External Attack Surface Management for APIs

September 28, 2022 | by Tony Bailey

API Attack Surface Management

The Attack Surface Has Grown with API Usage

Application programming interfaces (APIs) help ensure a smooth running and engaging experience for mobile and web applications. For example, consumers are leveraging APIs behind the scenes when they use a mobile app to access their video streaming service, or their bank account records. In addition, online business to business (B2B) transactions between partners use APIs to enable their ordering and billing systems to communicate and share data.

The popularity of web and mobile apps for consumers and businesses continues at an astonishing rate. In fact, a recent study reported that there were over 230 billion mobile app downloads to connected devices in 2021. This growth in the use of mobile and web applications has resulted in potentially billions of API-driven transactions taking place every day. Cequence Security reported that of the 21.1 billion transactions analyzed in the last half of 2021, over 14 billion were API transactions.

However, with this growing application use and resulting API transaction activity, the attack surface which consists of all possible points, or attack vectors, where an unauthorized user can access a system and extract data has also grown. And attackers are taking notice of this expanded attack surface and exploiting APIs, resulting in theft, fraud, and business disruption.

According to Gartner, API attacks involving unmanaged, and unsecured APIs will become the most-frequent attack vector, causing a growing number of data breaches for enterprise web applications.

Yet even without the prevalence of APIs, attack surface management is challenging, with multiple facets that include, but are not limited to, asset discovery and management, vulnerability analysis, penetration testing, configuration management, and continuous monitoring. While there are multiple, well-defined categories of solutions from vendors that exist to secure the attack surface such as extended detection and response (EDR or XDR), security information and event management (SIEM) and security orchestration automation and response (SOAR), they do not focus on APIs as much. That’s because these strategies have no way to “know the unknown,” meaning they can’t look for all APIs and API vulnerabilities without knowing where to look. In addition, they fail to uncover and assess security risk into the external APIs that are only discoverable through an edge deployment or outside of the organization’s footprint.

The Challenges of An Effective External Attack Surface Management Program

The problem is that for already stretched applications and IT security teams, the challenge of securing an ever-changing API infrastructure as part of an effective attack surface management (ASM) program, without slowing down API usage and growth is becoming increasingly critical and difficult. This is due to the sheer volume of API transactions and the fact that APIs provide well-defined doorways into the data and business processes of organizations. Attackers are relentless and sophisticated, and they are pulling out all the stops to exploit API-related attack surfaces with successful attacks using vulnerabilities such as those identified in the OWASP API Security Top 10.

In addition, managing the attack surface can be more complicated because while some attacks focus on incorrectly coded or misconfigured APIs, even the most compliant and secure APIs can be exploited by attackers in the form of business logic abuse and automated threats resulting in data loss, fraud, and business disruption. And when APIs lack even the most basic security practice and standards such as weak or absent authentication, sensitive data exposed in clear text, or non-conformance to basic and required API specifications; they become easy targets, creating both security exposure and compliance risk.

When it comes to the external attack surface and protecting APIs, security teams simply lack the visibility and defense capabilities they need to reduce their ever-growing risk profile from APIs and other application connections. These teams often deploy an ASM strategy by extending their existing security tools such as web application firewall (WAF) mitigation and API gateways to manage their known attack surface.

These security efforts to manage, extend, exert and shift fall short by leaving the organization with unknown and unmitigated security and compliance exposure from “shadow” APIs and infrastructure. What’s more, they don’t provide a means to detect and block sophisticated attacks that look like legitimate traffic or transactions but are attempts to evade and commit fraud and theft.

Attack Surface Management and Requirements for Protection of APIs

What can security teams do to ensure their ASM program assists in the effort for protection of APIs?

First, they need visibility into all APIs, including internal-facing and external-facing. An external-facing view of APIs is particularly important as often this is what an attacker sees when they’re trying to figure out what to exploit. In fact, external attack surface management (EASM) can be viewed as an extension of ASM and incorporates the ability to have visibility into internet-facing assets, so that security teams can assess the security posture of the entire internal and external attack surface.

By being able to see exactly what an attacker sees from an outside-in perspective such as sub-domains, the cloud hosting service in use, any associated API endpoints, and the servers that may be exploitable using vulnerabilities such as Log4j, security teams can better continuously assess their organization’s public facing APIs and resources.

Yet while it’s all well and good to have this visibility into the attack surface, security teams then need to inventory all APIs and ensure their compliance with API specifications, to ensure APIs are free of errors, misconfigurations, and vulnerabilities.

Finally, there needs to be a way to protect APIs, even those that are perfectly coded, leveraging real-time, native, and robust inline threat prevention, stealthily blocking attacks without manual intervention or false positives.

Attack Surface Management – Powered by Cequence Unified API Protection

The Cequence Unified API Protection (UAP) solution is the only offering that addresses all phases of the API protection lifecycle to defend APIs from attackers. Used as part of an ASM approach, UAP discovers all external-facing and internal APIs, and eliminates unknown and unmitigated API security risks that can lead to data loss, fraud, and business disruption. UAP uses behavioral fingerprints to track and block threats with unmatched efficacy, regardless of the evasive tactic employed, without relying on 3rd-party tools such as a WAF. Flexible response options include block, rate-limit, geo fence and deception.

The Unified API Protection solution is comprised of:

API Spyder: Discovers public facing APIs and automates monitoring of API attack surface management without installing or configuring anything. API Spyder continuously assesses an organization’s public facing APIs and resources, reporting exactly what an attacker sees from an outside-in perspective. API Spyder discovers an organization’s sub-domains, cloud hosting services in use, any associated API endpoints, and the servers that may be exploitable using vulnerabilities such as Log4j and LoNg4j. Results are visualized in an interactive dashboard, and reports that highlight the API-specific risks that exist in an organization’s externally accessible environment, significantly strengthening its ASM capabilities.

Continuous Attack Surface Monitoring

Cequence UAP provides continuous ASM monitoring with scheduled API security assessments to track progress and ensure no resources are exposed

Spyder Issues

Cequence UAP strengthens ASM capabilities by discovering publicly exposed API domains to help eliminate shadow APIs 

API Sentinel: Provides an inside-out view of APIs by integrating with any network infrastructure element to create an up-to-the-minute catalog of all APIs, managed and unmanaged. Predefined ML-based risk assessment rules help uncover sensitive data handling, weak or missing authentication, and specification conformance coding errors for remediation.

Bot Defense: Detects and prevents the most sophisticated automated API attacks and business logic abuse using hundreds of ML rules that leverage an API threat database with billions of malicious behaviors, IP addresses and organizations. Native, policy-based response options ensure that any detected attack is blocked, in real-time, without reliance on a third-party WAF or other security component.

Get Started Today to See How Cequence Can Help You with Attack Surface Management and API Protection

Get A Free Security Assessment of Your API Attack Surface

Tony Bailey

Author

Tony Bailey

Senior Director of Product Marketing

Additional Resources