August 23, 2022

Last Updated on January 15, 2024

Communication among APIs now accounts for more than 80% of all internet traffic, according to Akamai. API hacks and misconfigurations are paving the way to more and bigger data breaches, such as the June 2021 LinkedIn scraping and the recent Experian breach that exposed the credit data of millions of Americans.

With API security emerging as a top challenge, what verticals and companies are investing in leading-edge API security solutions, such as scanning API traffic at runtime for threats and active attacks?

To share the latest on API vulnerabilities and security options, Rob Dickinson, CTO at Resurface Labs, joined a recent episode of The Virtual CISO Podcast. Hosting the podcast as always is John Verry, Pivot Point Security CISO and Managing Partner.

APIs on the front lines

According to Rob, the people getting most excited about Resurface are in industries like financial services or cryptocurrency, or others who see APIs as “the front lines of their business and that really being their interface to the world.”

Rob likens Resurfaces “continuous API security” solution to the old days of trading stocks by calling your broker. By law, the conversation had to be recorded as a record of the transaction. By capturing and scanning all API calls, the Resurface solution provides durable business transaction data for what has generally been operations happening “in the ether.”

Critically, Resurface keeps everything on the customer’s systems, so there’s no need to pass the data back to the vendor or other third party. This eliminates many compliance concerns.

“We see ourselves as really being the Easy button for what OWASP has talked about for a long time—sufficient logging and monitoring of your APIs that goes beyond just intrusion detection, but is actually about auditing the activity that’s there,” offers Rob. “That’s not a new idea. We’re just trying to deliver that without an army of Hadoop engineers and all the people it would take to do something like this with the other technologies that are out there now.”

Continuous improvement

Continuous API monitoring not only provides a transaction record, but also an opportunity to continuously improve API security. Further, Resurface API data can support compliance assessment and automate continuous compliance activities by generating audit evidence.

“We want to be an ‘analyst-in-a-box,’” relates Rob. “We want to cut through all that noise. Our mission is not just gathering this data, but helping people get to the place where those insights and those improvements can happen quickly. And everyone that we talk to, they don’t have enough help in this area. We’re not making enough security analysts, SREs, advanced QA and escalations people even to satisfy the current demand, let alone where the demand is going to go in the future.”

The goal is for continuous API intelligence to fit into the automated workflows that teams already have, so that you don’t need human analysts to do the detecting and alerting. It’s about accelerating security activities, integrating with current tools, and eliminating guesswork through observability.

What’s next?

If you’re ready to listen to the complete episode with Rob Dickinson, click here.

Where does API security fit within your overall application security strategy? Check out this podcast for inspiration: EP#19 – Jim Manico – Why Application Security is a Team Sport and How Your Team Will Win



Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!