Learn Data Theorem’s approach to securing cloud-native applications and APIs in an exclusive interview covered by AI-TechPark.
Give us a brief background of Data Theorem.
Data Theorem was founded back in 2013 by Himanshu Dwivedi, who is a 25+ year veteran in the security industry going back to his days as a security researcher at @stake. He is one of the co-founders of iSEC Partners, and is an author of six security hacking books. Data Theorem was founded to analyze and secure any modern application, first starting with mobile applications, APIs, SPAs, and serverless and cloud apps. We started by building our Analyzer Engine which was the industry’s only solution that allowed customers to build safer apps that protected data better by applying dynamic run-time analysis on a continuous basis in search of security flaws and data privacy gaps. Today, we are the company that analyzes and secures any modern application – anytime and anywhere – with our advanced AppSec functionality, including the industry’s first automated API discovery and security inspection solution aimed at addressing API security threats introduced by today’s cloud-native application architectures.
What are the biggest challenges organizations face when trying to secure their APIs?
Organizations’ shift to the cloud has introduced new security challenges for application security. If an attacker gains access to your APIs, they can easily bypass security measures and gain access to your cloud-based applications, which can result in data breaches, financial losses, and reputational damage.
API security is critical because APIs are often one of the weakest links in the security chain. Developers often prioritize speed, features, functionality, and ease of use over security, which can leave APIs vulnerable to attacks. Additionally, cloud-native APIs are often exposed directly to the internet, making them accessible to anyone. This can make it easier for hackers to exploit vulnerabilities in your APIs and gain access to your cloud-based applications.
Why has software supply chain security become such an issue these days? What can organizations do about it?
The software supply chain has become increasingly complex and dynamic with the rise of cloud computing, open-source software, and third-party software components and APIs. Widespread damage can occur for organizations if third-party APIs, cloud services, SDKs, and open-source software have security flaws. The use of software bill of materials (SBOMs) has emerged to address some of these issues. SBOMs are a standardized inventory of software components used in a particular product or system, including their versions, dependencies and sources.
However, SBOMs are only as good as the data they contain, and the quality of data can vary depending on the source and the method of collection, particularly around the application software stack of APIs, cloud services, and SDKs. SBOM inventory is constantly changing, and being able to leverage their up-to-date data requires continuous runtime analysis and dynamic inventory.
Coupled with SBOMs, organizations can benefit from a full-stack attack path analysis software supply chain solution that delivers continuous third-party application asset discovery and dynamic tracking of third-party vendors. Organizations can automatically categorize assets under known vendors, allow customers to add additional new vendors, curate individual assets under any vendor, and alert on increases in policy violations and high embed rates of third-party vendors within key applications.
What is the difference between Shadow APIs and Zombie APIs, and how do they threaten organizations’ attack surface?
Shadow APIs are APIs that are used by developers or business units without the knowledge or approval of IT security teams. These APIs can be created by anyone with the technical knowledge to build them, and because they are not managed by the IT department they are often not subject to the same security controls and governance policies as officially sanctioned APIs. These APIs are not properly vetted, tested and secured, and they can pose a significant risk to the organization.
Zombie APIs are APIs that are no longer in use but are still active on the network and running in the cloud. These APIs can be left over from legacy systems, previous versions of the API, or retired applications; or they may have been created by developers who have since left the organization. Zombie APIs can be particularly dangerous because they may not be monitored or secured, making them vulnerable to exploitation. Attackers can use these APIs to gain unauthorized access to sensitive data, bypass security controls, and launch lateral movement attacks against other systems on the network.
Describe briefly Data Theorem’s approach to securing cloud-native applications and APIs.
Data Theorem’s broad AppSec portfolio protects organizations from data breaches with application security testing and protection for modern web frameworks, API-driven microservices and cloud resources. Our solutions are powered by our award-winning Analyzer Engine which leverages a new type of dynamic and runtime analysis that is fully integrated into the CI/CD process, and enables organizations to conduct continuous, automated security inspection and remediation. Data Theorem is one of the first vendors to provide a full stack application security analyzer that connects attack surfaces of applications starting at the client layers found in mobile and web, the network layers found in APIs, and the infrastructure layers found in cloud services.
