Discovery With HawkAI
https://ai-techpark.com/stackhawk-enhances-api-discovery-with-hawkai/
Thu, 01 Aug 2024 08:00:00 +0000

The post StackHawk Enhances API Discovery With HawkAI first appeared on AI-Tech Park.

Newly introduced API Discovery powered by HawkAI offers comprehensive visibility to stay ahead of software development while taking full control of your attack surface.

StackHawk, the company making web application and API security testing part of software delivery, today announced API Discovery Powered by HawkAI, an AI-driven feature that gives security teams a more efficient way to understand their organization’s attack surface. HawkAI not only uncovers and recommends which APIs and applications to bring under test, but also boosts teamwork between security and developer teams, giving businesses the critical insights they need.

Security leaders are grappling with a critical concern: understanding and accurately identifying their API and application attack surfaces. Achieving sufficient security testing coverage is the number one priority. According to market insights from research analyst Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group, “87% of respondents are concerned about shadow and undiscovered APIs, with 38% considering it a significant concern and 49% viewing it as a moderate concern”, as shared in The Urgency of Addressing API Security in an Application Security Program.

“Identifying all APIs and managing them has been a challenge. This feature will automate and improve our process.” Lake Setser, Information Security Lead, CommunityAmerica Credit Union

StackHawk’s unique approach to API discovery leverages source code as the source of truth to obtain the full scope of an organization’s APIs and applications. This offers AppSec teams a level of visibility into their organization’s attack surface that was previously unavailable. StackHawk provides a prioritized view of which APIs and applications to bring under test to boost the overall operational efficiency of your AppSec testing program while fostering improved workflows with development teams.

“Many security teams are struggling to keep pace with the rapid development of APIs,” said Joni Klippert, CEO of StackHawk. “Our internal analysis reveals that a significant portion of APIs go untested simply because they are undiscovered. API Discovery powered by HawkAI solves this problem by automatically identifying all APIs within an organization’s code repositories, giving security teams a complete picture of their attack surface.”

Security teams benefit from API Discovery layered with HawkAI’s comprehensive suite of features, including:

  • Effortless Discovery and Attack Surface Definition: API Discovery powered by HawkAI integrates seamlessly with existing code repositories to automatically identify repositories containing running applications and APIs. This AI-powered solution uncovers previously unknown APIs, providing a comprehensive view of an organization’s attack surface. Security teams can then monitor progress toward achieving complete API coverage.
  • Continuous Oversight and Alignment with Security Policies: Once API assets are identified, HawkAI helps ensure that security processes keep pace with the constant stream of code changes. HawkAI tracks how often code is deployed to API assets and compares it to testing frequency. This enables security teams to identify discrepancies between security policies and actual testing coverage.
  • Collaboration and Streamlined Security Testing: HawkAI goes beyond just discovery. It provides valuable insights to foster collaboration with development teams. When a previously untested asset is discovered, HawkAI identifies the last developer who committed code, allowing for easy communication and a deeper understanding of the asset’s purpose. This streamlines the process of bringing the asset under security testing.

API Discovery powered by HawkAI ensures comprehensive testing coverage by prioritizing the identification of the API attack surface. The source code serves as the definitive source of truth for understanding this attack surface, providing a holistic view of APIs and applications. StackHawk’s solution not only excels in discovering vulnerabilities but also enhances collaboration between security and developer teams. It simplifies the process of subjecting APIs and applications to thorough security testing, thereby fortifying your defenses effectively.

Availability

StackHawk is offering API Discovery powered by HawkAI to all Enterprise and trial customers. To sign up for access and try it free for 14 days, please visit www.stackhawk.com.

If attending Black Hat, visit the StackHawk booth #2904 to see a live demo.

Invicti Expands App Security Platform with Comprehensive API Security
https://ai-techpark.com/invicti-expands-app-security-platform-with-comprehensive-api-security/
Fri, 19 Jul 2024 15:56:29 +0000

The post Invicti Expands App Security Platform with Comprehensive API Security first appeared on AI-Tech Park.

Comprehensive API discovery now available in a single web application and API security solution

Invicti, the leading provider of application security testing solutions, today announced Invicti API Security, merging comprehensive API discovery with proactive security testing into a single solution.

