One of the most significant API security challenges organizations face is API visibility: most cannot say exactly how many APIs they currently have. The gap is a product of the widely distributed nature of API development and deployment. APIs were historically used internally to connect back-end systems, and developers often had free rein to deploy as they needed, with minimal oversight or security involvement. Today API usage has expanded across the organization and the network, acting as the conduit between public-facing web applications and back-end systems.
Regardless of how an API is used, one deployed without visibility and oversight becomes a shadow API (unknown or undocumented) or a zombie API (deprecated or superseded but still reachable), the condition OWASP catalogs as API9 (Improper Assets Management). These APIs lurk in the background waiting to be discovered and exploited, as shown in the API Protection Report – First Half 2022, where roughly 31%, or 5 billion, of the 16.7 billion malicious transactions targeted shadow and zombie APIs. Their unknown, unmanaged, and often unsecured nature makes them easy for attackers to find: study an organization's documented APIs, then fuzz or modify parameter values, enumerate neighboring endpoints and other version prefixes, and replay the requests against different hostnames to surface variants nobody is watching.
Stronger API Security Begins with Complete API Visibility
The dual nature of APIs, an increasingly popular developer tool and a favorite target of threat actors, means companies must prioritize discovering their entire API footprint. One approach to the API discovery challenge is to force all APIs through a single chokepoint. However, the widely distributed nature of API development and deployment makes this cumbersome to implement and enforce, and any API that bypasses the chokepoint stays invisible.
An alternative approach is to gain API visibility by observing traffic as it traverses the different network infrastructure components. Public-facing APIs may traverse a CDN or be managed by an API gateway. In other cases the APIs reside within the datacenter or a microservices environment, where they traverse a proxy or a service mesh. As mentioned in previous blogs, the Cequence UAP integrates with leading CDNs and API gateways, and it can also integrate with service meshes and proxies, helping organizations gain complete API visibility from the edge to the datacenter while minimizing workflow disruptions.
- Service Mesh Integration: Whether they are deployed in the cloud or not, many organizations are using cloud-native development principles to build and deploy new applications more rapidly. Two integral components of cloud-native applications are microservices and the APIs that act as the glue between them. A service mesh plays a critical role in incorporating DevSecOps principles by adding security and reliability to the connections between microservices across infrastructures without any additional application code. Discovering all the API endpoints exposed by microservices and securing them is difficult due to the rapid pace of development and the inherently distributed nature of these applications. Integration with Istio and Tetrate Service Bridge helps solve these challenges with centralized discovery of APIs, detection of security risks and threats, and inline protection against those threats.
- Proxy Integration: To enable analysis of API and web application traffic, the Cequence UAP can integrate with NGINX, Envoy, and F5 BIG-IP proxies. The versatile nature of a proxy allows it to be deployed almost anywhere within your IT infrastructure, from the datacenter and microservices environments to the cloud. Once deployed, administrators can selectively choose the API and web traffic that needs to be inventoried, analyzed, and protected.
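To make the traffic-observation approach concrete, here is an added example written for this post (it is not Cequence code and does not reflect how the UAP works internally). It turns a handful of constructed proxy access-log lines into a normalized endpoint inventory, diffs that inventory against a constructed gateway registry, and labels each observed route as known, zombie (registered as deprecated, or an unregistered version or hostname variant of a registered route, which is exactly what the version-swapping enumeration described above turns up), or shadow (no registered route at all). All hostnames, paths, and the registry are illustrative assumptions.

```python
"""Derive an API inventory from proxy access logs and diff it against the
gateway registry, flagging shadow and zombie endpoints.

Added example for this post; it is not Cequence code. The log lines, the
registry, and the hostnames are all constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample: one line per request as a proxy or mesh sidecar might
# log it ("<host> \"<method> <path> HTTP/x\" <status>"). Real NGINX/Envoy
# formats carry more fields; only these four are needed here.
ACCESS_LOG = """\
api.example.com "GET /v2/users/123 HTTP/1.1" 200
api.example.com "GET /v2/users/456/orders?limit=5 HTTP/1.1" 200
api.example.com "POST /v1/users/123/password HTTP/1.1" 200
api.example.com "GET /v2/users/789 HTTP/1.1" 200
api.example.com "GET /v1/users/123 HTTP/1.1" 200
api-old.example.com "GET /v1/users/123 HTTP/1.1" 200
api.example.com "GET /internal/debug/config HTTP/1.1" 200
api.example.com "GET /v2/users/123 HTTP/1.1" 200
"""

# Constructed gateway registry: (method, host, path template) -> lifecycle state.
REGISTERED = {
    ("GET", "api.example.com", "/v2/users/{id}"): "active",
    ("GET", "api.example.com", "/v2/users/{id}/orders"): "active",
    ("GET", "api.example.com", "/v1/users/{id}"): "deprecated",
}

_LOG_LINE = re.compile(r'^(\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})\s*$')
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)
_VERSION_PREFIX = re.compile(r"^/v\d+(?=/|$)")


def normalize_path(target: str) -> str:
    """Drop the query string and collapse numeric / UUID segments to {id} so
    /v2/users/123 and /v2/users/789 count as one route."""
    path = target.split("?", 1)[0]
    return "/".join("{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def strip_version(template: str) -> str:
    """/v1/users/{id} -> /users/{id}; used to spot the same route under another version."""
    return _VERSION_PREFIX.sub("", template) or "/"


def build_inventory(log_text: str, registry: dict) -> dict:
    """Return {(method, host, template): {"category", "requests", "note"}}.

    known  - registered and active
    zombie - registered as deprecated, or an unregistered version/host variant
             of a registered route (attackers find these by swapping /v2 for /v1)
    shadow - no registered route matches at all
    """
    observed = Counter()
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        host, method, target, _status = m.groups()
        observed[(method, host, normalize_path(target))] += 1

    # Index registered routes by (method, versionless template); prefer the
    # active entry when v1 and v2 of the same route are both registered.
    by_versionless = {}
    for (method, host, template), state in registry.items():
        key = (method, strip_version(template))
        if key not in by_versionless or state == "active":
            by_versionless[key] = (host, template)

    report = {}
    for key, count in observed.items():
        method, host, template = key
        state = registry.get(key)
        if state == "active":
            category, note = "known", ""
        elif state == "deprecated":
            category, note = "zombie", "registered as deprecated"
        else:
            sibling = by_versionless.get((method, strip_version(template)))
            if sibling:
                category = "zombie"
                note = f"unregistered variant of {sibling[0]}{sibling[1]}"
            else:
                category, note = "shadow", "no registered route"
        report[key] = {"category": category, "requests": count, "note": note}
    return report


def summarize(report: dict) -> dict:
    """Count endpoints per category, e.g. {'known': 2, 'zombie': 2, 'shadow': 2}."""
    return dict(Counter(entry["category"] for entry in report.values()))


if __name__ == "__main__":
    inventory = build_inventory(ACCESS_LOG, REGISTERED)
    for (method, host, template), entry in sorted(inventory.items()):
        print(f"{entry['category']:6} {entry['requests']:3} {method:5} {host}{template}  {entry['note']}")
    print(summarize(inventory))
```

In practice the registry would be exported from the gateway's route configuration and the log lines would come from the proxy or mesh telemetry the integrations above provide; the point of the diff is that the old-hostname `/v1` route and the undocumented `/internal/debug/config` path only show up because traffic was observed, not because anyone registered them. The path normalization is deliberately minimal (numeric and UUID segments only); a production inventory also needs to recognize tokens, slugs, and other high-cardinality segments, or it will report one shadow route per user ID.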
Secure All Your APIs with Cequence Unified API Protection
The Cequence Unified API Protection (UAP) solution addresses the challenges of API sprawl with a broad set of technology integrations designed to ensure visibility into all APIs regardless of how and where they are deployed. Deployed as SaaS or in a hybrid architecture, the Cequence UAP solution integrates with service meshes and proxies to provide full coverage for each phase of the API protection lifecycle. Cequence UAP features include:
- Discover Public-Facing API Attack Surface: API development and deployment is often distributed across many groups, introducing the risk of APIs being deployed as shadow APIs. The Cequence UAP solution addresses that challenge by continuously assessing your public-facing APIs and resources to provide an attacker's view of your organization's attack surface, including cloud hosting services, any associated API endpoints, and servers that may be vulnerable to Log4j and LoNg4j exploits.
- Centralized Inventory Tracking of Known and Unknown APIs: The Cequence UAP solution integrates with a range of infrastructure components to provide centralized API visibility and inventory tracking of all the APIs deployed and managed by the respective API gateways. Unregistered or unknown APIs are also discovered, allowing security and development teams to migrate those shadow APIs to the appropriate API gateway so that security and governance policies are applied consistently.
- Strengthen Compliance and Data Governance Controls: Cequence helps organizations enforce compliance and governance controls with proactive API risk analysis and remediation. Predefined and custom risk assessment rules based on the OWASP API Security Top 10 help teams find and remediate coding errors that introduce sensitive-data-handling and authentication vulnerabilities, the kind that lead to data governance and compliance violations.
- Detect Sophisticated API Attacks: The Cequence UAP solution detects threats to your APIs using ML-based analysis, a threat database with millions of records, and behavioral fingerprinting to identify and continually track sophisticated API attacks as they retool to evade detection.
- Flexible, Real-Time Mitigation Responses: Real-time responses to API attacks range from basic blocking and rate limiting to HTTP header insertion and deception, all executed inline, per policy or per app, without reliance on integration with third-party WAFs.