AppSentinels: Ensuring Adherence to SEBI’s CSCRF API Security Standards
API Security Requirements from the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI-Regulated Entities (REs)
Since 2015, the Securities and Exchange Board of India (SEBI) has introduced several cybersecurity and cyber resilience frameworks to address evolving cybersecurity risks and strengthen the resilience of regulated entities (REs). Additionally, SEBI has issued multiple advisories on best practices to guide REs in enhancing their cybersecurity posture.
To expand the scope of the existing frameworks, ensure uniformity in cybersecurity guidelines across all REs, and bolster mechanisms for addressing cyber risks, threats, and incidents, SEBI has formulated the Cybersecurity and Cyber Resilience Framework (CSCRF). This comprehensive framework provides a standardized approach to implementing robust cybersecurity and resilience strategies, tailored for SEBI-regulated entities.
APIs: Why They Matter in Application Security
APIs (Application Programming Interfaces) have become the backbone of modern digital ecosystems, enabling seamless integration and data exchange between a wide array of applications and services. However, the very attributes that make APIs so indispensable – their ubiquity and high functionality – also render them appealing targets for malicious actors.
According to Gartner, APIs have become the leading attack vector for applications since 2022, marking a pivotal shift in the application security landscape. This trend is driven by multiple factors:
- Access to Sensitive Data: APIs serve as gateways to critical and sensitive information, making them highly appealing to attackers.
- Access to unauthorized functionality: Authorization flaws in APIs can give attackers access to critical application functionality that is normally forbidden to regular users.
- Complexity: The diverse functionality and intricate nature of APIs make securing them a challenging task.
With the increasing reliance on APIs in financial market applications globally and a surge in API-related cybersecurity incidents, it has become evident that traditional security solutions are insufficient to protect them. Recognizing this gap, SEBI introduced API Security into its Cybersecurity and Cyber Resilience Framework (CSCRF) in the 2024 update. This addition provides actionable guidance to protect APIs against modern threats and ensure resilience in the evolving digital landscape.
API Security Requirements from CSCRF 2024 Update & Solutions
Our team has meticulously extracted key API security requirements from the CSCRF framework to assist security teams in better understanding these needs. Additionally, we provide solution guidance to demonstrate how AppSentinels can effectively address these requirements.
Below is a comprehensive list of API security requirements from the CSCRF framework, along with insights into how AppSentinels’ solutions can help meet them:
1. CSCRF Section Identify: Asset Management (AM.S1, ID.AM.S4) Page 90
- Requirement in CSCRF: All REs shall maintain an up-to-date inventory of their (including but not limited to) hardware and systems, software, digital assets (such as URLs, domain names, application, APIs, etc.), shared resources (including cloud assets), interfacing systems (internal and external), details of its network resources, connections to its network and data flows.
- AppSentinels Coverage: AppSentinels discovers all APIs in real time, including shadow, orphan, unused, authenticated and unauthenticated APIs, APIs accessed from public and private IPs, and new or modified APIs. It also discovers PII and other sensitive data in the APIs and provides a real-time risk score for each API.
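The inventory requirement above (ID.AM) is essentially a reconciliation problem: endpoints seen in traffic versus endpoints declared in documentation. The following is an added example (not AppSentinels or SEBI code) that tags observed endpoints as shadow, unauthenticated or public-exposed and lists orphan endpoints; the log format, the declared inventory and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed declared inventory: (method, path template) pairs, as an OpenAPI spec would list them.
DECLARED = {
    ("GET", "/v1/accounts/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/reports/daily"),  # documented but never called in the sample: orphan/unused
}
# Constructed sample access log (hypothetical format): METHOD PATH STATUS auth=yes|no ip=ADDR
ACCESS_LOG = """\
GET /v1/accounts/1042 200 auth=yes ip=10.1.2.3
POST /v1/orders 201 auth=yes ip=10.1.2.3
GET /v1/admin/export 200 auth=no ip=203.0.113.7
GET /v1/accounts/77 200 auth=yes ip=10.1.2.9
DELETE /v1/orders/5 204 auth=yes ip=198.51.100.4
"""
LOG_RE = re.compile(r"^(\w+) (\S+) (\d{3}) auth=(yes|no) ip=(\S+)$")

def normalize(path):
    """Collapse numeric path segments to {id} so /v1/accounts/1042 matches /v1/accounts/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def is_public(ip):
    """True unless the address is in an RFC 1918 private range (simplified check)."""
    return not (ip.startswith(("10.", "192.168.")) or re.match(r"^172\.(1[6-9]|2\d|3[01])\.", ip))

def reconcile(log_text, declared):
    """Tag each observed endpoint (shadow / unauthenticated / public-exposed) and list orphans."""
    observed = defaultdict(lambda: {"unauth": 0, "public": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        method, path, _status, auth, ip = m.groups()
        rec = observed[(method, normalize(path))]
        rec["unauth"] += auth == "no"   # at least one call carried no credentials
        rec["public"] += is_public(ip)  # reached from a non-private source address
    findings = {}
    for key, rec in observed.items():
        tags = ["shadow"] if key not in declared else []   # in traffic, absent from inventory
        tags += ["unauthenticated"] if rec["unauth"] else []
        tags += ["public-exposed"] if rec["public"] else []
        findings[key] = tags
    orphans = sorted(declared - set(observed))  # in inventory, never seen in traffic
    return findings, orphans
```

Running `reconcile(ACCESS_LOG, DECLARED)` on the sample flags the undocumented export and delete endpoints as shadow APIs and reports the daily report endpoint as an orphan.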
2. CSCRF Section Protect: Identity Management, Authentication and Access Control (PR.AA.S16 and PR.AA.S17) Page 101
- Requirement in CSCRF: API security protects against vulnerabilities and misconfigurations in the APIs and prevents their misuse. Thus, effective API security strategies like rate limiting, throttling, etc. shall be used while developing APIs to prevent overuse or abuse. If APIs have been provided by MIIs and consumed by REs then the onus of ensuring API security shall be on MIIs. MIIs shall have API security solutions in place for securing services and data transmitted through APIs.
- AppSentinels Coverage: AppSentinels performs stateful API testing, covering business logic flaws, the OWASP API Top-10 and OWASP Top-10 suites – providing the most comprehensive test coverage. This brings complete visibility into API misconfigurations, vulnerabilities and governance issues. Further, AppSentinels also provides run-time protection against known and unknown API attacks and API abuses, thereby protecting organizations from breaches, fraud and data loss.
- Requirement in CSCRF: Proper access management, and effective authentication and authorization shall be done to ensure that only the desired entities have access to the APIs.
- AppSentinels Coverage: AppSentinels detects the authentication mechanism used for every API. Further, it builds a deep understanding of the application's business logic, workflows and user journeys, and from that a comprehensive understanding of the fine-grained authorization controls each API requires – preventing unauthorized access to data and functionality in the application.
- Requirement in CSCRF: OWASP documentation for developing APIs shall be followed and OWASP top 10 API security risks shall be mitigated.
- AppSentinels Coverage: AppSentinels provides the most comprehensive coverage for the OWASP API Top-10 and beyond. It provides continuous API discovery and posture management, continuous automated pen-testing of APIs, runtime protection and remediation. It helps find OWASP API Top-10 and OWASP Top-10 issues early in the development cycle as well as protect the application against runtime attacks.
- Requirement in CSCRF: Connecting to entities via APIs shall be strictly on a whitelist-based approach.
- AppSentinels Coverage: AppSentinels provides insights into fine-grained access and authorization controls and enforces them. The platform also provides whitelisting controls, rate limiting, DDoS protection, geo-fencing and IP filtering, aligning with the security best practices outlined in the guidelines.
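PR.AA.S16/S17 asks for two controls in combination: a whitelist-based approach (a client may only reach the APIs it was explicitly granted) and rate limiting/throttling to prevent overuse or abuse. The following is an added example (not AppSentinels or SEBI code) of a policy gate that checks the allowlist first and only then spends a token-bucket credit, so rejected calls never consume a client's quota; the client ids, endpoints and bucket sizes are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed allowlist: client_id -> set of (method, path template) it may call. Anything else is denied.
ALLOWLIST = {
    "broker-42": {("GET", "/v1/accounts/{id}"), ("POST", "/v1/orders")},
    "reporting": {("GET", "/v1/reports/daily")},
}

@dataclass
class Bucket:
    """Token bucket: `capacity` burst, refilled continuously at `refill_per_sec`."""
    capacity: int
    refill_per_sec: float
    tokens: float
    last: float  # timestamp of the previous refill, in seconds

class ApiGate:
    def __init__(self, allowlist, capacity=5, refill_per_sec=1.0):
        self.allowlist = allowlist
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets = {}  # one bucket per client id

    def _take_token(self, client, now):
        """Refill the client's bucket up to `now`, then try to spend one token."""
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(self.capacity, self.refill, self.capacity, now)
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_sec)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False

    def decide(self, client, method, path, now):
        """Return 'allow' or a 'deny:<reason>' string; `now` is injected so decisions are reproducible."""
        allowed = self.allowlist.get(client)
        if not allowed:
            return "deny:unknown-client"       # not on the whitelist at all
        if (method, path) not in allowed:
            return "deny:not-allowlisted"      # known client, endpoint not granted
        if not self._take_token(client, now):
            return "deny:rate-limited"         # burst exhausted, refill not yet due
        return "allow"
```

Each deny reason is distinct so that it can be logged and alerted on separately; a sustained run of `rate-limited` or `not-allowlisted` decisions from one client is the abuse signal the requirement is aimed at.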
3. CSCRF Section – Information Protection Processes and Procedures – PR.IP.S15 – Page 113 & 114
- Requirement in CSCRF: All the categories of software solutions/ applications/ products for critical systems used by REs shall mandatorily pass through the following tests/ audits and compliances:
  - Application security testing:
    - Dynamic Application Security Testing (DAST) for scanning software applications in real time against leading vulnerability sources, such as OWASP Top 10, SANS Top 25 CWE, etc., to find security flaws or open vulnerabilities.
    - Static Application Security Testing (SAST) for analyzing program source code to identify security vulnerabilities such as SQL injection, buffer overflows, XML external entity (XXE) attacks, OWASP Top 10 security risks, etc.
  - Functional audit
  - Tests/ audits stated above at point 1 (a-b) shall be limited to cybersecurity aspects. Application security testing shall also include API security and API discovery. Scope of functional audit shall cover data integrity, report integrity, transaction integrity, etc.
- AppSentinels Coverage: AppSentinels performs stateful API testing, covering business logic flaws, the OWASP API Top-10 and OWASP Top-10 suites and beyond – providing the most comprehensive test coverage. The platform performs continuous automated API pen-testing, like an army of pen-testers finding security flaws around the clock, and greatly enhances the security testing capabilities of the organization. It covers entire application workflows and various scenarios with synthetic and stateful API testing.
About AppSentinels:
AppSentinels is a development-to-production, full-lifecycle API security platform that helps organizations DISCOVER APIs, SHIFT LEFT by helping developers build secure APIs faster, AND PROTECT RIGHT by helping security teams protect applications against run-time business-logic API attacks. The platform builds a deep white-box understanding of application behavior, including the various user journeys and business logic graphs, and uses this insight to protect APIs. Below are additional details about the capabilities:
- Discovery: API Discovery & Posture Management:
  - Gain unparalleled visibility and ensure no blind spots – cover all your API paths & application architectures
  - Discover Shadow, Orphan, Unused, Un-Authenticated, Sensitive, Privileged, Public or Internal, New or Changed APIs
  - Discover sensitive data exposure due to APIs
  - Get OpenAPI documentation for all APIs
  - Discover API Governance issues & Misconfigurations
  - Real-time API Risk Score
- Shift Left – Help Developers build Secure APIs Faster:
  - Automatically creates and runs application-workflow-specific test cases to offer PROACTIVE security
  - Tests APIs for Business Logic, OWASP API Top-10, OWASP Top-10, DoS/Rate-limit, fuzzing and many other kinds of tests
  - Stateful testing of complete user-journeys or workflows automatically
  - Augments security-testing capability. Acts like a 24×7 Pen-Tester or a bug-bounty hunter
  - Prioritizes issues that hackers can exploit
- Protect Right – Runtime Protection against business logic attacks & API abuses:
  - Run-time Protection against business-logic exploits, OWASP API Top-10, OWASP Top-10, etc.
  - API Schema conformance validation
  - Fraud & bot protection – Scraping, Carding, Credential stuffing, etc.
  - Attack Progression analytics with threat actors mapped to MITRE tactics
  - Manual OR fully automated enforcement
  - Block via inline sensors OR via integration with other devices
  - True DevSecOps – automatic triaging of malicious issues in Production
The platform can be used as a SaaS service or hosted on-premises in an air-gapped deployment. It supports all kinds of applications and onboards with minimal effort.
In summary, the AppSentinels API Security platform not only fulfills all the API security related requirements outlined in the 2024 update of the Cybersecurity and Cyber Resilience Framework (CSCRF) but also offers advanced, innovative capabilities. These cutting-edge features safeguard APIs from both known and emerging vulnerabilities, delivering robust protection, long-term investment value, and future-ready security for an evolving digital ecosystem.