The growth of service-based architectures has driven an explosion in APIs, creating yet another expanding attack surface for security teams to address. As development teams embrace the productivity benefits of AI code assistants, API creation accelerates further. But while AI code assistants are boosting developer productivity, they cannot yet generate secure application code or secure APIs consistently, propagating the risk from vulnerable APIs deployed into today’s web services.

According to ESG’s report Securing The API Attack Surface, 76% of organizations report having an average of 26 APIs per application deployed. Many of these APIs are undocumented and unmonitored, so the security challenge is now about confidently and quickly finding APIs, testing them for vulnerabilities, and performing remediation. With Invicti API Security, organizations can realize comprehensive API discovery alongside proactive API security testing.

Invicti API Security includes multiple discovery methods to enable comprehensive identification of known and undocumented APIs, including:

  • Zero-configuration discovery to identify API specifications, scanning cloud environments for accessible paths
  • API management system integrations to fetch and sync accurate and latest API specifications into inventory
  • Network API traffic analysis to identify and reconstruct API calls into API definition files based on observed traffic

“With the Invicti Platform’s extensive API discovery capabilities, we are able to deliver a tool consolidation option, combining web application and API security into a single solution,” said Neil Roseman, CEO at Invicti. “As tool sprawl and budgetary constraints grow, CISOs can rely on the Invicti solution to address the growing API security concerns in addition to reducing their team’s tool complexity.”

For decades, Invicti has provided the advantage of web application security testing coverage, accuracy, speed, and scale. The combination of continuous automated discovery, proof-based scanning to verify critical vulnerabilities for developers, and recently added Predictive Risk Scoring to advance prioritization efforts provide customers with a unique set of benefits. These web application security benefits can be deployed together with API discovery and security testing.

“Our research shows that security leaders are increasingly concerned with API security and their ability to secure their customers’ sensitive data. This is because as developers build feature-rich applications with integrations and communications to resources, the APIs, especially unknown shadow APIs, create rapidly proliferating attack surfaces,” said Melinda Marks, Practice Director, Cybersecurity at ESG. “The Invicti approach applies a multi-layer discovery method to thoroughly identify APIs, helping organizations deliver secure applications.”

Invicti API Security is available to Invicti customers across both Acunetix and Invicti (formerly Netsparker) product lines to extend their use of the Invicti platform. New customers can purchase the product as a web application and API security combination, or a standalone API Security option.

Cequence named an API Security Leader by Cybersecurity Excellence Awards
https://ai-techpark.com/cequence-named-an-api-security-leader-by-cybersecurity-excellence-awards/
Wed, 17 Jul 2024 09:15:00 +0000

The post Cequence named an API Security Leader by Cybersecurity Excellence Awards first appeared on AI-Tech Park.

Cequence Unified API Protection sets industry standard as the only offering addressing all phases of the API security lifecycle

Cequence, a pioneer in API security and bot management, today announced it has been recognized as a winner in the API Security category by the 2024 Cybersecurity Excellence Awards. The award hails Cequence’s cutting-edge Unified API Protection (UAP) platform, praising its ability to eliminate unknown and unmitigated API security risks that lead to data loss, fraud, and business disruption.

Cequence’s UAP platform empowers organizations with unmatched visibility, enabling them to fortify their defenses and reap the business advantages of secure applications and ubiquitous API connectivity. This industry-leading solution achieves this through autonomous threat discovery, native inline response, and eliminating reliance on third-party tools for seamless protection.

“This recognition from the Cybersecurity Excellence Awards fuels our passion for pioneering API security solutions,” said Varun Kohli, CMO at Cequence Security. “With over 8 billion daily API calls secured and 3 billion user accounts protected, Cequence empowers organizations to embrace the future of secure APIs. Our UAP platform represents more than a solution—it signifies a paradigm shift in API security.”

Cequence’s Unified API Protection platform comprises three functional pillars: attack surface discovery, security compliance and security testing, and bot management and fraud prevention.

  • Attack Surface Discovery: Reveals an organization’s API attack surface and the vulnerabilities it represents by discovering external APIs across managed and unmanaged API infrastructure and identifying the APIs that have issues.
  • Security Compliance & Security Testing: Enables security and development teams to work collaboratively to address surfaced security issues for both pre- and post-production APIs that could lead to exploits.
  • Bot Management & Fraud Prevention: Safeguards organizations against a broad spectrum of bot attacks to prevent data loss, theft, and fraud.

