Application traffic in JSON or XML form now comprises 83% of web traffic, with only 16% now coming from browsers.

Akamai State of the Internet, 2019

Business risks of APIs

Gartner reports that by 2022, APIs will present the single largest security risk within an organisation.


The explosion of APIs has driven by the rapid adoption of cloud technologies, in which monolithic systems are modularised and distributed into virtual environments within dispersed data-centres.

Almost all Web, SaaS and Mobile applications communicate over the web using JSON or XML. The client sends requests to access digital assets, including Personally Identifiable Information (PII) - which are controlled and released by the application server. 

By nature, APIs expose sensitive and personally identifiable information. This makes the API a valuable target for hackers, and it makes securing it a key business priority. 

Securing APIs are difficult, due to the complexity of their traffic. Incumbent systems such as WAFs that rely on static rule and signature sets are simply not fit for purpose in detecting the latest generations of dynamic application attacks.

Historically, API breaches are detected in months, not minutes, due to the impotence of these systems.

Emerging Application Attacks

Spherical Defense uses unsupervised deep learning to protect your APIs from the sophisticated application-level attacks.


Excessive Data Exposure

Exposing more object-level data than necessary over API endpoints

Malicious Injection

Passing malicious instructions to databases and other services via the API.

Improper Assets Management

Exposing debug, administration and obsolete API endpoints.

Sensitive Information Transmission

Users passing PII into the wrong field, resulting in a GDPR breach.

Mass Assignment

Accepting an unauthorized object update request.

Authorized Stateful Attacks

Authorized users attempting to subvert application state.

ML Attack Tools

Adversarial API fuzzing with Machine Learning algorithms.

Introducing Spherical Defense

Spherical Defense offers an alternative approach to WAFs and first generation API security tools.

Instead of relying on an administrator to define rules and signatures to specify good or bad application traffic, Spherical uses Unsupervised Deep Learning to develop a positive security model of your application in real-time.

Spherical learns continually as new traffic is received, and automatically adapts as your application is developed, and as user behavior changes.

LANGUAGE AGNOSTIC

Learning any structured machine to machine communications flows, including external weblogs, internal application logs and system logs

SESSION LEVEL ANALYSIS

Holistically monitoring entire sequences of interactions between external clients, and your APIs.

UNSUPERVISED

The system operates autonomously, with no intervention required. No historical attack data is required; zero-day attacks are just deviations from normal. Free your team from sifting through false positives communicates.

TREE-BASED DATA

The system is designed for the analysis of complex trees and JSON objects, which results in unparalleled accuracy and minimal false positives.

Application Use Cases

Internal Networks

Internal application-level traffic (L7) within your network


API

Dynamic real-time models of each API and user interactions


System Calls

Kernel system calls and OS queries


Service Mesh

Internal communications through the service mesh or kubernetes