Jason Kent & Shreyans Mehta, Cequence Security | CUBE Conversation May 2021
>> Welcome to this CUBE Conversation. I'm John Furrier, host of theCUBE, here in Palo Alto, California. We've got two great guests, all the way from Ohio and here in the Bay Area, with Cequence Security. Our focus is on cloud growth companies. Shreyans Mehta, co-founder and CTO of Cequence Security, and Jason Kent, hacker in residence at Cequence Security. We're going to find out what that actually means in a second, but this is a really important company in the sense of APIs, as they are starting to be the connective tissue between systems and data. You're starting to see more vulnerabilities, more risk, but also more upside. So risk/reward is high, and anyone who's doing things in the cloud obviously deals with APIs. So Shreyans and Jason, thanks for this CUBE Conversation.
>> Happy to be here.
>> Guys, let's talk about API security. But first, before we get there, Shreyans, what does Cequence Security do? What do you guys specifically build, and what do you sell?
>> Cequence is in the business of protecting your web and APIs from various kinds of attacks. We protect from business logic attacks, do your API inventory, and also detect and defend against things like account takeover, fake account creation, scraping, pretty much anything and everything an application or an API is exposed to from the attackers.
>> Jason, what do you do there as hacker in residence? I also want to get your perspective on API security from the point of view of, you know, an attack standpoint, from a vector: how are people doing it? So first explain what you do, and I love the title hacker in residence, but also what does that actually mean from a security standpoint?
>> Yeah. So we can't be in the business that we're in without having an adversarial approach to where our customers are deployed and how we look at them. So a lot of times I spend my time trying to be on the client's back doors and try to hit their APIs with as many kinds of attacks as I can. It helps us understand how an attacker is going to approach a specific client, as well as helps us tune our machine learning models to make sure that we can defend against those kinds of things. As hacker in residence, my position is mostly client facing, but I do spend an awful lot of time doing research and looking for the next API threat that's out there.
>> You've got to stay ahead of the bad guys. But let's bring up some kind of cutting-edge, relevant topics. One is all over the news cycle: you heard Peloton, a very highly visible company. It represents that new breed of digital companies that have a new approach, and it's absolutely doing very, very well. The new consumers like this product, and you're seeing a lot more Peloton-like companies out there that are leveraging technology, so they're fully integrated. They had an API issue recently. What does it mean? Is that something we're going to see more of, these kinds of leaks and these kinds of vulnerabilities? What do you guys think about this Peloton thing?
>> You know, from an attacker's perspective it was a really boring attack, but it led to a huge amount of data leaking out. Same with, you know, the news has been rife with this lately, right? John Deere got hit. We've seen yet another credit bureau got hit, right? And these attacks are coming off as fairly simple attacks that are dumping huge amounts of data, just proving that the API attack surface is really a great place to get a rich amount of data, but you have to have a good understanding of how the application works, so you can spend a little bit of time on it. But once you've taken a look at how the data flows, you end up with, you know, a pretty rich data set. As an attacker, I go after them just by simply utilizing their products, utilizing the programs and understanding how they work. And then I drag out all the pieces that I think are going to be interesting and start plucking away at it. If I see, like, a profile, for instance, that I can edit, I wonder, can I edit someone else's profile? And this is how the Peloton attack worked. I'm logged in, I'm allowed to see my things, what other things can I see? And it turns out they could see everything.
>> So we also saw a hack with Clubhouse, which is the hot app now, I think just opened up to Android users, but they were simply calling the back end, Agora, which is, you know, in China, but once you've understood how the tokens work, once you understood what they were doing, you could essentially go in and figure things out. These seem like pretty trivial things, but it gets exposed. No one kind of thinks it through. How does someone protect themselves against these things? Because that's the real issue. Like, just make it less secure? Are APIs going to be more secure in the future? What can customers do about it? What do you guys think about this?
>> Yeah, but the reality is, I mean, there's just too many APIs out there. I mean, if you see the transition that is happening, and that is the transformation, where it used to be like one app or two apps before, and now there are like hundreds and thousands of applications driven by the DevOps world, agile development. And what matters is, I mean, the starting point really is you cannot protect what you cannot see. What used to be an app hosted in your data center is now being hosted in the cloud environments, in the virtual environments, in serverless environments and Kubernetes, you name it, they're out there. So the key is really to understand your attack surface; that's your starting point. So your tooling, your applications need to be able to provide that visibility that is needed to protect these applications, and you can't rely just on your developers to do this for you. So you need the right tool that can secure these applications.
>> Jason, what are the steps that an attacker takes to uncover vulnerabilities? What goes through the mind of the attacker? I mean, in the old days you used to just do port scans and try to penetrate, you get through the perimeter. Now with this no-perimeter mindset, the surface area Shreyans was talking about is huge. What's going on in the mind of the attacker here with APIs and vulnerabilities?