In May, Cequence set a new standard for API security solutions with the announcement of its industry-leading ML-based security features. These product updates revolutionized how organizations defend their digital assets in the AI era. By integrating generative AI automation into its API security testing, Cequence enables no-code workflows, streamlines deployment, and has made a significant leap in security automation.

“We congratulate Cequence Security on being recognized as an award winner in the API Security category of the 2024 Cybersecurity Excellence Awards,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the 600,000-member Information Security Community on LinkedIn, which organizes the 9th annual Cybersecurity Excellence Awards. “With over 600 entries across more than 300 categories, the awards are highly competitive. Your achievement reflects outstanding commitment to the core principles of excellence, innovation, and leadership in cybersecurity.”

Additional Resources:

  • Learn more about the latest advancements to the Cequence Unified API Protection (UAP) platform
  • Follow us on LinkedIn and Twitter

Explore AITechPark for the latest advancements in AI, IOT, Cybersecurity, AITech News, and insightful updates from industry experts!

Cequence Security and IG Technologies announced partnership
https://ai-techpark.com/cequence-security-and-ig-technologies-announced-partnership/
Wed, 10 Jul 2024 16:30:00 +0000

The post Cequence Security and IG Technologies announced partnership first appeared on AI-Tech Park.

Cequence’s Unified API Protection (UAP) platform empowers organizations in the regions to establish an API-first methodology for the AI era

Cequence, a pioneer in API security and bot management, today announced a new partnership with IG Technologies, a premier cybersecurity provider with a robust global presence in the U.S., Caribbean, and Latin America. IG Technologies delivers top-tier security solutions that address today’s dynamic security challenges. This strategic collaboration empowers IG Technologies’ customers to seamlessly integrate with Cequence’s industry-leading Unified API Protection Platform (UAP) to ensure comprehensive defense against attacks, safeguarding APIs on all fronts.

The cybersecurity community has long championed the power of APIs for their versatility, unlocking a multitude of advantages like enhanced efficiency and unparalleled flexibility in developing modern applications. However, a critical gap remains. Security teams often lack the visibility and defense capabilities needed to protect APIs from sophisticated attacks. These attacks can target both flawlessly coded APIs and those weakened by coding errors released into production.

“The double-edged sword of APIs – their growing popularity and vulnerability to attacks – necessitates a proactive approach for companies. Prioritizing a comprehensive discovery of their entire API footprint is the first crucial step,” said Ameya Talwalkar, CEO of Cequence. “Through this partnership, expanding reach through IG Technologies’ network empowers businesses of all sizes in the Caribbean and Latin America to fortify their APIs and combat evolving threats.”

With Cequence, IG Technologies’ customers and resellers gain a powerful, all-in-one solution that replaces disjointed tools for API testing, bot management, and managed services. Customers will not only streamline API discovery and protection but also unlock advanced attack surface management capabilities, enabling proactive threat detection and defense. The result is a simplified yet vastly strengthened API security posture.

Cequence Security’s UAP platform is unparalleled in addressing all phases of the API security lifecycle. It provides:

  • Attack Surface Discovery: Unmasks threat actor tactics with the latest attack surface view, prioritizing risks for zero-friction security.
  • API Security Posture Management: Safeguards APIs by assessing risk across the entire inventory, ensuring compliance, and actively detecting and remediating coding errors.
  • API Threat Detection and Response: Protects against the full range of bot attacks, preventing data loss, theft, and fraud, eliminating downtime, brand damage, skewed sales analytics, and increased infrastructure costs.

“Our partnership with Cequence will transform how we approach API security, offering unparalleled protection and streamlined integration for our customers and resellers,” said Iris Garcia, CEO at IG Technologies. “Robust API security is paramount in these regions, where unique cybersecurity threats and a growing reliance on APIs for digital interactions intersect. Our integration with Cequence’s UAP will empower businesses to continuously safeguard their critical assets.”

Gravitee Launches Federated API Management
https://ai-techpark.com/gravitee-launches-federated-api-management/
Wed, 26 Jun 2024 14:15:00 +0000

The post Gravitee Launches Federated API Management first appeared on AI-Tech Park.

