42Crunch CEO, Jacques Declas, sat down with Alan Shimel of Digital Anarchist at this year’s RSA APJ show to discuss new trends in API Security, DevSecOps, and what tools you need to keep up!
[Alan Shimel] Hey everyone, it’s Alan Shimel for DevOps.com Security Boulevard. We’re here in Singapore at RSA APJ. We’re right on the edge of the show floor interviewing speakers, attendees, vendors – just getting the temperature and feel for this year’s RSA APJ. It always gets me excited when I can find a new DevSecOps company, and just walking around the floor earlier I came across a company that had DevSecOps all over their stuff and I was like – I’d never heard of these guys. So I walked over and introduced myself and I met this gentleman here, Jacques Declas. He’s the CEO of a company called 42Crunch. OK, so 42Crunch, what is it – it’s DevSecOps – but what do you guys do? What are you about?
[Jacques Declas] Well, we’re trying to change the way security has been done for 15 years by putting security in the code of applications. You’re going to hear us talk a lot about security as code – like Kubernetes did for the infrastructure – we’re trying to do the same for security. We feel security hasn’t been done the right way, and it’s been a bit of a failure trying to secure applications from the edge of a network – which is disappearing really fast. We created a cloud platform for the customers to use and to put enforcement on security anywhere in the network. And we followed the developers, so we’re putting security into the developers’ hands.
[Alan Shimel] Sounds like DevSecOps to me! A couple of things we’ll jump into. First of all, I got into DevSecOps six/seven years ago for exactly the same reason. I felt that DevOps and the whole shift-left and security as code gave us a chance to right some wrongs that we’ve seen in the past. What I’ve seen over the last six/seven years though is we still have security for what’s called SecOps. We have security through the Ops people. What we’re seeing as part of that shift-left security for developers – let’s call that DevSec. So you have DevSec and SecOps – DevSecOps. And they’re not necessarily mutually exclusive, but that’s just how it’s done. So you’re clearly going for the DevSec element.
[Jacques Declas] Yes, but we also have a good story for the operations people, who with DevOps these days have been decimated, because it’s kind of done by the developers. Things like Kubernetes: your developers write five lines of code and that’s it – Kubernetes is a mini data center on its own, taking most of the complex network configuration away from operations.
[Alan Shimel] Kubernetes is shaking the whole DevOps space up – from Chef to Puppet to…
[Jacques Declas] It’s a revolution.
[Alan Shimel] Yeah, it’s changed things.
[Jacques Declas] Through my experience of being in security for a long time – and especially seeing the exponential proliferation of APIs – those thin interfaces that connect everything to anything these days – we saw some real old traditional ways of trying to secure those applications becoming more and more painful – and the more APIs talk to other APIs, outside my data center, out to partners, data I own, data I don’t. It’s just becoming really difficult – more or less impossible. That’s when we had the idea to really try to shift left and put security in the hands of developers – because they build the applications, so they know exactly what data is coming in and out, how sensitive a particular piece of data is and so on. So they know, and therefore security doesn’t need to guess anymore what the application does.
[Alan Shimel] You got to start it there because if you’re waiting for it to be here…
[Jacques Declas] And that’s why people talk about artificial intelligence. I think it’s great, but what it means – it means we’re still trying to understand what the developers did because we still don’t know. So what we’re doing is going back to them and saying: we’re not asking you to do security as such in your code, we’re asking you to define properly what you do. Let security help you put the right things in place for the whole DevOps cycle and CI/CD – because what we found is that those APIs, through agile development and competition and bringing out those mobile apps in the last 10 years as fast as possible – those APIs were changing weekly. Before you contacted security to secure it, there was a new version coming out, so it never happened. So we’re putting it in the code, it goes to the CI/CD, we’re integrating with all the Jenkins and pipelines and GitHub and GitLab.
[Alan Shimel] Jenkins is another thing being disrupted by Kubernetes. In talking to some of your team I stopped by the booth and I watched – and you’re really focusing on the APIs that are being used here.
[Jacques Declas] That’s right. There’s a particular reason for that. First, I’ve been involved in APIs before they were called APIs – they were SOAP, before that XML and EDI. I could tell they were going to really take over the world. I don’t know if you saw it, there was research published by Akamai, The State of the Internet in 2018, and it said that JSON API traffic in 2010 was 2% of web traffic, and it went up to 83% last year! I mean it’s just everywhere. So for us, API security is quickly replacing web application security, it’s just everywhere.
[Alan Shimel] So CA Technologies, right, since the acquisition they’re a little bit different – but before the acquisition they really had it, right? They said we live – I remember interviewing their CEO – who said we’re living in an API driven economy – it’s the APIs that are driving it. Yes there’s great applications, but every single application we use – well first of all it’s 85% open source components, right, and then behind the scenes all these applications a lot of what they do is make API calls out to dependencies or they’re dependent on these other apps and functions and so forth. I’m reminded of a company I knew in Boulder Colorado, SendGrid, I don’t know if you ever heard of them. This company went for a couple of billion dollars, they got sold, but all they were was the e-mail piece that went into your app when you had to fire an email off, so everyone used that, but in the background what was really happening is…
[Jacques Declas] …the API made a visit. I mean I’ll give you another example. If you look at Netflix, they were really the first one to say hey we’ve got this streaming media type of technology – how are we going to become a media company? They just wrote a really nice API, really well documented, and said it’s opening up – everybody can use it – come on in, and they had thousands. And suddenly through their API program they took over the world.
[Alan Shimel] Slack is another one. Otherwise Slack is just AOL instant messenger without the API to integrate all these things.
[Jacques Declas] Exactly, but the problem is an API calls another API that calls 5 other APIs – it starts to become too complex to handle…
[Alan Shimel] and insecure!
[Jacques Declas] …which data is coming in from where, authentication, authorization, what it’s allowed to do, how do you filter all this traffic and make sure the right API talks to the right API and, more importantly, that the API is not compromised.
[Alan Shimel] There’s another piece to it too Jacques, and that’s this: As a developer you want to get your stuff done. You want it to work and want to get it done. You’ve got an API for me that means I don’t have to reinvent the wheel. Hey man give it to me. Great. But I don’t check it. How do I know that API is secure? How do I know – the same way when I bring an open source component into my app – how do I know that component’s not a vulnerable edition or version of that. It’s the same thing with this API…
[Jacques Declas] …What kind of library is calling in the back, who’s done it, and who’s maintaining…
[Alan Shimel] But I think – you know developers want to get stuff done, and they don’t necessarily check that. Is that part of what you guys are doing?
[Jacques Declas] Yes. What we do is we’ve got an out of the box static analysis of the API, sort of a SAST. The good news between API and web application is that in the API world you have a contract. That’s where we concentrate. It’s a standard where you can define your data. We help developers define it properly in the contract. So you can’t just say this is a string. We say “well, hang on a minute, I can put all kinds of garbage in a string”. Tell me if it’s an integer if it’s a credit card – what is it? Email address? We really give them the tool to have a correct description of the contract and then we automatically apply about 250 rules statically on this. We give them an automatic report and help them by giving code snippets. They don’t even need to come to our platform – we integrate with VS Code – so they stay in their environment. It’s free because they don’t like to spend any money – the developers. So that’s how we are helping them to scan and go all the way to effectively producing firewall functionality across their API and connection.
[Alan Shimel] Because then there’s that real time element you have as well.
[Jacques Declas] So, because we try to integrate our firewall technology and our protection into the CI/CD pipeline. If a developer uses GitHub, for example, and they push a new version of the API into GitHub, we’ll pick it up automatically through our integration, and then we’ll launch our scan, our security audit assessment, recheck the policies and tell the developer “oh, hang on a minute, your score has gone down to 55 because of this – fix it”, and then everything gets deployed in the developer pipeline, including the generation of our firewall rules. It’s truly real time with what they do – because otherwise, if you do it somewhere else, it’s not integrated, it’s too late, it’s too difficult – and some of our customers have thousands of APIs. It’s incredible.
[Alan Shimel] I know we were talking at your booth, you know the average enterprise, from the surveys I saw, is running somewhere between 1,000 and 1,500 internally developed applications, and I don’t mean commercial off-the-shelf. Each one of those is integrating with multiple APIs. You can see real quick how it goes to 5,000 to 10,000.
[Jacques Declas] Yeah, and that’s why we think the old model of web application firewalls needs to do east/west traffic and any-to-any traffic. That’s why you need to be everywhere. We’re putting our micro-firewall right next to the API, so in a Kubernetes world right into the same pod which contains the API itself, so that you can get as close to the API as you can.
[Alan Shimel] How can people get more information?
[Jacques Declas] Just come to 42crunch.com or visit our community APIsecurity.io. There is a free API audit tool that everyone can try out – no information necessary.
For news on all things API – visit APIsecurity.io and sign up for the weekly newsletter.
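The point Declas makes about contracts (do not declare a field as just a “string”; say what it must be, then enforce that at the API) is illustrated below with an added, stand-alone example. It is not 42Crunch’s code and not part of the interview: the `/payments` endpoint, the two schemas and the sample requests are all constructed for illustration, and the validator is a deliberately small stdlib-only stand-in for the OpenAPI/JSON-Schema validation a real gateway or sidecar firewall would perform. The loose contract accepts garbage that the tight contract rejects before it ever reaches application code.

```python
"""Contract-driven request validation: a toy 'micro-firewall' that enforces an
API contract instead of accepting any string. Added example, not 42Crunch code.
Schemas, endpoint and sample requests below are constructed for illustration."""
import json
import re

# Loose contract for a hypothetical POST /payments: everything is "a string".
LOOSE_SCHEMA = {
    "type": "object",
    "properties": {
        "email": {"type": "string"},
        "card_number": {"type": "string"},
        "amount_cents": {"type": "string"},
    },
}

# Tight contract for the same endpoint: types, formats, bounds, and no extra fields.
TIGHT_SCHEMA = {
    "type": "object",
    "required": ["email", "card_number", "amount_cents"],
    "additionalProperties": False,
    "properties": {
        "email": {"type": "string", "format": "email", "maxLength": 254},
        # 'luhn' is a custom format name used by this example, not a JSON-Schema built-in.
        "card_number": {"type": "string", "pattern": r"^[0-9]{13,19}$", "format": "luhn"},
        "amount_cents": {"type": "integer", "minimum": 1, "maximum": 1_000_000},
    },
}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of ASCII digits (card-number sanity check)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _check(path, spec, value, errors):
    """Recursively check `value` against the (small) schema subset used here."""
    t = spec.get("type")
    if t == "object":
        if not isinstance(value, dict):
            errors.append(f"{path}: expected object")
            return
        props = spec.get("properties", {})
        for name in spec.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, v in value.items():
            if name in props:
                _check(f"{path}.{name}", props[name], v, errors)
            elif spec.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: property not in contract")
    elif t == "string":
        if not isinstance(value, str):
            errors.append(f"{path}: expected string")
            return
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            errors.append(f"{path}: longer than {spec['maxLength']} characters")
        if "pattern" in spec and not re.fullmatch(spec["pattern"], value):
            errors.append(f"{path}: does not match pattern")
        fmt = spec.get("format")
        if fmt == "email" and not EMAIL_RE.match(value):
            errors.append(f"{path}: not an email address")
        if fmt == "luhn" and not (value.isascii() and value.isdigit() and luhn_ok(value)):
            errors.append(f"{path}: Luhn check failed")
    elif t == "integer":
        # bool is a subclass of int in Python; a contract saying "integer" must not accept true/false
        if isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"{path}: expected integer")
            return
        if "minimum" in spec and value < spec["minimum"]:
            errors.append(f"{path}: below minimum {spec['minimum']}")
        if "maximum" in spec and value > spec["maximum"]:
            errors.append(f"{path}: above maximum {spec['maximum']}")
    else:
        errors.append(f"{path}: unsupported type {t!r}")


def validate_request(schema, raw_body: str):
    """Return (allowed, errors) for a raw JSON request body. Malformed JSON is rejected."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, ["body: not valid JSON"]
    errors = []
    _check("body", schema, body, errors)
    return not errors, errors


# Constructed sample requests: one well-formed, one carrying injection-style junk.
GOOD_REQUEST = json.dumps(
    {"email": "alice@example.com", "card_number": "4111111111111111", "amount_cents": 1999})
BAD_REQUEST = json.dumps(
    {"email": "<script>alert(1)</script>@x",
     "card_number": "4111 1111 1111 1111' OR 1=1--",
     "amount_cents": "1999",
     "debug": True})

if __name__ == "__main__":
    for name, schema in (("loose", LOOSE_SCHEMA), ("tight", TIGHT_SCHEMA)):
        allowed, errs = validate_request(schema, BAD_REQUEST)
        print(f"{name} contract -> allowed={allowed}", *errs, sep="\n  ")
```

Run it and the loose contract lets the junk request through with no findings, while the tight contract rejects it on five separate grounds (bad email format, card number failing both the pattern and the Luhn check, an amount sent as a string, and an undeclared `debug` field). In a real pipeline the schema would come from the service’s OpenAPI document rather than a dict, and the rejection would happen in the gateway or sidecar in front of the service; the lesson is the same: a precise contract is what turns “it’s a string” into an enforceable rule.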