Machine learning software that detects anomalous use of APIs helped a real estate company reinforce its API security as it conducts more transactions on the web.
Houwzer Inc., a real estate brokerage, title and mortgage services firm in Philadelphia, is a relatively small company with 150 employees, but it has conducted $1 billion in real estate transactions since it was founded in 2015. Over the last three years, it has performed more of these transactions through a set of APIs hosted on AWS, which initially focused on real estate listings but began to include sales to home buyers in 2020.
That transition, along with a general increase in high-profile data breaches in the industry over the last year, prompted Houwzer's CTO to seek a tool that would make API security manageable for a small IT staff.
"The real estate industry is constantly under attack by cyber criminals trying to intervene in ongoing transactions to intercept a large check or wire transfer," said Gregory Phillips, CTO at Houwzer. "We're a big target for a relatively small company, because we have high-value transactions relative to our size."
Navigating the API security frontier
Most of Houwzer's employees are real estate professionals, and most of its IT operations are outsourced to a managed services provider. Given how critical API security is to Houwzer's online operations, however, Phillips wanted to manage it in-house. But he needed a tool that wouldn't require him to manually search through log files or hire another person to do so.
"API security is an emerging area and there's just not as much prior art there, and because we're constantly building new stuff into our API, that's where I spend a lot of time," Phillips said.
In the meantime, an API security startup that emerged from stealth in 2020 happened to send Phillips an email pitch, and he responded. The startup, Traceable Inc., combines distributed tracing, which follows user behavior through API transactions, with machine learning that flags anomalous and potentially malicious behavior.
"I very seldom respond to cold emails," Phillips said. "But it was at a time when I was concerned with [having] more and more value to protect here ... and there weren't a lot of great options ... that would proactively surface threats."
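As an added illustration of the approach described above, and not Traceable's code or algorithm (the article does not describe its internals), the following Python sketch profiles each API user's normal behaviour from a baseline access log and then scores a later log against that baseline. It flags four departures a practitioner would want surfaced: a first call to an endpoint the user has never used, a call to a sensitive endpoint, a per-minute request rate well beyond the user's own baseline, and sequential object-ID enumeration, the classic probe for broken object-level authorization. All log lines, field names, user names, paths and thresholds are constructed for the example.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access logs (JSON lines). Field names, users and paths
# are assumptions for this example, not Houwzer's or Traceable's data.
BASELINE_LOG = """
{"ts": "2021-06-01T09:00:10Z", "user": "agent_a", "method": "GET", "path": "/listings/1001"}
{"ts": "2021-06-01T09:00:40Z", "user": "agent_a", "method": "GET", "path": "/listings/1002"}
{"ts": "2021-06-01T09:03:05Z", "user": "agent_a", "method": "GET", "path": "/listings/1002"}
{"ts": "2021-06-01T09:06:00Z", "user": "agent_a", "method": "POST", "path": "/offers"}
{"ts": "2021-06-01T10:15:00Z", "user": "agent_b", "method": "GET", "path": "/listings/1001"}
{"ts": "2021-06-01T10:20:00Z", "user": "agent_b", "method": "GET", "path": "/listings/1005"}
"""

WINDOW_LOG = """
{"ts": "2021-06-02T14:00:01Z", "user": "agent_a", "method": "GET", "path": "/transactions/2001/wire-instructions"}
{"ts": "2021-06-02T14:00:02Z", "user": "agent_a", "method": "GET", "path": "/transactions/2002/wire-instructions"}
{"ts": "2021-06-02T14:00:03Z", "user": "agent_a", "method": "GET", "path": "/transactions/2003/wire-instructions"}
{"ts": "2021-06-02T14:00:04Z", "user": "agent_a", "method": "GET", "path": "/transactions/2004/wire-instructions"}
{"ts": "2021-06-02T14:00:05Z", "user": "agent_a", "method": "GET", "path": "/transactions/2005/wire-instructions"}
{"ts": "2021-06-02T14:01:00Z", "user": "agent_b", "method": "GET", "path": "/listings/1003"}
{"ts": "2021-06-02T14:02:00Z", "user": "agent_a", "method": "GET", "path": "/listings/1004"}
"""

ID_RE = re.compile(r"/\d+")  # numeric path segments such as /1001


def parse_log(text):
    """Parse JSON-lines access records into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events


def endpoint_of(event):
    """Collapse numeric IDs so /listings/1001 and /listings/1002 share one template."""
    return event["method"] + " " + ID_RE.sub("/{id}", event["path"])


def object_ids(path):
    """Numeric object IDs present in a path, e.g. /transactions/2001/x -> [2001]."""
    return [int(m.group(0)[1:]) for m in ID_RE.finditer(path)]


def build_profiles(events):
    """Per-user baseline: endpoint templates used and peak requests in any one minute."""
    profiles = defaultdict(lambda: {"endpoints": Counter(), "peak_per_minute": 0})
    per_minute = Counter()
    for ev in events:
        prof = profiles[ev["user"]]
        prof["endpoints"][endpoint_of(ev)] += 1
        key = (ev["user"], ev["ts"].replace(second=0))
        per_minute[key] += 1
        prof["peak_per_minute"] = max(prof["peak_per_minute"], per_minute[key])
    return profiles


def score_events(events, profiles, sensitive_prefixes=("/transactions",), enum_threshold=5):
    """Return one alert dict per event that departs from its user's baseline."""
    alerts = []
    per_minute = Counter()
    ids_seen = defaultdict(set)   # (user, endpoint) -> object IDs touched
    enum_flagged = set()          # report enumeration once per (user, endpoint)
    for ev in events:
        user, ep = ev["user"], endpoint_of(ev)
        prof = profiles.get(user, {"endpoints": Counter(), "peak_per_minute": 0})
        reasons = []
        if ep not in prof["endpoints"]:
            reasons.append("new_endpoint")
            if ev["path"].startswith(sensitive_prefixes):
                reasons.append("sensitive_endpoint")
        key = (user, ev["ts"].replace(second=0))
        per_minute[key] += 1
        if per_minute[key] > 2 * max(prof["peak_per_minute"], 1):
            reasons.append("rate_spike")
        ids = ids_seen[(user, ep)]
        ids.update(object_ids(ev["path"]))
        if (user, ep) not in enum_flagged and len(ids) >= enum_threshold:
            ordered = sorted(ids)
            if all(b - a == 1 for a, b in zip(ordered, ordered[1:])):
                reasons.append("id_enumeration")
                enum_flagged.add((user, ep))
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": user,
                           "path": ev["path"], "reasons": reasons})
    return alerts


def run_demo():
    """Build baselines from the first log and score the second against them."""
    profiles = build_profiles(parse_log(BASELINE_LOG))
    return score_events(parse_log(WINDOW_LOG), profiles)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["ts"], alert["user"], alert["path"], ",".join(alert["reasons"]))
```

Run against the constructed window, every request by agent_a to the wire-instructions endpoint raises an alert, and the fifth one accumulates all four reasons. Note the trade-off the article itself raises: "new_endpoint" alone fires whenever a legitimate new feature ships, which is exactly the false-positive source Phillips describes tuning out; an automatic block should key on the combination of signals (sensitive endpoint plus enumeration or rate spike), with single-signal hits routed to review instead.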
Traceable does have direct competitors in API security automation for cloud-based and cloud-native applications, but most are also startups -- including 42Crunch, CloudVector (acquired by Imperva in May), Imvision and Salt Security. Established API management vendors also offer security features in products such as API gateways.
Industry analysts have seen a dramatic increase in interest in such products recently.
"In the past year, there have been many API security incidents, particularly in the form of data leaks," said Arun Chandrasekaran, an analyst at Gartner. "These incidents have raised awareness of API vulnerabilities -- in the past 12 months, Gartner has seen a 30% year-on-year increase in client inquiries related to API security."
API security is both an art and a science
Traceable's AI features helped Phillips prioritize his company's responses to API security threats and automated a significant portion of those responses. Some manual effort has still been required to use the product, however, especially in its early versions.
"At the beginning, we were still filtering out a lot of false positives, but we had feedback sessions with Traceable that cut down on them a lot," Phillips said. "They really set you up to handle the last mile."
The Traceable approach was still at least 100 times faster than inspecting log data reports manually, Phillips estimated. Since deploying Traceable, Houwzer has automatically blocked hundreds of API security threats, a capability it did not have before.
Traceable also plans to add CI/CD integrations, in line with the trend toward DevSecOps and companies' desire to tie security into their application development pipelines, according to its website.
This will matter most for companies running a large number of microservices, which Houwzer doesn't have yet. But "shift left" features from Traceable would still be welcome, Phillips said.
"It's part of how I'm using it already, not tied directly into the [continuous integration] server, but I'll look at Traceable alerts and then add a story for developers," he said. "It would be nice to see that more automated."
An unexpected benefit of Traceable, in the meantime, lies in the way its API behavior tracking informs Houwzer's application development.
"Even in a controlled environment, where a lot of users are internal to our company, you don't always know how stuff is going to be used in the wild," Phillips said. "It's important to see the uptake and reception [for new features], even outside of security."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.