Gravitee launches an API Management solution that provides unified governance across 3rd party API Gateway providers including Amazon API Gateway and Google Apigee, as well as event brokers such as Solace.

Gravitee, the API management platform, launched Federated API Management, which provides a single pane of governance for companies leveraging multiple API gateways and event brokers. Enterprises are often managing tens of thousands of APIs – with different teams each using their own API gateway of choice – creating the problem of API sprawl that until today made it impossible to have governable API security, visibility, and management.

“We built federated API management because we know that various teams across a given organization leverage myriad tools to manage their APIs,” said Rory Blundell, CEO of Gravitee. “Even if a team isn’t using Gravitee as their API Gateway, they can still take advantage of having a central source of truth for visibility, subscription control, governance, and more.”

Federated API Management enables organizations to centrally manage, secure, and publish all of their APIs – no matter what API Gateways and event brokers are being used across the organization. With Gravitee, API and Platform teams can now use a single solution to discover all APIs across the organization, import those APIs into a single subscription control and management layer, and then publish them all in a unified Developer Portal for self-service discovery, documentation, and subscription. This “multi-gateway” approach is a key pillar of modern API Management.

The Three Pillars of Modern API Management (APIM)

1 – Multi-Gateway and Multi-Broker: API Management, as a practice, must support the ability for API publishers to manage, secure, and govern APIs and services from multiple different API Gateways and event brokers.

2 – Event-Native: API Management must treat event streams and event APIs as first-class citizens on par with synchronous APIs, as more and more organizations introduce event streaming. This will enable teams to get more ROI out of their initial investment in streaming.

3 – AI-forward: API Management vendors must find ways to both (1) improve their API Management offerings through AI and (2) better enable organizations to leverage AI as a force-multiplier.

“Federation enables us to feed everybody: our customers, our developers, our support people, our partners – there’s a single pane of glass and a single point of entry,” said Melvin Stephen, VP of Product Development at Blue Yonder. “It doesn’t matter what the API is implemented on and this is going to be a huge advantage.”

Gravitee continues to be acknowledged with industry recognition. The company was the sole vendor positioned in the Customers’ Choice Quadrant in the 2024 Gartner Peer Insights™ ‘Voice of the Customer’ for API Management Report with a ‘willingness to recommend’ score of 100%, the highest of all vendors recognized in the report. Gravitee was also named as a Visionary in Gartner’s Magic Quadrant™ for API Management Report.

The company is demonstrating Federated API Management at their flagship event Gravitee Edge 2024. Edge is a premier 3-day virtual conference covering a range of topics related to modern API management, and is free and open to the public. Keynote speakers include Emily Pfeiffer, Principal Analyst at Forrester; Matt Houser, VP of Global Engineering at Tealium; and Mathieu Croissant, Head of API Strategies at Roche.

95% Report API Security Issues Due to Increased API Usage
https://ai-techpark.com/95-report-api-security-issues-due-to-increased-api-usage/
Wed, 19 Jun 2024 17:15:00 +0000

The post 95% Report API Security Issues Due to Increased API Usage first appeared on AI-Tech Park.

Research highlights rapidly growing API ecosystems, rising attack activity, and lack of API security maturity

Salt Security, the leading API security company, today unveiled the findings from the Salt Labs State of API Security Report, 2024. The research, which analyzed survey responses from 250 IT and security professionals, combined with anonymized empirical data from Salt customers, highlights a lack of API security maturity and posture governance across organizations, leading to a rise in API security incidents and attack traffic.

The research found that almost all (95%) survey respondents experienced security problems in production APIs, with 23% suffering breaches as a result of API security inadequacies. The volume of APIs within organizations is also accelerating, with Salt customer data showing a 167% increase in API counts over the past 12 months, and nearly two-thirds (66%) of survey respondents indicating that they are managing more than 100 APIs. With increased API usage comes an expanded API attack surface, putting malicious activity on the rise.

The 2024 report also highlights the ongoing lack of API security maturity. Only 7.5% of organizations consider their API security programs to be ‘advanced’ and, alarmingly, over one-third (37%) of the respondents who have APIs running in production do not have an active API security strategy in place. Despite this, nearly half (46%) of respondents stated that API security is a C-level discussion within their organization.

