Innovating on Application Protection

Over the last ten years, consumer demand has ratcheted up enterprises’ application development in an unprecedented way. From shopping to banking to dating to eating, it seems like every viable business needs consumer-facing apps. Then there are business-focused apps on which employees depend 24x7, and without which businesses would struggle to deliver the products and services that keep them viable.

As a result, application security is front and center—at least for security professionals and anyone focused on keeping proprietary data secure. However, security can be at odds with functionality, and application development teams are under tight deadlines to build and deploy apps that keep customers happy. As crazy as it might sound to a security professional whose goal is ensuring secure data and data transactions, the reality is that an unusable app, even if its security is top-notch, will drive consumers to investigate the sea of competitors in any given space. That potential is unacceptable to most business executives, hence developers’ focus on fast and functional.

Though security teams have tried to nose their way into DevOps to improve software security—and create DevSecOps—security tools often don’t integrate well with development processes, and the result is bolted-on security controls, some of which might be incompatible with app functionality or usability.

There have been many attempts by the security vendor community to remedy application security. Given the amount of data contained in and the criticality of enterprise applications, the attention is warranted. But the actual mechanisms for securing applications—guaranteeing that code flaws don't turn into gaping vulnerabilities, that “app speak” translates into “network speak,” and that app updates don’t render security controls useless—remained stale for a long time. Based on what they saw as a lack of innovation in the space, industry veterans Ameya Talwalker and Shreyans Mehta from Symantec teamed up to shake up AppSec.

Shaking up AppSec

Founded in 2015, Cequence offers an application security platform (ASP) that tackles the problem of protecting public-facing web and mobile apps, as well as apps connected through application programming interfaces (APIs), which accounts for more than 80% of web traffic. Most APIs are supplied by third parties, whose security rigor can vary. This problem wouldn't be dire if companies had a few APIs here and there. However, the average enterprise has hundreds of APIs on its networks, and if they’re insecure or incorrectly configured, they exponentially increase a company’s attack surface.

When Ed and I spoke with Chief Marketing Officer Franklyn Jones, he told us, “These types of applications are essential to connect businesses to customers, partners, and suppliers across their digital ecosystems. But they are also targets for a growing number of cyber attacks that include malicious, automated bot attacks and application vulnerability exploits. Cequence was founded by practitioners dealing with these issues; Ameya and Shreyans cherry-picked talent from their days at Symantec, and our now-CEO, Larry Link, brought in great people from Palo Alto to complement the rest of the team. We’ve all seen firsthand what traditional network and endpoint security tools can do and we wanted to reinvent the market.”

Cequence’s platform protects against automated bot attacks and application vulnerability exploits targeting web, mobile, and APIs. One common result of high-volume bot attacks is application denial of service (AppDoS). Though DoS can be harmful enough, attackers more often use bots for API abuse, site scraping, credential stuffing, brute force, false account creation and more. In other words, bots can be the initiation point of a larger attack on a company, its network, its data, and its customers.

The second attack vector—application vulnerability exploits—is well-known to security pros, and many organizations have implemented web application firewalls (WAFs) for detection and prevention. But Jones points to weaknesses in organizational communication that lead to inefficiencies in WAF technology: “DevOps teams have accelerated application deployment but, unfortunately, security teams are often out of the loop on when and what apps are deployed. Security teams then have to protect these apps with legacy WAFs, which are often implemented for compliance reasons, not to prevent vulnerability exploits.”

Visibility first, then protection

Cequence automatically discovers all web, mobile, and API-based applications deployed across the customer’s organization, then analyzes all client/application transactions and creates a fingerprint. Each fingerprint consists of 150+ traits that include heuristic analysis of headers, protocols, and other network traffic, and user and application behavior. Because a fingerprint is a multi-attribute identifier, application changes are automatically captured and the applied security policies won’t break DevOps workflows.
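To make the multi-attribute fingerprint idea concrete, and to tie it to the credential-stuffing bot attacks mentioned above, here is an added illustration (my own code, not Cequence's product logic): it keys on client-side traits only, so a server-side path or API-version change leaves the fingerprint intact, and it flags a fingerprint whose login attempts are almost all failures across many distinct usernames. The trait set, thresholds and sample transactions are assumptions, chosen to show the mechanism.

```python
import hashlib
from collections import defaultdict

# Traits that travel with the client rather than the application (assumed set,
# far smaller than a real 150+ trait model): a path rename or new API version
# on the server does not change them, so policies keyed on the fingerprint survive.
FINGERPRINT_TRAITS = ("ua", "accept_lang", "header_order", "tls")

def fingerprint(tx):
    """Hash the client-side traits of one transaction into a stable identifier."""
    material = "|".join(str(tx.get(t, "")) for t in FINGERPRINT_TRAITS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def score_fingerprints(transactions, fail_ratio=0.8, min_users=5):
    """Group login transactions by fingerprint and flag credential-stuffing-like
    clusters: many distinct usernames, nearly all failing, often across several IPs."""
    groups = defaultdict(lambda: {"total": 0, "failed": 0, "users": set(), "ips": set()})
    for tx in transactions:
        g = groups[fingerprint(tx)]
        g["total"] += 1
        g["failed"] += int(tx["status"] == 401)
        g["users"].add(tx["user"])
        g["ips"].add(tx["ip"])
    verdicts = {}
    for fp, g in groups.items():
        ratio = g["failed"] / g["total"]
        suspicious = ratio >= fail_ratio and len(g["users"]) >= min_users
        verdicts[fp] = {"total": g["total"], "fail_ratio": round(ratio, 2),
                        "distinct_users": len(g["users"]), "distinct_ips": len(g["ips"]),
                        "credential_stuffing": suspicious}
    return verdicts

# Constructed sample transactions (not real traffic): one interactive user who
# mistypes a password once, and one automated client rotating usernames and IPs
# while the login endpoint moves between API versions.
HUMAN = {"ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0", "accept_lang": "en-US,en;q=0.5",
         "header_order": "Host,User-Agent,Accept,Accept-Language,Cookie", "tls": "TLSv1.3"}
BOT = {"ua": "python-requests/2.31", "accept_lang": "",
       "header_order": "Host,User-Agent,Accept-Encoding", "tls": "TLSv1.2"}
SAMPLE = [dict(HUMAN, ip="203.0.113.5", path="/login", user="alice", status=s) for s in (401, 200, 200)]
SAMPLE += [dict(BOT, ip=f"198.51.100.{i % 3}", path=f"/api/v{1 + i % 2}/login",
                user=f"user{i:03d}", status=401) for i in range(12)]
SAMPLE.append(dict(BOT, ip="198.51.100.1", path="/api/v2/login", user="user099", status=200))

if __name__ == "__main__":
    for fp, verdict in score_fingerprints(SAMPLE).items():
        print(fp, verdict)
```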

From years of experience, the team at Cequence understands that security controls which require application or architecture changes and/or impact speed of deployment are going to be met with resistance from developers and executives. Further, they’re keenly aware that security technologies which adapt only to known threats and network locations aren’t enough to handle today’s hybrid architectures. Cequence takes a modular approach to application protection so organizations can try various capabilities on for size, starting with discovery, leading to enrichment and integration with 3rd party tools, then defense—all without any changes to any applications, and without development and maintenance of WAF signatures.

If you're in the market for integrated application protection, reach out to Cequence and let us know what you think. Ed and I are always supportive of organizations tackling old problems with innovative approaches.