New API security startup claims edge over legacy protection capabilities

Vorlon, a SaaS-based security startup, has launched a new offering to help customers with API visibility and associated attack surfaces with a “shift-right” focus that the company claims legacy solutions lack.

The SaaS-based offering, which was available under beta to select customers since August 2023, has been made generally available for purchase on subscription.

“Vorlon’s idea is to expand the definition of API Security to also include the enterprise-as-consumer side, enabling organizations to proactively manage third-party APIs, monitor the data in motion, identifying legitimate versus illegitimate traffic, and quickly remediate issues as they arise — not months after a leak is made public,” said Alex Yakubov, head of marketing at Vorlon.

Vorlon is a cloud application security startup with API security as its first offering. The offering will be available as an annual subscription with access tiers based on the number of third-party applications observed, data storage, and retention.

Shift right approach to API security

Vorlon’s API security is a tool targeted at enabling visibility of an organization’s third-party dependencies and associated APIs, while in operation. This is a step up from the legacy “shift left” approach which focuses on API security during development and integrations, according to Vorlon.

“Historically, API Security tools have focused on ensuring the APIs the organization publishes are safe and secure,” Yakubov said. “The reality is that an organization consumes far more third-party APIs than the number of APIs it publishes.”

The idea of “shit left” was to incorporate security earlier in the development phase, but because of the complexity and the nuanced nature of every API, API Security as a market simply ignores the consumer of the API and has not historically provided a means to manage, monitor, and control the data in motion, according to Yakubov.

In its efforts to bring security to the consumption side, Vorton’s platform will employ tools to take an inventory of an organization’s existing third-party integrations, scan the API used and the data transmitted through them, and visualize the exposure and risks associated with these integrations.

Since November 2023, Vorlon claims to have observed over 50 million API calls and helped its early customers handle critical issues including over-permissive connections, abuse of API secrets, exposed multi-use secrets, malicious IP access, and abnormal activities from third-party applications.

“Vorlon helped us understand not just the APIs we were using but also what systems these APIs were connecting to and the data that was enabled on top of the APIs,” said Avishai Avivi, an early Vorlon user and chief information security officer at SafeBreach. “Vorlon provided me with quite a bit of telemetry and threat intel around our API usage — which is especially game-changing for the third parties that might as well be a black box to us. The biggest takeaway for us is the sheer size of the attack surface generated by third-party vendors connecting to our data both directly and indirectly.”

Machine learning for anomaly detection

Vorlon processes a large amount of API data and analyzes it in “near real time”, and the feat has been made possible through the employment of proprietary machine learning engines.

“Our behavioral analysis leverages machine learning so Vorlon can identify anomalous activity for a customer’s specific instance of an observed third-party app,” Yakubov said. “What might be normal for one organization may not be for another.”

Additionally, Vorlon automates API analysis by running them through existing threat intelligence to identify known malicious API communications. Machine learning further enables handing out custom remediation instructions tailored specifically for the applications involved.

“I think most CISOs already know this, but third-party APIs are right now probably one of the Achilles heels of our world, with a very wide usage and almost no visibility unto them”, said Eric Richard, chief information security officer at Hubspot. “The goal, through a tool like Vorlon, is you can bring that out of the shadows and into the light and can start to put the same sorts of controls in API security that we’ve put on all sorts of other security over the last decades.” Vorlon is currently working on increasing the number of observable applications to add to its catalog, along with tailored remediation insights and capabilities.

APIs, Security Software

Go to Source