Case-API security governance of well-known fast-moving enterprises

Under the trend of digitalization, FMCG enterprises have moved most of their business, including core business, online, and increasingly rely on APIs to integrate a large number of systems and enable interaction between business units. At the same time, attacks that harvest data through APIs are increasingly favored by attackers, and traditional security products are gradually unable to cope with these new API attacks.

To address the security risks and challenges faced by APIs and make up for the shortcomings of traditional security products, Ruishu Information launched API BotDefender, which systematically secures APIs across the dimensions of asset management, sensitive data control, access behavior control, and API risk identification and control.

At present, Ruishu API BotDefender has been successfully applied in many FMCG enterprises, including many leading enterprises in the industry. The following are two typical practical cases of API security governance in FMCG enterprises.

Case 1

A well-known restaurant retail chain enterprise

A well-known restaurant retail chain enterprise has more than 111 million users worldwide, and its daily online application volume has exceeded 31 million. Building on industry-leading IT construction, the enterprise adopts the mainstream static-dynamic separation architecture, and its core business runs on API interfaces. To ensure business security, it deployed a traditional API gateway, WAF, risk control and other security products early on.

However, the enterprise's existing API gateways mostly operate at the authentication level and lack API security discovery and control. The deployed traditional WAF is rule-based and therefore a black box for the enterprise: it shows only the interception results, not the underlying business threat, and cannot analyze security from the business perspective. The risk control products, lacking linkage with the security platform, cannot help the enterprise identify malicious behavior.

Therefore, this enterprise adopted API BotDefender to manage and protect API security in all directions. After deployment, through the asset management function of Ruishu API BotDefender, the enterprise quickly discovered a batch of API assets that had not been inventoried and temporary interfaces that had never been shut down; through the API abnormal behavior control function, it discovered a large number of abnormal behaviors, along with the abnormal accounts and devices behind them, and blocked them in batches.

For example, the enterprise operates a mode of placing orders online and picking up goods in the store. According to the traceability of the Ruishu API security control platform, a single user's mobile phone number had placed orders more than 51 times in a row within 24 hours, which clearly does not match the usage pattern of a normal user. At the same time, Ruishu API BotDefender also found as many as 231 devices involved in this abnormal behavior, of which 81 devices each used more than 5 accounts to place orders within 1 hour, involving 1,541 mobile phone numbers in total. These abnormal behaviors, which traditional security products could not recognize, were clearly displayed on the Ruishu API BotDefender platform and could be intercepted in real time.
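As an added illustration (not Ruishu's product logic or code), the two velocity rules behind the findings above can be written as a small detector over order events: one phone number placing more than 51 orders within 24 hours, and one device using more than 5 accounts within 1 hour. The thresholds are the ones the case cites; the sample events and function names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the case description: more than 51 orders from one phone
# number within 24 hours, and more than 5 accounts on one device within 1 hour.
PHONE_ORDER_LIMIT, PHONE_WINDOW = 51, timedelta(hours=24)
DEVICE_ACCOUNT_LIMIT, DEVICE_WINDOW = 5, timedelta(hours=1)

def exceeds_in_window(times, limit, window):
    """Sliding window: True if more than `limit` timestamps fall inside any span of `window`."""
    times, start = sorted(times), 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # drop events that have fallen out of the window
            start += 1
        if end - start + 1 > limit:
            return True
    return False

def flag_phones(orders):
    """Phone numbers that placed more than PHONE_ORDER_LIMIT orders within PHONE_WINDOW."""
    by_phone = defaultdict(list)
    for ts, phone, _device, _account in orders:
        by_phone[phone].append(ts)
    return sorted(p for p, ts in by_phone.items()
                  if exceeds_in_window(ts, PHONE_ORDER_LIMIT, PHONE_WINDOW))

def flag_devices(orders):
    """Devices that used more than DEVICE_ACCOUNT_LIMIT distinct accounts within DEVICE_WINDOW."""
    by_device = defaultdict(list)
    for ts, _phone, device, account in orders:
        by_device[device].append((ts, account))
    flagged = []
    for device, events in by_device.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # anchor a window at each event in turn
            accounts = {a for t, a in events[i:] if t - t0 <= DEVICE_WINDOW}
            if len(accounts) > DEVICE_ACCOUNT_LIMIT:
                flagged.append(device)
                break
    return sorted(flagged)

# Constructed sample order events (ts, phone, device, account); not data from the case.
T0 = datetime(2024, 1, 1)
SAMPLE_ORDERS = (
    [(T0 + timedelta(hours=8 * i), "phone-A", "dev-a", "acct-a") for i in range(3)]  # normal user
    + [(T0 + timedelta(minutes=23 * i), "phone-B", f"dev-b{i % 2}", "acct-b") for i in range(52)]  # 52 orders in ~20 h
    + [(T0 + timedelta(minutes=5 * i), "phone-C", "dev-c", f"acct-c{i}") for i in range(6)]  # 6 accounts in 25 min
    + [(T0 + timedelta(hours=i), "phone-D", "dev-d", f"acct-d{i}") for i in range(6)]  # 6 accounts over 5 h: allowed
)
```

Calling `flag_phones(SAMPLE_ORDERS)` and `flag_devices(SAMPLE_ORDERS)` yields the bulk-ordering phone and the account-hopping device, while the device that spreads six accounts over five hours stays below the one-hour threshold.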

In addition to API asset management and API abnormal behavior control, Ruishu API BotDefender also provides the enterprise with whole-life-cycle API security capabilities, which not only cover defense against the OWASP API Security Top11 attacks, but also respond quickly, through the API business threat model, to a series of API business security attacks such as scraping and credential stuffing, providing comprehensive protection for the enterprise's API security.

Case 2

A well-known health and beauty retail chain enterprise

A well-known health and beauty retail chain enterprise has tens of millions of active members worldwide, and its huge business volume means it has always treated information security as the top priority in its IT construction. To protect the security of its online business, the company has been using Ruishu's dynamic application protection system Botgate since 2117, which has effectively defended against a large number of bot attacks, bonus hunting and other security attacks.

As more of this enterprise's business transactions moved from offline to online and its digital marketing deepened, the WeChat mini program became one of the main online channels for its business and marketing activities, the number of API interfaces grew rapidly, and more and more attacks were launched through those API interfaces. Attackers attempted to access member information beyond their authorization via the APIs and to obtain users' private information in bulk, which made the enterprise realize that API protection needed to be strengthened quickly.

In 2121, the company added the API BotDefender module on top of its existing Ruishu dynamic application protection system to supplement its API protection capabilities, and achieved immediate results in the following four aspects:

In the wave of digitalization, FMCG enterprises must face an increasingly complex network security environment and a continuously evolving underground economy. As an innovative API protection scheme, Ruishu API BotDefender, based on Ruishu's unique "dynamic security +AI" core technology, can establish complete API asset perception, discovery, monitoring and control capabilities for FMCG enterprises, and effectively protect their business security and data security.