USE CASE

API Discovery and Risk Classification

APIs have become the connective tissue enabling developers to create effective, feature-rich software solutions. If they are left unattended, APIs can also become a dangerous attack surface, exposing a company to data loss, fraud and business disruption.
The dual nature of APIs — as an increasingly popular tool and a favorite target of threat actors — means companies must prioritize discovering their whole API footprints. Organizations are often using far more APIs than they are aware of, with third-party, deprecated and shadow APIs posing an extra risk.
API footprints today have become so large and varied that they may be impossible to accurately discover through a simple inside-out inspection. Companies should therefore adopt a complementary outside-in API discovery, revealing their complete attack surface, as seen by potential attackers.

The Importance of API Discovery and Classification

Poor API visibility is the No. 1 challenge companies face today. This is because of a simple fact — IT security teams can’t protect their APIs if they don’t even know they’re there. Both external-facing and wholly internal APIs may be unknown or unmanaged, due to the sheer volume of APIs organizations and their developers often end up using.
Organizations that don’t update their API discovery procedures may be inadvertently allowing the publication of hidden APIs, shadow APIs, deprecated APIs, unvetted third-party APIs and APIs that don’t conform with specifications to operate. Risks associated with these APIs include:

Vulnerabilities

that can lead to data theft, fraud and business disruption.

Elevated risk

of business logic abuse or automated bot exploitation.

Susceptibility

to inadvertent data exposure and regulatory noncompliance.
Even a single API related data loss or security incident can be hugely costly to a company’s finances with the Ponemon institute estimating that a single PCI compliance violation can cost as much as 4M per incident. The damage to the company reputation can be immeasurable, making automated API discovery a priority for any organization with a significant API footprint. In today’s API-heavy development environment, the majority of businesses fall into this category.

The Mechanics of API Discovery and Classification

Discovering APIs and classifying them based on their details and relative risk are essential parts of an organization’s overall API protection strategy. Businesses must perform comprehensive sweeps, ideally using both outside-in and inside-out perspectives, and then keep refreshing their view of their API inventory through continuous risk and standards conformance assessments.
The results of the discovery process should be visible through easy-to-interpret dashboards and displays. This clarity ensures IT security teams receive all necessary information about their current risk exposure, as well as what corrective actions to take.
Achieving this level of visibility and monitoring excellence is best accomplished with a combination of technology tools. The Cequence Unified API Protection solution contains both outside-in and inside-out discovery systems, letting businesses take better control of their API footprints and limit potential attack surfaces.
Get Started with Cequence Security
Organizations that rely on APIs to power their business trust Cequence Security to proactively and predictively protect billions of API calls every day—without disruption to existing infrastructure and workflows.
Cequence API Spyder
API Discovery from the Outside-In
Outside-in API discovery is based on a simple yet important concept. To gain a complete picture of their API threat exposure, organizations need to see their APIs the way potential threat actors do. Cequence API Spyder accomplishes this task through cloud-based probing techniques that don’t require companies to deploy any software nor does it require any traffic redirects or network changes.
The solution can:
The solution can:
  • Discover and categorize all publicly accessible API endpoints, even those not present in API catalogs or conforming to an API specification.
  • Find all API hosting providers for publicly accessible APIs.
  • Ensure there are no servers at risk of Log4j, or additional unpatched servers with the Log4j vulnerability hidden within their digital supply chain, labeled LoNg4j or other vulnerabilities.
  • Deliver timely notifications to IT security teams via email when the potential attack surface changes.
  • Generate actionable weekly reports with lists of suggested remediation steps. Listings are categorized by type and level of risk, and help security personnel reign in their API footprint.
With Cequence API Spyder in place, organizations can detect in-depth details about their attack surfaces, including hard-to-detect risk factors such as unpatched Log4j/LoNg4j servers, inadvertent exposure of an API specification in development, a health-monitoring API endpoint or a non-production server listing internal server endpoints.
In today’s sprawling API footprints, it’s easy for such API risks to escape discovery. By taking a unique perspective, Cequence API Spyder makes a major contribution to discovery efforts.
Cequence API Sentinel
API Discovery from the Inside-Out
Effective inside-out API discovery comes from API integration with IT infrastructure components to ensure that even potentially risky API types become visible. Cequence API Sentinel can deliver better performance than siloed API visibility technology or tools for the development team. It does so by becoming a part of the API management infrastructure and the continuous integration and deployment pipeline.
The solution can:
The solution can:
  • Integrate with the whole API lifecycle using a default set of REST APIs.
    • Spec Management pushes new specifications to API Sentinel.
    • Discovery collects API metrics from other sources on the network.
    • Export sends API Sentinel findings to analysis tools.
  • Deliver 360-degree visibility into an organization’s API footprint, showing both public-facing and internal APIs, and enabling IT security teams to drill down into metrics such as risk level, category and even geographic usage.
  • Use built-in and custom parameters to identify APIs that may be exposing sensitive data and putting the business at risk of regulatory compliance violations.
  • Detect potential coding inconsistencies and errors, using either existing risk assessment and OpenAPI specification conformance rules or user-specified custom rules.
  • Automatically generate OpenAPI specifications for those APIs without a specification.
By using Cequence API Sentinel, companies can create more comprehensive maps of their respective API footprints, updated continuously to account for threats. Risk factors can encompass more than just deprecated and shadow API endpoints, but may also include coding errors or a lack of conformance with specifications such as OpenAPI.
In today’s sprawling API footprints, it’s easy for such API risks to escape discovery. By taking a unique perspective, Cequence API Spyder makes a major contribution to discovery efforts.

Get Started on API Discovery and Classification as Part of Unified API Protection

Using the Cequence Unified API Protection solution means going beyond methods of API security that only account for a single part of the security process. In addition to both outside-in and inside-out automated API discovery service offerings, users also gain ongoing API threat detection and prevention capabilities.
Organizations with visibility into their complete API footprints and attack surfaces have a greater awareness of the types of threats they may face and their relative risk of any of each of their APIs. They can then use this knowledge to inform their ongoing efforts to detect advanced threats and prevent attacks from granting threat actors access to their data and networks.
Request a free API Protection Assessment to understand your current API security posture and get started finding your ideal API protection solution.

Get an Attacker’s View
into Your Organization

New Research Discovers More Than 30% of All Malicious Attacks Target Shadow APIs. Learn more Arrow icon