
When Gartner Realizes How “Cool” You Are

Roey Eliyahu
May 18, 2020

You always think the tech you’re working on is cool, but when Gartner names you a Cool Vendor, you know you’ve delivered a powerful solution.

I started Salt Security with the mission to make it safe for companies to innovate with API-based apps. We are truly honored to be recognized for the power our technology provides in helping our customers protect all their modern apps, be they mobile, SaaS, IoT or otherwise. The opening statement in the Gartner report sets the stage for why I started building this technology.

“Explosive demand for APIs and innovative use cases require application leaders to have an effective API strategy in place.”

In creating cyber security solutions for the Israel Defense Forces, I saw how critical APIs were to innovation and increasing the speed of development. At the same time, I also saw how APIs were creating a new attack vector that existing security tools could not help.

From Gartner: “By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications. Already APIs have become the entry point of choice for attackers looking for valuable data to steal from enterprises.”

For the past several years Gartner has reinforced what I saw coming with APIs. By naming us Cool Vendor, the firm has validated the importance of the Salt Security approach. Here’s a little more context on why we’re so “cool.”


Focus On Top API Threats
“Salt Security addresses the OWASP API Security Top 10 by combining traditional protocol analysis with behavior analytics based on attack signatures and machine learning.”

The OWASP API Security Top 10 was released at the end of 2019, and I see an increasing number of companies using the API Top 10 to frame their API security strategy and define how they evaluate API security solutions.

The API Security Top 10 differs from the well-known Web App Security Top 10 in outlining new threats, and how those attacks unfold has significant implications for which tools to use to secure API-based applications.

We have focused on ensuring the Salt Security API Protection Platform addresses each of the threats in the API Security Top 10 list, and the list has been an important tool in educating customers on how API attacks are different from typical application attacks. To protect against API attacks, you need to understand the context of the API – the business logic, the typical flows, the content of the requests and responses – and WAFs and API Gateways simply have no way of seeing that context.

Early Attack Detection
“Salt Security’s focus on the “reconnaissance” phase of API security is designed to detect potential attacks on APIs before they result in a breach.”

Early attack detection is something that Salt Security is uniquely positioned to offer, based on our big data architecture and patented AI approach. This architecture enables our platform to collect and analyze large amounts of API data and uncover the early indicators of attackers during reconnaissance. These indicators include attacker activities as they map out the API structure, understand the unique logic and look for vulnerable points to exploit.

As Mark O’Neill points out:

“This approach is intended to provide early detection of attack attempts and to discover API vulnerabilities in the reconnaissance phase of API security. In this way, potential attackers can be detected as they probe the API for weaknesses.”

WAFs and API gateways are incapable of early detection because, as proxies, they see each transaction in isolation. The proxy approach can identify a single malicious transaction, such as an injection attack, but it will not recognize the subtle probes of an attacker, and it cannot stitch together and correlate multiple activities of a single bad actor to identify and block that attacker.
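To make the contrast concrete, here is an added illustration (not Salt Security’s code or algorithm): a per-request check beside a per-actor correlation, both run over constructed API access log lines. The log format, the thresholds and the actor identifier are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote
# Constructed sample API access log: "<ts> <actor> <method> <path> <status>" (not real traffic)
LOG = """\
2020-05-18T10:00:01Z user-7 GET /api/v1/orders/1001 200
2020-05-18T10:00:05Z user-7 GET /api/v1/orders/1001/items 200
2020-05-18T10:00:01Z probe-1 GET /api/v1/orders/1 404
2020-05-18T10:00:02Z probe-1 GET /api/v1/orders/2 403
2020-05-18T10:00:03Z probe-1 GET /api/v1/admin 404
2020-05-18T10:00:04Z probe-1 GET /api/v2/users 404
2020-05-18T10:00:05Z probe-1 GET /api/v1/users/1 403
2020-05-18T10:00:06Z probe-1 GET /api/v1/export 401
2020-05-18T10:00:07Z probe-1 GET /api/internal/debug 404
2020-05-18T10:00:08Z user-9 GET /api/v1/search?q='%20OR%201=1-- 500
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
INJECTION = re.compile(r"'\s*or\s*1=1|union\s+select", re.I)  # deliberately simple signature

def parse(log):
    return [m.groups() for m in map(LINE.match, log.splitlines()) if m]

def per_request_alerts(events):
    """Proxy-style check: each transaction judged alone. Finds the injection, says nothing about probe-1."""
    return [(actor, path) for _, actor, _, path, _ in events if INJECTION.search(unquote(path))]

def normalize(path):
    """Collapse numeric IDs so /orders/1 and /orders/2 count as the same endpoint."""
    return re.sub(r"/\d+", "/{id}", path.split("?")[0])

def per_actor_recon(events, min_endpoints=4, min_error_ratio=0.5):
    """Correlate every request from one actor: many distinct endpoints plus mostly 401/403/404 responses suggests mapping of the API surface."""
    by_actor = defaultdict(list)
    for _, actor, _, path, status in events:
        by_actor[actor].append((normalize(path), int(status)))
    flagged = {}
    for actor, reqs in by_actor.items():
        endpoints = {p for p, _ in reqs}
        errors = sum(1 for _, s in reqs if s in (401, 403, 404))
        ratio = errors / len(reqs)  # each individual request here is harmless on its own
        if len(endpoints) >= min_endpoints and ratio >= min_error_ratio:
            flagged[actor] = {"endpoints": len(endpoints), "error_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    ev = parse(LOG)
    print("per-request:", per_request_alerts(ev))
    print("per-actor:", per_actor_recon(ev))
```

The per-request rule catches only the one obvious payload from user-9, while the per-actor view surfaces probe-1, whose seven requests each returned a routine error code.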

Another important point that Mark makes is that

“[The Salt Security Solution] contrasts with many other API management solutions that require manual configuration, such as API throttling limits, thus providing protection of APIs only after an attack has already been mounted — which is too late.”

Early detection with Salt Security doesn’t tell you that you’re being attacked – instead, it tells you that you’re about to be attacked and stops the attacker.

Remediation Insights for Developers

API security is not a task for just one IT group. API security requires a coordinated effort across security and development teams to cover each stage of the API lifecycle and apply security to both pre-production and production APIs.

Mark calls out the Salt Security ability to “[turn] attackers into penetration testers,” which enables our customers to harness the activity of attackers during reconnaissance. As attackers find gaps in production APIs, our platform shares those insights with security teams and developers. These insights improve security posture by providing the details of security gaps so developers can prioritize and eliminate vulnerabilities. As a byproduct, developers also get smarter about how to write more secure APIs in the future.

Salt Security makes it easy for security and development teams to leverage these remediation insights by integrating with tools such as Jira and ServiceNow, automatically routing details to the right team and tracing them through to resolution.

Non-intrusive Deployment
“Salt Security’s solution favors non intrusive deployment options with out-of-band models, such as traffic mirroring from a load balancer, API gateway or infrastructure component, a lightweight software sensor, or containerized image.”

Our philosophy has always been: Do not sacrifice development velocity in favor of security. In short, we created a solution that would not get in the way of rapid development practices like CI/CD and that would deploy without disruption. We don’t require any code changes and have a number of options to seamlessly integrate with existing infrastructure.

Our out-of-band model brings the additional runtime benefits of not increasing latency and not impacting application functionality.

“An optional Salt Security server, deployed on-premises, can communicate with the vendor’s cloud service to receive updated threat models and to send analytics.”

The primary delivery model for our solution is cloud-based, but we know some customers have strong requirements to keep all data in their own environment. To address this need, we offer a hybrid option where all sensitive data stays in the customer’s environment.

“Remediation methods use integration with in-line controls, such as web application firewalls or API gateways.”

Another important philosophy for Salt Security is to integrate with existing infrastructure to enable customers to utilize their current workflows and tools. With this integration a customer can automate blocking through their existing WAF or API gateway, send alerts to SOC teams through their SIEM, and route remediation insights to development teams using ticketing systems.

Learn More About Salt Security

We continue to focus on our mission to make it safe for companies to innovate by helping to secure the APIs at the core of all digital platforms. I would love the opportunity to share my insights on API security, what I’m hearing from other customers, and how the Salt Security solution can help to protect your APIs. Please reach out here to connect with us.