>> So the very first thing that we do is we sign up for an account, we use the thing, right? We look at all the different endpoints. I've got scripts running in my attack tools that do things like show me comments, in case the developer left some comments in there to tell me where things are. Basically I'm just going to poke around, using it like a regular user, but in that I'm going to look for places that make sense to try to do an attack. So the login screen is a really easy thing. Everybody understands that you put in a username, you put in a password, and you can go. What I'm going to do is put in a bad username and a bad password. I'm going to put in a good username and a bad password, and I'm going to see what changes, what are the different things that your application is telling me. And so when we look at an application for flaws and ways to get to the data on the back end, all we're doing is seeing what data you present me on standard use. And then I'm going to look at, well, how can I change these parameters, or what are the things that I can change in my requests to get a different response? So in the early phases of an attack, attackers are very difficult to see, right? They just look like a regular user just doing regular things. It's when we decide, all right, I've found something that starts to get actually interesting, and we start to try to pull data out.
>> What are some of the common vulnerabilities and risks that you guys see in the APIs when you look, when you poke at them? Is it that people are not really doing their homework, doing good security design, or is it just more of a tech risk? What's the most common vulnerabilities and risks?
>> Well, so for me, I've noticed a lot of the OWASP API Top 10, the first couple of things, you see them on almost all applications. So broken object level authorization is the first one. It's a mouthful, but basically all it is is I log onto the platform, I'm authorized to be there, but I can see someone else's stuff, and that's exactly what happened in Peloton. That, and what we call insecure direct object reference, where I don't have to be logged in, I can just make the request without any authentication and get information back. So those are pretty common areas that, you know, people need to focus on, but there's a few others that are outside the top 10 that really make a lot more sense as a defender. Shreyans probably has a little better answer than me.
>> Yeah. So, like we said, creating that inventory is key, but where are they being hosted is another aspect of things. So when Jason spoke about how hackers are actually probing, trying to figure out what are the different entry points, it could be your production environment, it could be your QA environment, staging environment that you're not even aware of. But once you've actually figured out those entry points, the next step of the attack, like at Peloton and other places, is really exfiltrating that information, right? Is it the PII information, PHI information? And you don't want to exfiltrate, as a hacker, just one person's information. You're automating that. The business logic that is behind it, the ability to protect and defend against those kinds of attacks, giving that visibility, even though you might not have instrumented that application for that kind of visibility, is key. Once you are bubbling up those behaviors, then you can go ahead and protect from these kinds of attacks. And it could be about just simply enumerating through IDs that Peloton might have or Experian might have, and just enumerate through that and exfiltrate the information behind it. So the tools need to be able to protect from those kinds of attacks out there.
>> Yeah, I think I was actually on Clubhouse when that went down, that whole enumerating through the IDs, room IDs, and then the people just querying. Once they got an ID, they essentially just sucked all the content out because they were just calling the back end. It was just like the dumbest thing I've ever seen, but they didn't think about it. I mean, you know, they were just rushing really fast. So the question I have for Shreyans: on a defense basis, people are going first party with APIs, API-first strategies, because there's just some benefits there, as we were talking about. What do I need to do to protect myself so I don't have that Clubhouse problem or the Peloton problem? Is there a playbook, or is there software tools that I could use? How do I build my APIs from day one, and my principles around it, to be good hygiene or good design? What's the...
>> Yeah. So API security is sort of a lesser-known area, given that it's constantly evolving and changing, and the adoption of APIs has gone up significantly. So what you need to start with, effectively, is the runtime security aspect of things. When an API is live, how do I actually protect it? And it ranges from simple syntactic protection: things around how people can go ahead and break these APIs by going after endpoints that you don't think exist anymore, or going after certain functions by giving large values that they're not coded to accept, and so on and so forth. Once you've done that runtime protection from a syntactic aspect, you also need to protect from a business logic aspect. I mean, APIs will expose information, interact with the customers and partners. What business logic are they actually exposing, and how can it be abused? Understanding that is another big aspect, and then you can go ahead and protect from a runtime security perspective. Once you've done that and understood that, well, then you can start shifting left: invest in your DAST tools or static analysis tools, which can catch these things early so that they don't bubble up all the way. But none of them are actually silver bullets, right? So, you have a good runtime security tool, so I don't need to invest in DAST or SAST? Or whatever I have invested in my shift-left aspect of things, nothing will flow through? So you need to start shifting left, but cover all your bases properly.
>> You can't shift left if there's nothing to shift from. I mean, if you don't have that baseline foundation, what does that even mean to shift left and get that built into the CI/CD pipeline? So that's a great point. How does someone, and some companies and teams, set that foundation with the runtime? Do you think it's a critical problem right now, or most people are doing a good job, or they just get lazy or just lose track of it, or, you know, what's the common use case? What do you see behaviorally inside these enterprises?
