Carlo De Micheli Of Equixly On Rethinking API Security

Published on: October 1, 2024
Roberto Popolizio

It’s hard for everyday people like you and me to stay on top of new cybersecurity threats and complex concepts while trying to protect our data and digital rights without giving up the convenience of our favorite apps and technologies.

In this interview series by Safety Detectives, I speak with cybersecurity experts who share actionable tips, insider knowledge, and predictions for the future, helping you understand what’s really happening with your data and how you can protect your digital life more effectively—without losing your sanity.

Carlo De Micheli is the Director of Product Marketing at Equixly, an Italian startup redefining API security through an innovative platform that identifies vulnerabilities during the software development lifecycle. Equixly has already secured €1.5 million in seed funding, and it’s preparing for the release of its stable version 1.0.

Is there a particular cyber threat or vulnerability that you think is underestimated in your industry? What makes it particularly dangerous, and why is it overlooked?

Broken authorization controls in APIs are often underestimated. Many focus on authentication, assuming that once a user is verified, the system is secure. Attackers, though, can exploit weak permission checks to access data or perform actions they shouldn’t.

📈 According to FireTail’s API data breach tracker, in 2023 alone, approximately 1.6 billion records were exposed due to API breaches, with the average breach compromising over 32 million records.

This is dangerous because even after proper authentication, attackers can manipulate requests to gain unauthorized access. It’s often overlooked because many assume that being authenticated means being fully secured.

Equixly uses AI and patent-pending technology to detect these types of vulnerabilities, commonly known as BOLA (Broken Object Level Authorization), among many others.

How do you help address these potential risks, and what proactive steps should consumers and organizations take to stay ahead of these threats?

We address them by conducting thorough API security testing, focusing on verifying that each endpoint properly restricts user actions. For organizations, implementing continuous testing is critical. We promote a shift-left approach, empowering developers and internal security teams with the right solution to find vulnerabilities early, before they make it into production code.

On a more general note, cybersecurity is seen as a constantly evolving battle against attackers. Who is winning?

Attackers seem to have an edge, largely due to their ability to quickly adapt and exploit new vulnerabilities before they’re patched. However, defenders are catching up with automated security solutions and AI-driven tools, which help identify bugs quicker than traditional methods. But for now, attackers still find ways to exploit gaps, especially in APIs that are not managed well from a security perspective.

Are there any myths or misconceptions in cybersecurity that need to be dispelled ASAP? How do they impact businesses or individuals?

One major misconception is that client-side controls are enough to secure an API. Businesses often assume users only interact with the system through the intended front-end interface. However, attackers can manipulate API calls directly, bypassing those client-side controls. This leads to business logic flaws and unauthorized actions, severely impacting data security.

At Equixly, we’ve recently been awarded bug bounties by companies such as Microsoft and OpenAI, specifically regarding API vulnerabilities in their systems. If even big tech-savvy corporations are vulnerable, you can imagine the vulnerabilities that other companies that don’t have enormous security budgets have. Banking, automotive, insurance, and healthcare companies would especially benefit from AI solutions to help patch any vulnerabilities before attackers find them.
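The two failure modes described in the answers above, broken object level authorization (an authenticated user reading another user's object by changing an id) and trusting client-side controls (a server accepting a value the front end was "supposed to" fill in), are easiest to see side by side in code. The following is an added example written for this page; it is not Equixly's code and not from the interview. It is framework-free (requests are plain dicts), all data is constructed sample data, and the handler, token and SKU names are assumptions for illustration.

```python
from dataclasses import dataclass, asdict

# Constructed sample data (not real): a server-side price list, session tokens
# and two existing orders with guessable sequential ids.
CATALOG = {"sku-1": 100.00, "sku-2": 25.50}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Order:
    id: int
    owner: str
    sku: str
    qty: int
    total: float


ORDERS = {
    1: Order(1, "alice", "sku-1", 1, 100.00),
    2: Order(2, "bob", "sku-2", 2, 51.00),
}


def authenticate(headers):
    """Map a bearer token to a user id; None if the token is missing or unknown."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    return SESSIONS.get(token[len("Bearer "):])


def _new_order(user, sku, qty, total):
    oid = max(ORDERS) + 1
    ORDERS[oid] = Order(oid, user, sku, qty, total)
    return asdict(ORDERS[oid])


# --- Vulnerable: authentication is checked, authorization is not ----------------

def get_order_vulnerable(req):
    """GET /orders/<id>: returns any order whose id the caller supplies (BOLA)."""
    user = authenticate(req["headers"])
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(req["path"]["id"])
    if order is None:
        return 404, {"error": "not found"}
    return 200, asdict(order)  # never checks that order.owner == user


def create_order_vulnerable(req):
    """POST /orders: trusts the unit_price the front end normally fills in."""
    user = authenticate(req["headers"])
    if user is None:
        return 401, {"error": "unauthenticated"}
    body = req["json"]
    total = body["unit_price"] * body["qty"]  # the client controls the price
    return 201, _new_order(user, body["sku"], body["qty"], total)


# --- Hardened: enforce ownership; recompute client-influenced values server-side

def get_order_secure(req):
    user = authenticate(req["headers"])
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(req["path"]["id"])
    # Same response for "missing" and "not yours": a distinct 403 would confirm
    # the id exists and turn sequential ids into an enumeration oracle.
    if order is None or order.owner != user:
        return 404, {"error": "not found"}
    return 200, asdict(order)


def create_order_secure(req):
    user = authenticate(req["headers"])
    if user is None:
        return 401, {"error": "unauthenticated"}
    body = req["json"]
    sku, qty = body.get("sku"), body.get("qty")
    if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
        return 400, {"error": "invalid sku or quantity"}
    total = CATALOG[sku] * qty  # price comes from the server, never from the client
    return 201, _new_order(user, sku, qty, total)


def as_alice(path=None, json=None):
    """Build a request as alice would send it after authenticating."""
    return {"headers": {"Authorization": "Bearer tok-alice"},
            "path": path or {}, "json": json or {}}


if __name__ == "__main__":
    # alice reads bob's order simply by changing the id in the URL
    print(get_order_vulnerable(as_alice(path={"id": 2})))
    print(get_order_secure(as_alice(path={"id": 2})))
    # alice buys sku-1 at a price she chose herself, bypassing the front end
    cart = {"sku": "sku-1", "qty": 3, "unit_price": 0.01}
    print(create_order_vulnerable(as_alice(json=cart)))
    print(create_order_secure(as_alice(json=cart)))
```

The point of the hardened handlers is that the permission check and the price calculation both happen on the server with values the server already holds; nothing the client sends beyond the identifier, SKU and quantity is trusted, and the caller learns nothing about objects it does not own.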

Where do you see the biggest challenges in the next few years, and how can companies and people in your industry prepare for them? What are you doing in this regard?

The biggest challenge will be managing the complexity of interconnected systems and the growing number of APIs in use. As businesses scale or merge, APIs get difficult to track, and securing every endpoint becomes an uphill battle. At Equixly, we also provide an API inventory, which is always updated based on the findings of our AI-powered algorithms. This ensures visibility into all active APIs, even any previously considered “shadow APIs.” For companies, adopting real-time API inventories and regular security audits will be crucial to stay ahead of attackers and abide by regulations.

If there was one key takeaway you wish our readers could bring home from our conversation, what would it be?

Visibility is essential. You can’t secure what you can’t see, so ensuring full visibility into all API endpoints and running continuous scans should be top priorities for any organization looking to improve its cybersecurity posture.

How can our readers connect with you?

Website: https://equixly.com/

Blog: https://equixly.com/blog/

LinkedIn: https://www.linkedin.com/company/equixly/

X: https://x.com/equixly

About the Author

Roberto Popolizio

Over a decade spent helping affiliate blogs and cybersecurity companies increase revenue through conversion-focused content marketing and Digital PR linkbuilding.
