
AppSentinels Product Demo

AppSentinels.ai is a security technology company specializing in Application and API security, recognized for its innovative platform that protects cloud-native applications. The company has received multiple awards and accolades, including being named a top startup by Forbes and NASSCOM. It addresses the increasing threats to APIs by providing comprehensive security solutions that cover the entire application lifecycle and integrate seamlessly into various environments.

because business must go on as usual
About AppSentinels.ai
• An innovation-driven security technology company in the next-generation Application & API Security technology space, founded after many years of deep research in application security technologies
• Revenue-generating company with many of the largest API consumers as its customers
• Globally acclaimed founding team of experienced engineers and scientists who have built many key industry cyber security technologies and products
• AppSentinels Intelligent API Security Platform is the world’s most comprehensive purpose-built security platform for protection of next generations of cloud native applications
• Winner of Forbes 2023 DGEMS Select 200 Startups
• Winner of NASSCOM Emerge 50 Top-Startups in India 2023
• Member of prestigious NASSCOM Deep Tech Club 2022
• Winner of globally acclaimed ISPM Excellence Award 2022
• Winner of “Most Innovative Startup” NetApp Accelerator Program 2023
• Member of DSCI CoE Club
• Member of Nvidia, Salesforce, NetApp, Cisco, Microsoft, Auth0 Startup Programs

Proprietary and confidential Information, ©2024, AppSentinels.ai 2


Learnings from API Breaches
• Nov’21 – Alissa Knight reported she was able to access APIs of 55 banks, change PIN numbers of debit cards and move money between various accounts without the user’s authorization.
• Coinbase had to suspend trading as a researcher reported an API business logic flaw that allowed someone to sell cryptos even without owning them.
• Extract names, IDs and hardware info of virtual machines via Azure Stack APIs.
• Used an unauthenticated API to get screenshots and memory copies, and gain system admin rights on live virtual machines belonging to other tenants.
• Researchers at Unit-42 found that 22 APIs across 16 different AWS services could be exploited to leak Identity and Access Management (IAM) users, roles and tokens.
• Broken authorization check in an API allowed an unauthorized user to access account and other info.
• Attacker was able to access non-production (shadow) Google Cloud Deployment Manager APIs and other internal Google services including LBs etc.
• Unsecured API access to Firebase cloud storage used by 24000 Android applications.
• 17-year-old boy found BOLA and enumeration attacks – could modify tickets booked by others and change crucial parameters of booked tickets.
• Got access to 50 million users of the site including their personal information.
• Login with Facebook feature allowed actors to steal a token, allowing the actor to take over the user’s account and also other third-party accounts like Netflix, Tinder, Spotify etc.
• An attacker managed to VPN into Tesla’s internal network from his car and take over their main backend server that controlled the entire Tesla car fleet. He could further invoke an unprotected API for any car, start it or even move it.



Current AppSec Solutions are Not Effective

WAF (or DAST) doesn’t know if it’s protecting a Bank, Fintech, Healthcare or E-commerce application

Hackers are targeting the application’s business logic, which is a blind spot of current-gen security platforms
Why Hackers love APIs?

• APIs start at the most untrusted places
• APIs land directly on the Crown Jewels of the organization
• APIs deal with the organization’s IP and sensitive/PII data

Reasons behind the surge in API threats?

• APIs transition significant control of business logic to clients
• Role-based authorization controls inside the application are exposed due to APIs
• Micro-services significantly increased the number of APIs

What is the industry saying about APIs as security threats?

• As per Gartner, since 2022 APIs are the most-frequent attack vector
• Forrester and Verizon reports: around 40% of ALL breaches start via applications/APIs
• OWASP came up with a dedicated API Top-10 list in 2019; revised in 2023



OWASP Web Top-10 and OWASP API Top-10 (2023)

OWASP Top-10
• A1: Injection
• A2: Broken Authentication
• A3: Sensitive Data Exposure
• A4: XML External Entities (XXE)
• A5: Broken Access Control
• A6: Security Misconfiguration
• A7: Cross Site Scripting (XSS)
• A8: Insecure Deserialization
• A9: Known Vulnerabilities
• A10: Insufficient Logging & Monitoring

OWASP API Top-10
• API1: Broken Object Level Authorization
• API2: Broken Authentication
• API3: Broken Object Property Level Authorization
• API4: Unrestricted Resource Consumption
• API5: Broken Function-Level Authorization
• API6: Unrestricted Access to Sensitive Business Flows
• API7: Server Side Request Forgery
• API8: Security Misconfiguration
• API9: Improper Inventory Management
• API10: Unsafe Consumption of APIs



Builds Deep Understanding of Application’s Business Logic

• Discover APIs and their structure, discover sensitive data
• Understand user sessions and their life-cycle
• Track API interactions and sequences
• Learn context & intent of every API
• Learn happy & exception path workflows
• Map objects, their life-scopes and CRUD relations
• Discover roles and understand user-behaviors
• Stitch together the ‘Business Logic’

Endpoints in the slide’s example e-commerce workflow:

POST /search/products
POST /cart/add/{product-id}
GET /cart
GET /payment/methods
POST /login ({token})
GET /profile
POST /cart/checkout/{cart-id}
PUT /payment/method
GET /browse/products
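One way to turn the “learn happy-path workflows” idea on this slide into a check, as an added example that is not AppSentinels code: learn which endpoint may follow which from observed sessions, then flag the steps of a new session that no learned workflow ever showed. The endpoint names are those in the slide’s diagram; the sessions and the `START` marker are constructed.

```python
# Added example (not AppSentinels code): learn which API call may follow
# which from observed happy-path sessions, then flag steps of a new session
# that were never seen. Endpoint names are from the slide's diagram.
from collections import defaultdict

START = "<start>"

# Constructed sample: three well-behaved sessions seen during discovery;
# {product-id} and {cart-id} are already normalised to templates.
HAPPY_SESSIONS = [
    ["GET /browse/products", "POST /cart/add/{product-id}", "GET /cart",
     "POST /login", "GET /profile", "GET /payment/methods",
     "POST /cart/checkout/{cart-id}"],
    ["POST /search/products", "POST /cart/add/{product-id}", "GET /cart",
     "POST /login", "GET /payment/methods", "PUT /payment/method",
     "POST /cart/checkout/{cart-id}"],
    ["POST /login", "GET /profile", "GET /browse/products",
     "POST /cart/add/{product-id}", "GET /cart", "GET /payment/methods",
     "POST /cart/checkout/{cart-id}"],
]


def learn_transitions(sessions):
    """Map each call to the set of calls observed directly after it."""
    allowed = defaultdict(set)
    for calls in sessions:
        prev = START
        for call in calls:
            allowed[prev].add(call)
            prev = call
    return allowed


def check_session(calls, allowed):
    """Return (position, previous, call) for each step never seen in training."""
    deviations = []
    prev = START
    for idx, call in enumerate(calls):
        if call not in allowed.get(prev, ()):
            deviations.append((idx, prev, call))
        prev = call
    return deviations


TRANSITIONS = learn_transitions(HAPPY_SESSIONS)

if __name__ == "__main__":
    # Constructed suspect session: checkout right after login, skipping the cart.
    suspect = ["POST /login", "POST /cart/checkout/{cart-id}"]
    for pos, prev, call in check_session(suspect, TRANSITIONS):
        print(f"step {pos}: '{call}' never observed after '{prev}'")
```

A real platform would also key the model on session and role and decay old transitions; this block only shows the sequence check itself.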



AppSentinels Platform Architecture

• Three Tier Architecture – Sensors, Controller & Server
• Use as a SaaS service OR deploy On-Prem in air-gapped mode
• Deploy Sensors in OOB OR Service-Chaining (Inline) mode
• Supports all kinds of application architectures – K8s, API-GWs, Serverless, API Mgmt. etc.
• Onboards any application in minutes. No instrumentation or heavy agents



Development to Production Full Life-Cycle Security

• Continuous Discovery & Posture Management
• Continuous Automatic Stateful API Pen-Testing
• Remediation for Developers & Sec-Ops
• Multi-Layer Runtime Protection



Product SKUs
Discovery (Deploy Prod & Pre-Prod)
API Discovery & Posture Management
• Gain unparalleled visibility. No blind spots – cover all your API paths & application architectures
• Discover Shadow, Orphan, Unused, UnAuth, Sensitive, Privilege, Public or Internal, New or Changed APIs etc
• Discover sensitive data exposure due to APIs
• Get OpenAPI documentation
• Discover API Governance issues & Misconfigurations
• Real time Risk Score

Shift-Left (Deploy in Pre-Prod)
Help Developers build Secure APIs Faster
• Automatically creates and runs application workflow specific test-cases to offer PROACTIVE security
• Tests APIs for Business Logic, OWASP API Top-10, OWASP Top-10, DoS/Rate-limit, fuzzing and many more varieties of tests
• Stateful testing of complete user-journeys or workflows automatically
• Augments security-testing capability. Acts like a 24x7 Pen-Tester or a bug-bounty hunter
• Prioritize issues that hackers can exploit

Protect-Right (Deploy in Prod)
Runtime Protection against business logic attacks & API abuses
• Run-time Protection against business-logic exploits, OWASP API Top-10, OWASP Top-10 etc
• API Schema conformance validation
• Fraud & bot protection – Scraping, Carding, Credential stuffing etc
• Attack Progression analytics with threat-actors mapped to MITRE tactics
• Manual OR fully automated enforcement
• Block via inline sensors OR via integration with other devices
• True DevSecOps – automatic triaging of malicious issues in Production
Deployment Flexibility: Up and running in minutes
Support SaaS OR On-Prem (air-gapped) Hosting options

Various DevOps-friendly deployment options for all application architectures

• Artifacts available as Containers, VMs, Bare-metal images
• Support Monolithic, Micro-services or Serverless Applications
• Support Applications in single Cloud, Hybrid Cloud, On-Prem OR a Mix

AppSentinels supports various deployment modes

• Inline Mode
• SSL Reverse Proxy OR Forward Proxy Mode
• Tap/OOB Mode
• API Gateway plugin
• NGINX load-balancer plugin
• Kubernetes Ingress
• Kubernetes Service-mesh
• Serverless
• Mirroring
• Apigee API Management
• Mulesoft API Management
• Software AG API Management
• Azure API-M

Sensor deployment option - Tap (OOB) OR Service-chaining (inline)



AppSentinels Integrations: Gels in any environment
Multiple APIs available for integrations

AD/SAML/SSO/MFA for Dashboard access

SIEMs & SOARs


• Splunk
• Elasticsearch
• Sumologic

Ticketing Systems
• JIRA, Git, ServiceNow, Opsgenie etc

Messaging Systems
• Slack
• MS Teams
• Google Chat



Gartner’s PaaS Security: AppSentinels Platform Play



Gartner’s DevSecOps Controls: AppSentinels Coverage

AppSentinels covers:
• coverage in 6 out of 8
• 13 Controls



Customer Success Stories
Fintech (Discovery)
• Was expecting ‘X’ APIs but had 10 times the number
• Had no insights into sensitive data in the APIs like ITIN/SSN numbers
Large Stock-Broker (Continuous Pen-Testing)
• Identified an issue where a user can modify or cancel another user’s order
• Identified an Account Takeover vulnerability in the reset-password API where passwords can be sent to another user’s email
Large e-Commerce player (Protection against automated attacks)
• Protection against Coupon enumeration attempts
• Protection against Data scraping attempts
Large e-Commerce platform (Protection against Application 0-days)
• Protection against a user seeing another user’s cart and making changes to it
A Large Bank (Partner misuse)
• Detected Partner API misuse



AppSentinels Deployment Architecture

DC-1: Controller(s) & multiple sensors/apps
DC-2: Controller(s) & multiple sensors/apps
DC-3: Controller(s) & multiple sensors/apps
Enterprise Grade Edge-Controller & Sensors
Edge Controllers
• Policy Decision Points
• Horizontally scalable – multiple edge controllers work for a Server
• Support filters to bypass API traffic based on host, URI regex OR content-types to reduce API noise
• Support grouping of APIs into applications and further into API groups for easy management
• Intelligent processing to enable/disable payload handling for specific APIs OR use-cases

Advanced Sensor features include
• Policy Enforcement Points: light-weight simple logic
• Multiple sensors work with an Edge Controller
• Option to deploy in OOB (Tap) or Service-chaining (Inline) mode – balance security and business continuity – minimal impact to application availability or latency
• Support Fail-open/Fail-close configuration
• Support Guaranteed latency options – fail-opens if API latency goes up
• Intelligent ramp-up & back-off to prioritize application traffic during heavy traffic-bursts
• Support filters to bypass API traffic based on host, URIs, content-types to reduce API noise



Demo Setup - OWASP Juice Shop Application

Inline Mode

360° Continuous Visibility
• Discovery
• Sensitive Data Exposure

Business Logic Attacks
• OWASP API 3: Excessive Data Exposure – real time sensitive information leak

Multi-Layer Defence
• Shield Facebook & Uber Attack – OWASP API 1: Broken Object Level Authorization

Attack Progression; Tactics & Techniques
• Threat Actor
• Manual & Automated Actions

True DevSecOps
• Vulnerability
• Attack – Broken Object Level Authorization
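The Broken Object Level Authorization flaw demonstrated here, and the “user seeing another user’s cart” story in Customer Success Stories, come down to a handler that trusts the object id in the URL. As an added illustration that is not Juice Shop or AppSentinels code, this block shows such a cart handler beside its fixed form; the in-memory store, user names and helper names are invented.

```python
# Added example, not Juice Shop or AppSentinels code: the cart BOLA from this
# deck's customer story, modelled with an in-memory store and handlers for
# GET/PUT /cart/{cart-id}. Store, session and helper names are invented.

# Constructed data: two users, each owning one cart.
CARTS = {
    "c-100": {"owner": "alice", "items": ["book"]},
    "c-200": {"owner": "bob", "items": ["lamp"]},
}


class Forbidden(Exception):
    """Raised when the caller does not own the requested object."""


def get_cart_vulnerable(session_user, cart_id):
    """BOLA: the id from the URL is trusted; the session user is never checked."""
    return CARTS[cart_id]


def get_cart_fixed(session_user, cart_id):
    """Fix: authorise the object against the authenticated session, not the URL."""
    cart = CARTS.get(cart_id)
    if cart is None or cart["owner"] != session_user:
        # Same outcome for missing and foreign carts, so ids cannot be probed.
        raise Forbidden(cart_id)
    return cart


def update_cart_fixed(session_user, cart_id, items):
    """Writes (PUT) go through the same ownership check as reads."""
    cart = get_cart_fixed(session_user, cart_id)
    cart["items"] = list(items)
    return cart


def leaks_other_users_cart(handler):
    """True if the handler lets bob read alice's cart, i.e. the BOLA is present."""
    try:
        handler("bob", "c-100")
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_other_users_cart(get_cart_vulnerable))
    print("fixed handler leaks:", leaks_other_users_cart(get_cart_fixed))
```

The same ownership check belongs on every verb of the object route, which is why the fixed update path reuses the read check rather than re-implementing it.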



Discover More About Your APIs and Protect Them from Breaches
Contact:
www.appsentinels.ai
[email protected]

