API discovery is the practice of finding all your APIs, regardless of location or type: internal, external, third-party, managed, unmanaged, zombie and shadow. API discovery is the most critical aspect of a strong API security posture because APIs are now an integral component of every organization’s digital ecosystem. They proliferate across your organization, driving seamless data transfers to improve operational efficiencies, customer experiences and business growth. Organizations need to manage and secure their APIs effectively, but to do so they must first know the extent of their API usage and build an inventory of the APIs in use across the organization. API discovery offers granular visibility into your apps, their spread, availability, accessibility and whether they are protected or unprotected. This visibility lets you secure your APIs and helps you achieve your governance and compliance goals.
What API Security Insights Does the Right Discovery Approach Offer?
A Cequence Security and ESG survey provided some interesting results on the topic of API visibility, with 37% of organizations finding it difficult to gain visibility into their API usage. This significantly impacts their API security initiatives. Two critical problems that API discovery seeks to address are shadow and zombie APIs. Shadow APIs are undocumented APIs that fall outside an organization’s governance and security processes. Zombie APIs are APIs that are outdated, deprecated or abandoned, yet remain publicly accessible and unknown to the organization. Such APIs may have vulnerabilities that criminals exploit, which puts critical organizational data at risk. While organizations know that shadow and zombie APIs may exist in their environment, the extent to which these APIs are used can only be understood through API discovery. Without continuous API discovery, organizations will continue to suffer from the triple threat of API proliferation, lack of visibility, and continuously evolving attacks.
What are the Limitations of Existing API Discovery Approaches?
While there is no doubt about the importance of API discovery from the API management and security perspective, organizations typically rely on a traditional inside-out discovery approach. The inside-out approach involves continuously identifying and tracking API sprawl from within. The challenge with an inside-out only view is that it does not show you what an attacker sees when they scan your site for possible attack targets.
An outside-in approach performs a complete analysis of your organization’s public domain to understand the API attack surface, effectively seeing what the attacker sees. Armed with outside-in results, security teams can apply attack surface management principles to secure and protect the previously unprotected APIs and resources.
Given an attack surface enlarged by API proliferation and threats that keep evolving, a single approach that offers only limited visibility into API usage and associated vulnerabilities is not enough. Instead, the right approach to API discovery is to combine the inside-out and outside-in approaches to comprehensively understand how your data is moving through all your APIs.
What Security Insights Does the Right Discovery Approach Offer?
Security is only as good as your visibility into your organization’s assets, including your APIs. You cannot protect what you cannot see; or, more precisely, you cannot confidently protect assets you have no visibility into, and those assets can become a weak link in the security chain. When you discover all managed and unmanaged APIs across your application environment, you gain meaningful and actionable security insights that improve your security posture. The top five discovery insights include:
- Lack of Authentication: Authentication is an essential requirement for securing APIs, but many APIs have no authentication mechanism in place or have very weak authentication; in both cases, this is a huge security gap that attackers easily exploit.
- Lack of Encryption or Masking: Many organizational APIs handle sensitive data fields whose values should be hidden through the proper security controls. Attackers who intercept requests and responses have a much harder job if the values in those requests and responses are encrypted or masked. Unfortunately, this is not the case across many APIs: sensitive data remains unmasked or unencrypted and can be easily exposed. API discovery can identify such APIs so that the issue can be addressed promptly.
- Information Exposure: APIs should share information as per their specification; not more, not less, just enough. Still, certain APIs go above and beyond their remit and expose more data than they are supposed to, which causes a security issue. This usually happens because developers forget to minimize fields to those essential for the process. API discovery throws light on such APIs.
- The Shadow API Problem: Shadow APIs offer a way for cybercriminals to infiltrate your enterprise network and are problematic because security teams may be unaware both of the APIs themselves and of the vulnerabilities they carry. Only through API discovery can you unearth shadow APIs that remain hidden from view and unsecured. Uncovering these substantial blind spots ensures these backdoors can be shut with proper security controls in place.
- API Misuse: Suspicious use of APIs is another problem unearthed in the API discovery phase. A steady increase, excessive volume, or a sudden burst of traffic on an API can be a red flag for security teams and warrants further analysis of the reasons behind the spike. Traffic from countries where the company has no business operations is another suspicious scenario that must be investigated and addressed.
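The five insights above can be derived mechanically from observed traffic once an inventory exists. The added example below (not Cequence code; the traffic records, the documented inventory and the sensitive-field and allowed-country lists are constructed for illustration) normalizes observed request paths into endpoints, classifies each as known, shadow or zombie against the documented inventory, and flags unauthenticated access, unmasked sensitive fields and traffic from unexpected countries.

```python
import re
from collections import defaultdict

# Constructed sample of observed API traffic (not real data): one dict per request.
OBSERVED = [
    {"method": "GET", "path": "/v2/users/1042", "auth": True, "country": "US",
     "resp": {"id": 1042, "email": "a@example.com", "ssn": "123-45-6789"}},
    {"method": "GET", "path": "/v2/users/77", "auth": True, "country": "US",
     "resp": {"id": 77, "email": "b@example.com", "ssn": "***-**-4321"}},
    {"method": "GET", "path": "/v1/users/77", "auth": False, "country": "US",
     "resp": {"id": 77}},
    {"method": "POST", "path": "/internal/export", "auth": False, "country": "BR",
     "resp": {"ok": True}},
]
# Constructed inventory the governance process already knows about.
DOCUMENTED = {("GET", "/v2/users/{id}"): "active", ("GET", "/v1/users/{id}"): "deprecated"}
SENSITIVE = {"ssn", "card_number"}      # fields that must be masked in responses
ALLOWED_COUNTRIES = {"US"}              # where the business operates (constructed)

def normalize(path):
    """Collapse numeric path segments so /users/42 and /users/77 count as one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def discover(records):
    """Group traffic by endpoint and derive the discovery insights for each one."""
    seen = defaultdict(list)
    for r in records:
        seen[(r["method"], normalize(r["path"]))].append(r)
    report = {}
    for endpoint, reqs in seen.items():
        status = DOCUMENTED.get(endpoint)
        report[endpoint] = {
            # undocumented -> shadow; documented but deprecated yet still serving -> zombie
            "class": "shadow" if status is None else "zombie" if status == "deprecated" else "known",
            "unauthenticated": any(not r["auth"] for r in reqs),
            # a sensitive field counts as unmasked if any observed value carries no mask characters
            "unmasked": sorted({k for r in reqs for k, v in r["resp"].items()
                                if k in SENSITIVE and "*" not in str(v)}),
            "unexpected_geo": sorted({r["country"] for r in reqs} - ALLOWED_COUNTRIES),
        }
    return report

if __name__ == "__main__":
    for endpoint, insight in discover(OBSERVED).items():
        print(endpoint, insight)
```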
What is an Ideal Process?
An ideal API discovery process must include both an outside-in and an inside-out perspective that helps organizations comprehensively discover APIs, continuously refresh their API inventory, and assess their risk profile. But discovering and classifying APIs is not enough; the results of the API sweep must be delivered through a dashboard that is easy to understand and interpret. Anyone looking at this dashboard must be able to get the insights they are looking for regarding the extent of API usage, associated threats and corrective action.
With Cequence API Spyder, you can conduct an API sweep from an outside-in perspective, helping organizations discover and categorize publicly accessible API endpoints, find their hosting providers and deliver the needed remediation notifications and reports to the security teams in a timely manner.
Cequence API Sentinel drives API discovery from the inside-out by integrating with the entire API lifecycle to deliver 360-degree visibility into the length and breadth of your APIs, both public and internal facing. This helps IT security teams leverage various metrics to understand threats, violations, and risks and take corrective steps.
With a complete, 360-degree view of your API inventory, you can then conduct a thorough risk assessment and remediation effort that will allow you to begin eliminating API risk at every phase of your API protection.