>> Yeah. So what we're seeing is adoption of new technologies and environments, and they're not well suited for the traditional way of doing runtime security. Like, if you have an app running in your Kubernetes environment, if you have an app running in a serverless environment, how do you actually protect it with the traditional appliance-based approach? So I think being able to get that visibility into these environments, understanding the user behavior, how these applications are interacted with, being able to differentiate that normal human behavior, or even sometimes legitimate automation, from the malicious intents or the probing and the business logic attacks is key to understanding and defending these applications.
>> Before we wrap up, I want to just get your expert opinion, since you guys are both here, around, you know, the next level of innovation. Also you've got cloud; public cloud showed us APIs are great. Now you're starting to see cloud operations, they call it day-two operations or whatever you call it, AIOps, there's all kinds of buzzwords for it, but hybrid cloud and multi-cloud, edge, 5G. These are all basically pointing to distributed computing systems, basically distributed cloud. So that means more APIs are going to be out there. So in a way the surface area of APIs is increasing. What's your view on this as a market? I mean, early days, developing fast, and what's the landscape look like? What do you guys see from an attack and defense standpoint?
>> Well, just from the attacker's perspective, you know, I see a lot more traffic going, what we call east-west traffic, where it's traveling inside the application; it's APIs feeding APIs more data. But what is really happening is we're trying to figure out how to hook third parties into our APIs more and more. The John Deere attack was just simply their development API platform that they open up for other organizations to integrate with them. You know, it's very beneficial for John Deere to be able to say, I planted this seed at an inch and a half of depth and later I harvested 280 bushels of corn off that acre. So I know that's perfect; I can feed that back to my seed guy. Well, that kind of data flow that's going around from API to API means that there's far more attack surface, and we're going to see it more and more. I don't think that we're going to have fewer APIs communicating in the near future. I think this is the foundation that we're building for what it's going to look like for almost every business in the near term.
>> I mean, this is the plumbing of integration. I mean, as people work with each other, data transfer, data knowledge format, you mentioned syntax, and all these basic things in computer science are coming to APIs, which was supposed to be just a dumb pipe, or just, you know, REST API, those glory days. Now it's not there. It's basically connections.
>> Yeah, you're absolutely right, John. I mean, like what Jason mentioned earlier, in terms of the way the APIs are going to grow and the bad guys are going to go after it, you need to think like a bad guy: what are they going to go after? These assets that are going to be in the cloud, in your hybrid environment, in your on-prem environment. And it's a flip of a switch where an internal API can be externally exposed, or just a new API getting rolled out. So all those things you need to be able to protect, and get that visibility first, and then protect these environments.
>> That's awesome. You guys represent the new kind of company that's going to take advantage of the cloud scale, and as people shift to the new structural change and people are refactoring security, this is an area that's going to be explosive in development. Obviously the upside is huge. Quickly, before we end, you guys take a minute to give a plug for the company. This is pretty cool. I love what you guys do. I think it's very relevant and cool at the same time. So Cequence Security, what are you guys doing, funding, hiring? What's the plug? Tell folks about it.
>> Yeah. So we started about six years ago, but we started in the bot defense space by focusing on [inaudible]. And from then we've grown, and we've grown significantly in terms of our customer base, the verticals that we're going after, in financial, retail, social media, you name it, we are there, because pretty much all these verticals depend on APIs to interact with their customers. We've raised our Series [inaudible] last year, we've grown our customer base. Just in the last year, when there was a lockdown, all these retailers were transforming from brick and mortar to online. Social media also grew, and we grew with them.
>> Jason, your thoughts.
>> I think that it's Cequence's ability to scale out to any size environment. We've got a customer that does a billion and a half transactions a month that are APIs from 1,000 other clients of theirs. Being able to protect environments that are confusing and cloudy like that is really what makes what we do shine. We use a lot of machine learning models and AI in order to surface real problems. And we have a lot of great humans behind all of that, making sure that the bad guy, maybe they're there right now, but they're going away and we're going to keep them away.
>> It's super, super awesome. I think it's a combination of more connections, distributed computing at large scale, with a data problem that's playing out. You guys are solving great stuff, and hey, you know, when theCUBE studio API gets built, we're going to need to call you guys up to help us secure the CUBE data.
>> Absolutely right. Absolutely.
>> Hey, thanks for coming on theCUBE. Great insight, and thanks for sharing about Cequence. Appreciate you coming on.
>> Appreciate the time.
>> Okay. It's a CUBE Conversation here in Palo Alto with remote guests. I'm John Furrier, your host. Thanks for watching.