According to the research, API posture governance strategies, which provide a structured framework for managing and securing the entire API ecosystem from design to deployment, also remain a relatively new phenomenon. Only 10% of organizations currently have an API posture governance strategy in place. However, realizing its critical importance, almost half (47%) plan to implement such a strategy within the next 12 months. By deploying and implementing a robust API posture governance engine, organizations can gain complete visibility into their API landscape, eliminate blind spots, and establish corporate-wide security standards and regulations across their entire API ecosystem.

“The volume of APIs within organizations is showing no sign of decline, and security teams are struggling to keep pace with the sheer breadth and depth of modern API ecosystems,” said Roey Eliyahu, co-founder and CEO, Salt Security. “As illustrated by the findings of our research, attackers are continuing to take advantage of this, leveraging weak spots within APIs to execute malicious attacks and gain access to company and customer data. With bad actors constantly refining their tactics to discreetly launch API attacks, often through legitimate means, it requires organizations to take a more sophisticated approach to securing APIs. One that encompasses strong API discovery capabilities, a posture governance strategy, and the ability to quickly and efficiently detect active threats and malicious API traffic.”

Additional key findings from the 2024 State of API Security Report include:

The threat of API attacks is growing
The research revealed that API security incidents are on the rise.

  • API security incidents more than doubled within the past 12 months, with 37% of respondents experiencing an incident, compared to just 17% in 2023.
  • Salt Labs analysis of customer data found that attackers are using a diverse range of tactics, with a significant portion bypassing authentication protocols. Almost two-thirds (61%) of attacks are unauthenticated.
  • Internal APIs are also vulnerable, with 13% of attack attempts explicitly targeting them.

Zombie APIs remain a top concern amongst respondents
Respondents expressed high levels of concern about the potential risks associated with “Zombie” APIs, the outdated, forgotten APIs within ecosystems.

  • An alarming 70% highlight Zombie APIs as a great or strong concern, up from 54% in 2023.
  • Account takeover and denial of service rank as the second and third concerns, respectively.

API discovery remains a challenge
API discovery was highlighted as an ongoing hurdle for many organizations.

  • Only 58% of organizations have processes in place to discover APIs across their infrastructure.
  • Less than 15% of respondents are very confident that they understand which APIs expose personally identifiable information (PII).

Traditional methods are insufficient for protecting against modern attacks

  • Only 21% of respondents believe that their current API security approaches are effective in protecting against API attacks, signaling issues with existing methods.
  • API gateways (54%), analyzing log files (45%) and web application firewalls (WAFs) (42%) are the most common tools organizations are leveraging to detect and prevent malicious API activity but remain insufficient and lack user confidence.

API updates take place more frequently and organizations struggle to keep pace with documentation
The rapid change of APIs, combined with the increasing use of AI-generated APIs, has rendered traditional documentation methods obsolete.

  • Over a third of organizations update their APIs at least once a week (38%), and a significant portion (13%) make daily updates.
  • Only 12% of respondents feel very confident in the accuracy of their API inventory, highlighting a widespread lack of trust in security posture.

Attackers are following OWASP Top 10
A large percentage of API attacks target well-known security weaknesses outlined in the OWASP API Security Top 10 list.

  • 80% of attack attempts leverage one or more of the Top 10 methods outlined on the list.
  • Despite this established knowledge base, only 58% of organizations prioritize protection against the API threats outlined by OWASP.

The State of API Security Report, 2024, was compiled by researchers from Salt Labs, the research division of Salt Security, utilizing survey data from nearly 250 respondents across a range of job responsibilities, industries, and company sizes, globally. 20% of respondents were executive-level security or IT leaders, and another 18% were within platform or DevOps teams. Technology and financial services companies, widely viewed as the forefront of API usage, comprised 37% of respondents. Companies large and small were evenly represented. The report also includes real-world API attack attempt data from the Salt Security API Protection Platform. This customer data is anonymized, aggregated, and then analyzed by Salt’s researchers to identify critical trends that can help educate the broader security industry.

To download a copy of the full report, please visit: https://content.salt.security/state-api-report.html

A comprehensive blog exploring the findings can also be found here: https://salt.security/blog/increasing-api-traffic-proliferating-attack-activity-and-lack-of-maturity-key-findings-from-salt-securitys-2024-state-of-api-security-report
