According to Gartner, there are as many as 40 vendors in the (fragmented) API security space. Many take the approach of targeting development with new variations of testing tools or ways to fix/augment shift left efforts. API Sentinel takes a different approach, beginning on the “right” with complete visibility of all APIs at runtime. Once discovered, the APIs can be analyzed, gaps remediated and threats prevented, augmenting shift left efforts.
API Security: A CISO Led Initiative
With a firm belief that you need to shield right in order to shift left, runtime visibility first approach was how a large multi-national cosmetics customer chose to pursue their API security initiative. The customer is a heavy producer and user of APIs with development teams distributed around the world, augmented by a small group of third-party organizations. As happens with many organizations, their long-time use of APIs, the distributed nature of their development and lack of well-documented processes meant that they lost track of their APIs. The CISO told the team that 2021 was the year they would regain control of their API footprint in order to avoid any potential security incidents.
Easy and Straightforward Deployment
The team began their API security quest with four API security vendors that ranged from developer/testing tools focus to runtime security. Two of the four were quickly eliminated because of their primary focus on the development side and the team felt they needed to first gain a better understanding of what their API footprint really was (at runtime).
For the final Proof of Value (PoV), API Sentinel was deployed as SaaS-public cloud hybrid to analyze a small set of both external and internal APIs. A configuration change to redirect their external APIs to the API Sentinel SaaS instance and a Defender deployed in Azure Kubernetes Service to capture internal API traffic was completed in a matter of hours. Initial feedback from the customer team was positive – the other solution was cumbersome to deploy, requiring more time and effort.
API Discovery and Visibility Surprises
No one really likes surprises, particularly security professionals, unless the surprise is discovered before an attacker. In this case, API Sentinel discovered all of the APIs, complete with usage and geolocation statistics. The next level of visibility was the risk analysis, where API Sentinel discovered a few security gaps that development quickly remediated. The discoveries included:
- Internal APIs that had been inadvertently exposed to the public.
- Authentication errors and inconsistencies including no authentication, API token proliferation and non-null value auth tokens in use.
- A few APIs were exposing sensitive data in the form of (too much) user information.
Lastly, API Sentinel discovered anomalous traffic from an unknown organization scanning the customers’ API specification framework. Further investigation found it to be an API scanning tool, a new class of API testing tools that, like other tools, can also be used for malicious purposes. In this case, the tool was using a non-standard browser routed through a set of known bad IPs. The goal of the bad actor was to find all the API endpoints to then determine how they work and uncover exploitable gaps. The tool was quickly blocked to prevent further reconnaissance.
API Sentinel addressed the critical visibility requirement with flying colors. Not only was API Sentinel fast and easy to deploy, but it also discovered the APIs and some security gaps that were closed before they could become incidents. Using API Sentinel is driving collaboration between security and development, strengthening shift left efforts by uncovering inconsistencies in API coding and specification conformance without adding more work to the development team.