Discover Public API Attack Surface with new API Spyder

June 7, 2022 | by Subbu Iyer

API Spyder

Today, we are proud to announce the availability of API Spyder, the newest addition to the Cequence Unified API Protection (UAP) solution. The Cequence UAP is the only offering on the market today that protects your APIs from attackers and eliminates unknown and unmitigated API security risks that can lead to data loss, fraud, and business disruption.

Agentless API Attack Surface Discovery

Most organizations lack visibility into their public-facing API attack surface. Attack surface management products discover public-facing assets like exposed ElasticSearch servers, S3 buckets and IP address ranges. However, they do not discover API servers or endpoints hosted on them, like login and authentication endpoints or health monitoring endpoints . Runtime API security products like Cequence API Sentinel discover and catalog the runtime API inventory once applications have been onboarded. leveraging traffic data from those applications.

API Spyder complements the runtime discovery of API Sentinel by discovering public-facing API servers without requiring any changes or deployments in the organization. It is a multi-tenant SaaS service that only requires the user to enter a top-level domain name (TLD) and then crawls that domain to find API assets that are visible under that TLD. This may include GraphQL servers, REST servers, assets hosted on various IaaS/cloud providers and those behind a content delivery network (CDN) or a web application firewall (WAF). All at the user’s fingertips, in minutes.

Predictive Crawling to Uncover Public API Assets

API Spyder uses the TLD provided by the user to discover API servers publicly exposed under that domain. It crawls each such server with an intelligent crawling technology that can uncover common API paths exposed, including login/auth endpoints, health metrics, exposed files, and other common implementations of API servers. Regular web crawling, like what bots like Google Bot do, does not uncover API servers or endpoints. It is incredibly hard to find the API endpoints using merely a server name without knowing the API specification (as defined by OpenAPI/Swagger). API Spyder overcomes this hurdle with an intelligent crawling technology called Predictive Crawling that uncovers API endpoints under each server, with zero-knowledge about that API server.

API Spyder uncovers the following information about an organization’s API attack surface:

  • API Hosting Providers – providing data on CDNs, infrastructure as a service (IaaS) providers, and software as a service (SaaS) solutions, where APIs are found to be hosted.
  • API Servers – providing the names of servers that are found to host APIs along with the API endpoints that they’re found to be hosting.
  • Security Issues – including vulnerabilities such as Log4j, LoNg4j, and exposed non-production APIs that are then classified as High, Medium, and Low severity issues.

API Spyder report summary

Automated Crawls and Notifications

One certain thing about attack surfaces is that they are never constant. Application teams are constantly onboarding new applications in different environments – on-premises or in the cloud. As a security leader, it is hard to keep track of these new applications that come up daily.

API Spyder alleviates this issue by automatically crawling the organization’s domains and determining if new API servers, hosting providers, or security issues like Log4j vulnerabilities are discovered. If found, notifications are sent to the admin users automatically to alert them of the new findings.

This proactively brings attack surface discovery changes to the user’s fingertips instead of having to search for changes manually.

API Spyder notifications

Summarizing Findings in Reports

Findings can be summarized in an easy-to-generate exec summary report for senior security leaders to analyze where their API servers are hosted, and any immediate steps they need to take to remediate security issues. This helps enterprises prioritize the remediation of urgent security issues like Log4j vulnerabilities.

API Spyder findings

Getting Started

API Spyder is the newest offering in the Cequence Unified API Protection solution. The Cequence Unified API Protection solution is the only offering on the market today that protects your APIs from attackers and eliminates unknown and unmitigated API security risks that can lead to data loss, fraud, and business disruption.

You can get started with API Spyder by requesting a free 10-day trial

Subbu Iyer

Subbu Iyer

Vice President of Product Management

Additional Resources

Get an attacker’s view of your API attack surface now. Free, no obligation API assessment Arrow icon