API Protection for DevSecOps

No cyber defender prefers to shift right on the security spectrum. They all understand that threat prevention is far superior to incident response for so many obvious reasons. The practical reality, however, is that preventive controls simply cannot stop the most capable offensive actors, especially ones sponsored by nation-states. And so, we watch as our CISOs lead the collective cyber parade mostly to the right.

This directional shift was on my mind during a recent discussion with Dmitry Sotnikov of 42Crunch. The company offers an attractive suite of tools designed to reduce API cyber risk, and that appears to include (dare I say) a shift-left component. API security is a particular area of focus for our team at TAG Cyber in 2020, so I wanted to learn more about the 42Crunch approach to this important industry issue. Let me share what I learned:

“At 42Crunch, we provide world class runtime protections that can be deployed at scale to a wide range of environments, including Kubernetes and Docker,” explained Sotnikov. “But we also include strong API security controls that integrate with DevSecOps to help prevent vulnerabilities from being introduced in the first place. This is an important differentiator for our solution.”

The 42Crunch suite includes support for the following prevention (and yes, response also) activities: API security audits based on the OpenAPI specification, API conformance scanning to detect vulnerabilities, and API protection using a low-latency API-native firewall. All three operate against the API contract (the OpenAPI definition), which serves as the core of the overall security configuration and as the reference base for detecting discrepancies between what the API is declared to do and what it actually does.

“Our customers use our platform to push their OpenAPI definition to their CI/CD pipeline,” said Sotnikov, “and this enables automated risk reduction during DevSecOps.” He continued, explaining that in addition to operations and security teams, the platform is designed for use by software developers. This represents the shift-left that is so useful to prevent API threats from entering the ecosystem.
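As an added illustration (not 42Crunch code, and not a description of its internals), the following Python sketches what the contract-driven audit and conformance checks described above mean in practice: a constructed OpenAPI fragment is the reference, a static audit of the kind a CI/CD pipeline would run flags operations that declare no authentication or no response schema, and a runtime check flags a response that drifts from the declared schema. The contract, the sample response, and all function names are assumptions made for this example.

```python
# Added example (not 42Crunch code): contract-driven audit and conformance
# checking against a constructed OpenAPI fragment used as the reference.

# Constructed API contract; /admin/export is deliberately under-specified
# so the static audit has something to flag.
CONTRACT = {
    "paths": {
        "/users/{id}": {"get": {
            "security": [{"bearer": []}],
            "responses": {"200": {"content": {"application/json": {"schema": {
                "type": "object", "additionalProperties": False,
                "properties": {"id": {"type": "integer"}, "name": {"type": "string"}},
                "required": ["id", "name"]}}}}}}},
        "/admin/export": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
}

# Map OpenAPI primitive types to the Python types json.loads() produces.
JSON_TYPES = {"integer": int, "string": str, "boolean": bool, "number": (int, float)}

def audit(contract):
    """Static audit: every operation must declare auth and a 200 JSON schema."""
    findings = []
    for path, ops in contract["paths"].items():
        for method, op in ops.items():
            if not op.get("security"):
                findings.append(f"{method.upper()} {path}: no security requirement")
            content = op["responses"].get("200", {}).get("content", {})
            if content.get("application/json", {}).get("schema") is None:
                findings.append(f"{method.upper()} {path}: 200 response has no schema")
    return findings

def conformance(contract, path, method, body):
    """Runtime check: compare a decoded JSON response to the declared schema."""
    op = contract["paths"][path][method]
    schema = op["responses"]["200"]["content"]["application/json"]["schema"]
    props, findings = schema["properties"], []
    for field in schema.get("required", []):
        if field not in body:
            findings.append(f"missing required field '{field}'")
    for field, value in body.items():
        if field not in props:
            if schema.get("additionalProperties") is False:
                findings.append(f"undeclared field '{field}' leaked")   # data exposure
        elif not isinstance(value, JSON_TYPES[props[field]["type"]]):
            findings.append(f"field '{field}' has wrong type")
    return findings

# Constructed response that drifts from the contract: wrong type, extra field.
SAMPLE_RESPONSE = {"id": "42", "name": "alice", "password_hash": "<constructed>"}
```

Running `audit(CONTRACT)` reports the two gaps on `/admin/export`, and `conformance(CONTRACT, "/users/{id}", "get", SAMPLE_RESPONSE)` reports the type mismatch and the leaked `password_hash` field.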

One important advance that came up during the discussion was 42Crunch’s recent decision to make its platform more accessible to a wider range of smaller customers through a lower-cost, self-service option. This was introduced at the 2020 RSA Conference in February and is designed to maintain full support for security audit as well as automated security testing and runtime control.

From an analyst perspective, emphasis on API security is both necessary and welcome. 42Crunch appears to have a deeply technical culture, which will be important, because buyers of API security solutions are hardly Luddites. But the competition here is growing, so 42Crunch will have to decide whether to focus on larger enterprise customers (with bigger budgets) or on a more democratized base through its self-service offer.

In the end, one should expect to see good things from this company. They have an interesting geographic footprint, with principals located in a variety of countries, and this might just be a strength for 42Crunch in the coming years. If you work in application security and have responsibility for API risk reduction, then you would be wise to check in with 42Crunch to hear their story. As usual, please share your learnings with us afterward.

I look forward to hearing from you.