Data Theorem’s API Security product inventories and hacks all APIs so it can remediate security issues within the CI pipeline. Our Cloud Secure is a Cloud-Native Application Protection Platform (CNAPP) with attack surface management (ASM) and a complete AppSec suite all-in-one. Finally, the Mobile Secure platform helps teams find and resolve critical security vulnerabilities across their entire mobile application tech stack by performing continuous dynamic runtime analysis on each release.
How does machine learning (ML) and artificial intelligence (AI) come into play in your solutions to help protect apps and APIs?
AI and ML play a significant role in enhancing the capabilities of Data Theorem’s security products. By leveraging these technologies, Data Theorem can provide more advanced and effective security solutions.
For example, AI and ML algorithms can enhance and help to harden code samples with security best-practices across a variety of modern languages – such as Node.js, Python, Java, Go Lang, Rust, Objective C, Swift, and many more – helping customers apply shift-left security practices early in CI/CD cycle. AI and ML algorithms can also analyze vast amounts of data, identify patterns, and detect anomalies or potential security threats. This enables Data Theorem’s products to detect and mitigate various types of attacks, such as malicious activity or suspicious behavior.
In addition, AI and ML techniques can automate the analysis of software vulnerabilities by examining code patterns, data flows and configurations. This helps Data Theorem’s products identify potential weaknesses and provide insights on how to address them. ML models can also learn from normal user behavior and establish baseline profiles. By continuously monitoring user activities and comparing them against these profiles, Data Theorem’s products can identify deviations that may indicate unauthorized access or compromised accounts.
Can you share any success stories or examples of organizations that have greatly benefited from implementing Data Theorem’s solutions?
There are many customer case studies published on Data Theorem’s website but two success stories that are worth examining closely are related to the benefits of building a strong API security program. First, AppLovin has developed the world’s most accurate ad placement engine based on user behavior and predictive analytics using machine learning. AppLovin’s core technology is delivered through APIs and proprietary SDKs targeted at entertainment and gaming applications on mobile devices. With Data Theorem, AppLovin ensures their first-party APIs across their software stack and their 3rd party APIs across their software supply chains are continuously inventoried, tested for security exploits, and hardened with security best-practices. Second, a Fortune 50 financial services organization has built an API security program along with a Cloud-Native Application Protection Platform (CNAPP) that has won awards for the advanced capabilities it has architected within its CI/CD workflow and hybrid cloud environment. In both cases, these API security programs powered by Data Theorem have discovered and illuminated Shadow APIs, eliminated the wasteful costs of Zombie APIs, and most importantly prevented data breaches from occurring across their cloud-applications running in production.
Are there any plans for future developments or enhancements to Data Theorem’s product offerings that you can share with us?
Data Theorem always has a plethora of innovations slated in its product roadmap. Without disclosing specific details, we are planning to make additional improvements in the way our Analyzer Engine does continuous discovery and inventory, security testing, and runtime observability and protection. These are the core pillars of our underlying engine that powers all five of our products today.
Doug Dooley
Chief Operating Officer at Data Theorem
Doug Dooley is the Chief Operating Officer of Data Theorem. He heads up product strategy, marketing, sales, and customer success teams. Before joining Data Theorem, Dooley worked in venture capital leading investments of cloud-centric security, machine-learning, and infrastructure startups for Venrock. While at Venrock, Dooley served on the boards of Evident.io (Palo Alto Networks), Niara (HPE), and VeloCloud (VMware). Prior to Venrock, Dooley spent almost two decades as an entrepreneur and technology executive at some of the most innovative and market dominant technology infrastructure companies – ranging from large corporations such as Cisco and Intel to security and virtualization startups such as Neoteris, NetScreen, and RingCube. Earlier in his career, he held various management, engineering, sales, and marketing roles at Juniper Networks, Inktomi, and Nortel Networks. Dooley earned a B.S. in Computer Engineering from Virginia Tech.
