In my last blog post I explained why organizations deem API security crucial and why the currently marketed solutions are irrelevant.
However, much like COVID, inadequate security solutions can mutate. Nowadays, poor API security solutions sound like a real peach. How? They hand out empty promises, bombard you with buzzwords and obfuscate the meaning of what's important.
Here is what you should know:
1. Shadow or Rogue APIs are APIs you are not aware of. If they are routed through your central gateway, they are not Shadow APIs. Solutions that rely only on integrating with your API gateway will, by definition, never be able to find Shadow APIs. If it's on the API gateway, just open the UI and look. Worst case, ask the DevOps team to give you a read-only user or to send you an automated list.
2. Shadow or Rogue APIs are not APIs with an outdated OpenAPI specification. Outdated OpenAPI specifications are not a security issue. You're going to have millions of those since developers write code faster than they write docs. It's true that having specs is helpful but for the love of god, don't purchase an API security solution just to get schemas or OpenAPI specifications.
3. Simulated attacks are not actual attacks and prove nothing. If you decide to go ahead and examine an API security solution, never use simulated attacks. It's like testing a bulletproof window with a rock. Let it run on the real-time traffic. Found any actual issues that were proven to be true? Good. Produced noisy false "attackers" that no one would ever bother looking into anyway? Found no actual vulnerability? Throw it out.
4. They said or wrote "OWASP Top 10" more than ten times? It's a scare tactic. Thanks to COVID you can just lower your Zoom volume to zero and raise it back up when the Boogeyman is gone.
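To make point 1 concrete: a Shadow API only shows up where the gateway is not looking, so the inventory you get from the gateway has to be compared against traffic observed somewhere else (an edge load balancer, a reverse proxy, network flow logs). The following is an added example, not code from the original post; the gateway inventory, the log format and the path-prefix depth are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed gateway inventory: (host, route prefix) pairs the central
# API gateway actually routes. In practice this comes from the gateway's
# read-only UI/API export, as suggested in point 1.
GATEWAY_ROUTES = {
    ("api.example.com", "/v1/users"),
    ("api.example.com", "/v1/orders"),
}

# Constructed edge (load balancer) access log: "host method target" per line.
# Real logs will have more fields; only these three matter here.
EDGE_LOG = """\
api.example.com GET /v1/users/42
api.example.com POST /v1/orders
legacy.example.com GET /internal/export?all=1
api.example.com GET /v2/users
10.0.3.7 GET /debug/env
"""

LINE_RE = re.compile(r"^(?P<host>\S+) (?P<method>[A-Z]+) (?P<target>\S+)$")


def route_key(host, target, depth=2):
    """Reduce a request to (host, prefix) so /v1/users/42 matches /v1/users.

    depth=2 is an assumed heuristic for versioned paths like /v1/resource;
    tune it to your own routing layout. Query strings are discarded.
    """
    path = urlsplit(target).path
    parts = [p for p in path.split("/") if p][:depth]
    return (host, "/" + "/".join(parts))


def find_shadow_apis(log_text, gateway_routes, depth=2):
    """Return {(host, prefix): hit_count} for traffic the gateway knows nothing about."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        key = route_key(m["host"], m["target"], depth)
        seen[key] = seen.get(key, 0) + 1
    # Anything observed at the edge but absent from the gateway inventory is a
    # Shadow API candidate: an unknown host, an unregistered version, a bare IP.
    return {k: n for k, n in seen.items() if k not in gateway_routes}


if __name__ == "__main__":
    for (host, prefix), hits in sorted(find_shadow_apis(EDGE_LOG, GATEWAY_ROUTES).items()):
        print(f"shadow candidate: {host}{prefix} ({hits} requests)")
```

Traffic that already matches the inventory is silently dropped; the three remaining entries (an unknown host, an unregistered /v2 version, and a raw IP) are exactly what a gateway-only tool can never see.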