
What is API Discovery?


Application Programming Interfaces (APIs) have revolutionized IT and software development, enabling a level of flexibility in application integration that few anticipated before they became standard. Their adoption has brought one serious problem, however: APIs running in production without anyone knowing they exist. This may sound strange, but it is a very common situation, and one that exposes an organization to a range of security risks and operational difficulties. Organizations therefore need tools that identify these shadow or rogue APIs before someone else finds and exploits them. API discovery is the process of finding such APIs, building a useful API inventory, and determining whether each one needs security remediation or decommissioning.

How rogue APIs get loose “in the wild”

There are a variety of ways an API can “go rogue.” One is an administrator switching on an API that ships with a commercial software package. These products often contain APIs that can be activated when someone wants to connect the application to another application or data source, or that serve up data when invoked; once enabled, they are easy to forget.

An unknown API might also be an old version that never got retired. v1 of an API is replaced by v2, but some applications are still calling v1 because they have not updated their calls. Someone on the team is told to keep an eye on v1 and take it offline once usage drops to nothing. Often, the person charged with that responsibility leaves the company, gets reassigned, or simply forgets, and v1 keeps running.

In another scenario, an API that was formally decommissioned but never actually shut down turns rogue. This happens a lot, and in many cases the person who built the API has quit or moved to another role and forgotten all about it. These are sometimes called “zombie APIs.”

Alternatively, someone develops an API, but the right people never hear about it. For instance, people who report to a line of business (LOB) rather than to IT may be tasked with building APIs to meet that unit's needs. Or, given the accelerated pace of digital transformation, developers may spin up APIs without going through the proper security and inventory processes, being more concerned with execution than procedure. These are known as “shadow APIs,” a close relative of shadow IT: no one except the creator knows they are there.

Why do these APIs remain hidden? One reason is a common fallacy among IT staff that API gateways and Web Application Firewalls (WAFs) automatically see every API operating in the environment. They do not. A gateway does provide visibility for the traffic it handles, since it serves as a central point for API traffic and policy enforcement, but not every API call goes through it. An API whose calls bypass the gateway is effectively invisible to any inventory built from the gateway's view.


Security risks from rogue APIs

A rogue API is dangerous precisely because it has bypassed whatever security testing the organization performs. So when should that testing happen? The best answer is “as early as possible,” which means testing pre-production. Like other security testing in software development, API security testing should “shift left,” moving to the earliest possible stage of the development cycle. That is when developers are most familiar with the code they just wrote, rather than code from a month or six months ago, so testers can catch and remediate security issues before they reach production.

Once an application is in production, fixing a security problem becomes more expensive and disruptive. With CI/CD, new code, and a new vulnerability with it, can reach production every hour, so it pays to be on top of API security testing before code reaches the end of the pipeline. A further best practice is to follow up with post-production API security testing. This catches flaws that only arise in production and are hard to detect earlier, such as production configuration issues.

How API discovery works

API discovery, which is available in the Noname Security Posture Management module, searches an entire environment and finds all the APIs it contains, including rogue, legacy, and shadow APIs, and builds a comprehensive inventory from them. It is almost guaranteed that the IT department will look at this inventory and say, “Wow, we had no idea that API was there!” or “Wow, that's still running? Oops!” Well, at least now they know.

The Posture Management solution works by “listening” to network traffic and detecting API calls. It does this on a copy of the traffic rather than inline, so it does not affect network performance. It watches for XML, JSON and other markers of API calls crossing the network; those payload formats are strong indicators of API traffic. If the API behind a call is not already known, it is added to the inventory.

The Posture Management platform then determines which APIs are critical to the business and, for the entire inventory, identifies misconfigurations and vulnerabilities in source code, network configuration, and policy. It draws on a broad collection of sources to detect vulnerabilities, including log files, replays of historical traffic, and configuration files. Detection covers the vulnerability categories in the OWASP API Security Top 10.

The solution also:

  • Discovers what kinds of sensitive data each API can access, e.g., credit card numbers, phone numbers and social security numbers, and identifies which APIs in the inventory can reach that data.
  • Reports how many users accessed sensitive data over the APIs in the inventory.
  • Categorizes APIs by type, e.g., HTTP, RESTful, GraphQL, SOAP, XML-RPC, JSON-RPC, and gRPC.
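The discovery loop described above (passively classifying mirrored traffic, normalizing endpoints into an inventory, tagging the sensitive data each endpoint handles, and surfacing endpoints the gateway has no record of) is easier to reason about with a concrete implementation. The following is an added example and not Noname Security's code; the traffic sample, the host names and the gateway inventory are all constructed for illustration, and the sensitive-data patterns are deliberately narrow stand-ins for the much larger pattern sets a product would carry.

```python
"""Passive API discovery over mirrored HTTP traffic (added example, not Noname's code)."""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: request/response pairs as a tap on a mirrored link might deliver them.
SAMPLE_TRAFFIC = [
    {"method": "GET", "url": "https://shop.example.com/api/v2/orders/42", "req_ct": "", "req_body": "",
     "resp_ct": "application/json",
     "resp_body": '{"id":42,"card":"4111111111111111","phone":"+1-415-555-0142"}'},
    {"method": "GET", "url": "https://shop.example.com/api/v1/orders/42", "req_ct": "", "req_body": "",
     "resp_ct": "application/json", "resp_body": '{"id":42,"card":"4111111111111111"}'},
    {"method": "POST", "url": "https://legacy.example.com/ws/customer", "req_ct": "text/xml",
     "req_body": '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                 '<soap:Body><GetCustomer><ssn>123-45-6789</ssn></GetCustomer></soap:Body></soap:Envelope>',
     "resp_ct": "text/xml", "resp_body": "<soap:Envelope>...</soap:Envelope>"},
    {"method": "POST", "url": "https://shop.example.com/graphql", "req_ct": "application/json",
     "req_body": '{"query":"{ user(id: 7) { email } }"}', "resp_ct": "application/json",
     "resp_body": '{"data":{"user":{"email":"a@example.com"}}}'},
    {"method": "POST", "url": "https://grpc.example.com/inventory.Stock/Check", "req_ct": "application/grpc",
     "req_body": "", "resp_ct": "application/grpc", "resp_body": ""},
    {"method": "GET", "url": "https://www.example.com/index.html", "req_ct": "", "req_body": "",
     "resp_ct": "text/html", "resp_body": "<html>...</html>"},
]

# Constructed: what the API gateway knows about. Observed endpoints missing from this set
# are the shadow/zombie candidates, since the gateway never saw their traffic.
GATEWAY_INVENTORY = {("shop.example.com", "/api/v2/orders/{id}"), ("shop.example.com", "/graphql")}

ID_SEG = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)
CARD = re.compile(r"\b\d{13,19}\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE = re.compile(r"\+\d{1,3}[-\s]?\d{3}[-\s]?\d{3}[-\s]?\d{4}\b")  # narrow: E.164-style with separators


@dataclass
class Endpoint:
    host: str
    path: str
    kind: str
    methods: set = field(default_factory=set)
    sensitive: set = field(default_factory=set)
    hits: int = 0
    in_gateway: bool = False


def normalize_path(path: str) -> str:
    """Collapse numeric and UUID segments so /orders/42 and /orders/43 count as one endpoint."""
    return "/".join("{id}" if ID_SEG.match(seg) else seg for seg in path.split("/"))


def classify(flow: dict):
    """API style implied by content type and body, or None for non-API traffic such as HTML."""
    ct = (flow["req_ct"] or flow["resp_ct"]).lower()
    body = flow["req_body"]
    if ct.startswith("application/grpc"):
        return "gRPC"
    if "xml" in ct:
        if re.search(r"<(\w+:)?envelope\b", body, re.I):
            return "SOAP"
        return "XML-RPC" if "<methodcall>" in body.lower() else "XML"
    if "json" in ct:
        try:
            obj = json.loads(body) if body else {}
        except ValueError:
            obj = {}
        if isinstance(obj, dict) and "query" in obj:
            return "GraphQL"
        if isinstance(obj, dict) and "jsonrpc" in obj:
            return "JSON-RPC"
        return "REST/JSON"
    return None


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random run of 16 digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def sensitive_types(text: str) -> set:
    """Sensitive data categories present in one payload."""
    found = set()
    if any(luhn_ok(m) for m in CARD.findall(text)):
        found.add("credit_card")
    if SSN.search(text):
        found.add("ssn")
    if PHONE.search(text):
        found.add("phone")
    return found


def discover(flows, gateway_inventory) -> dict:
    """Build the endpoint inventory, keyed by (host, normalized path), from observed flows."""
    inventory = {}
    for flow in flows:
        kind = classify(flow)
        if kind is None:
            continue
        parts = urlsplit(flow["url"])
        key = (parts.hostname, normalize_path(parts.path))
        ep = inventory.setdefault(key, Endpoint(key[0], key[1], kind, in_gateway=key in gateway_inventory))
        ep.hits += 1
        ep.methods.add(flow["method"])
        ep.sensitive |= sensitive_types(flow["req_body"]) | sensitive_types(flow["resp_body"])
    return inventory


def shadow_apis(inventory: dict) -> list:
    """Endpoints seen on the wire that the gateway has no record of."""
    return sorted(key for key, ep in inventory.items() if not ep.in_gateway)


if __name__ == "__main__":
    inv = discover(SAMPLE_TRAFFIC, GATEWAY_INVENTORY)
    for (host, path), ep in sorted(inv.items()):
        flag = "" if ep.in_gateway else "  <-- not in gateway inventory"
        print(f"{host}{path} [{ep.kind}] hits={ep.hits} sensitive={sorted(ep.sensitive)}{flag}")
```

Run against the constructed sample, the report lists five endpoints (the HTML page is dropped), and three of them are absent from the gateway's view: the v1 orders endpoint still serving card numbers alongside v2, the legacy SOAP service taking social security numbers, and a gRPC service nobody registered. That gap between "seen on the wire" and "known to the gateway" is the output discovery exists to produce; a real deployment would feed it from a span port or tap rather than an in-memory list and would carry far richer classifiers.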

As Posture Management discovers APIs and potential security issues, it enables system owners to prioritize next steps. The platform facilitates manual, semi-automated, or fully automated remediation of API security problems. 

As you can see, APIs tend to proliferate, and more rogue APIs survive in the wild than most admins would guess. Undiscovered APIs operating out of sight of security managers are a recipe for a breach. To mitigate this risk, it is essential to conduct API discovery of some kind. Solutions like Noname Security Posture Management provide fast, automated API discovery, along with ways to remediate the security problems found in the process.