API Security — Why API Discovery Matters

David Thomason
Post Featured Image

The proliferation of APIs has begun.

Businesses rely on APIs more than ever before, and API usage continues to accelerate. The sheer scale of API usage is staggering. Essentially, every application and device connects or communicates with an API, which is why it shouldn’t be surprising that API calls represent 83% of all web traffic. (Okay, that actually is surprising).

APIs are also the new cybersecurity battlefield. As more and more companies publish their APIs and connect them to the open web, cyber attackers have increased their exploitation of this attack vector. What’s more, APIs have been in use for decades — pre-dating AppSec teams, API gateways, and the OWASP API Top 10. It’s only a matter of time for bad actors to sniff out legacy or shadow APIs that don’t comply with your current processes and standards.

Today, businesses need to reduce the risk of their growing API vulnerabilities. To support the needs of businesses, Noname Security developed the D.A.R.T. API Security Strategy, which stands for:

  • Discover: Find and inventory all APIs, including legacy and shadow APIs

  • Analyze: Detect suspicious behavior, misconfigurations, and attackers to ensure APIs are only used as intended

  • Remediate: Prevent attacks, address anomalies, and resolve misconfigurations

  • Test: Actively test APIs to verify the integrity before and after deployment

The first component of the D.A.R.T. API Security Methodology — Discover — is the most critical because, if done poorly, precludes Analyze, Remediate, and Test.  For example, if you haven’t discovered the full depth and breadth of your APIs, the value and effectiveness of Analyze,  Remediate, and Test are significantly diminished.

What is API Discovery?

API discovery refers to finding and inventorying APIs, as well as gathering rich data from the API. Simply knowing that an API exists doesn’t improve your security posture. Who or what is accessing each API? And what data is each API sending? This information can be derived from the API header and body.

The “header” refers to meta-data associated with the delivery of API requests and responses. And the “body” refers to the data being sent to and from the API.

An effective API security platform discovers all of this information so you have the visibility and understanding necessary to analyze and remediate potential vulnerabilities.

Why is API Discovery Important?

“Hope is not a strategy.”

Today, businesses do not have a complete inventory of all of their APIs. This poses a significant risk. Misconfigurations, suspicious behavior, and cyber attacks can occur unabated without the business’s knowledge. And once an API issue is found, it can take a substantial amount of time to investigate the incident to determine severity and conduct root cause analysis.

The lack of visibility isn’t just due to legacy APIs that pre-date API management or security solutions. The demands of the business often force dev teams to choose speed over security. A culture that revolves around velocity can incentivize shortcuts where APIs may be routed through a simple proxy. Enterprises won’t have deep insights into these “rogue” APIs and, in some cases, won’t have any visibility at all.

A good API security platform requires strong API discovery features. Enterprises need a way to automatically find and inventory all APIs, including legacy and rogue APIs, as well as catalogue all the data and meta-data of the APIs.

API discovery is the critical first step in the D.A.R.T. API Security Strategy, and a prerequisite for any enterprise looking to reduce risks.

The Noname API Security Platform offers industry-leading API discovery with a solution that runs completely out-of-band. No agents, no network modifications, no friction. Let’s discover all your APIs.

API Security eBook