What is API Discovery?
Application Programming Interfaces, or APIs, have transformed the world of software development, enabling applications and services to communicate with each other. One serious problem has emerged with the adoption of APIs, however: the tendency for some APIs to run in production without anyone knowing they exist.
Though very common, this lack of API visibility exposes organizations to a range of security risks and business disruptions. Accordingly, security teams need tools that can ensure these shadow or rogue APIs are identified before they are exploited. The process of finding such APIs is what's known as API discovery. It is the only way to create a complete and accurate inventory of the APIs you have.
The importance of API discovery
API discovery is important because it helps developers quickly find their APIs, especially those best suited for use in their apps or websites. It also helps them mitigate risk by uncovering hidden exposures, such as shadow APIs that handle sensitive data like credit card numbers, social security numbers, and other personally identifiable information (PII). The importance of API discovery is rapidly increasing as more companies use APIs to build their products and services.
What are zombie and rogue APIs?
There are a variety of ways an API can “go rogue.” A rogue API might be an old version of an API that never got uninstalled. What can happen is that v1 of an API gets replaced by v2. Some applications are still calling v1, however, even after v2 has been deployed.
A person on the team is told to monitor v1 and take it offline once usage declines. Unfortunately, what often occurs is that this person leaves the company, gets reassigned, or simply forgets to shut down v1. On a small scale, this may not be terribly risky. But considering that organizations are managing and updating thousands of APIs, they are leaving themselves considerably vulnerable to threats.
In another scenario, an API that was officially decommissioned but stayed in operation can turn rogue. This happens a lot. Usually the person who created the API has quit or moved to another role and has forgotten all about the API they built. These are sometimes called “zombie APIs.”
What are shadow APIs?
Alternatively, someone might develop an API without the right people knowing about it. For instance, developers who report to a line of business (LOB) instead of IT could be tasked with creating APIs. These are known as “shadow APIs.” No one except the developers who built them knows they are there.
Why do shadow APIs remain hidden?
One reason is that many in IT believe API gateways and web application firewalls (WAFs) can see all active APIs. This is not always the case. API gateways are a vital API management tool and do provide some visibility since they serve as a central point for API traffic and policy enforcement. However, not all API calls go through the gateway.
Oftentimes we encounter organizations that deployed APIs before they started taking API security seriously. To make matters worse, the employees who were responsible are likely no longer with the company. If a call doesn’t pass through the gateway, the API is effectively invisible to it. This means that if you don't invest in an API discovery tool, you'll likely have several shadow APIs operating unnoticed.
Security risks from hidden APIs
APIs operating without any security controls are bad enough. Add the fact that you can't find these APIs, and it's safe to say they are just waiting to be exploited. This is an ideal scenario for attackers, because they can access data without anyone knowing, which gives them time not only to extract data but also to explore new attack vectors.
To make matters worse, you also won't know what type of data these shadow APIs are sending and receiving. Many APIs transmit sensitive data like phone numbers, addresses, credit card information, health records, etc. So if one day you're the unfortunate victim of a breach, you could be looking at some pretty hefty regulatory fines.
Manual vs automatic API discovery
The manual approach is the most common way of discovering APIs. It involves searching for APIs on the internet and then using tools like cURL to make API calls. This process has been around for a long time and takes a lot of time and effort: the general rule of thumb is 40 hours to find and document each API. It is, unfortunately, still the tactic most frequently used by many companies.
Automated API discovery tools offer the opposite experience. With the right API discovery tool, you can quickly and easily find and inventory all of your APIs in a fraction of the time. And that's all your APIs – not just the ones your API management platform knows about.
Finding your APIs
As you can see, APIs tend to proliferate, with more rogue APIs surviving in the wild than most admins might guess. Having undiscovered APIs operating out of sight of security managers is a recipe for cyber disaster. It is almost guaranteed that there are more active APIs than the IT department knows about.
To mitigate this risk, it is essential to conduct API discovery of some kind. A good discovery tool should be able to build a complete inventory of your APIs. Solutions like Posture Management provide automated API discovery along with ways to remediate the security problems it finds in the process.
The industry standard for API discovery
Noname Security offers an industry-leading automated API discovery tool that helps you find APIs by “listening” to network traffic and detecting API calls. The tool integrates with your existing API infrastructure and runs out of band, so network performance isn't impacted. The solution monitors traffic and flags XML, JSON and other indicators of API calls passing through the network.
Once APIs are found, the platform references a broad collection of sources to identify misconfigurations and vulnerabilities. These include log files, replays of historical traffic and configuration files, and much more. The Posture Management platform can detect all vulnerabilities in the OWASP API Security Top 10.
The solution also:
- Discovers what kinds of sensitive data the APIs can access, like credit card data, phone numbers and social security numbers.
- Uncovers how many users accessed sensitive data over the APIs in the inventory.
- Groups APIs by type, e.g., HTTP, RESTful, GraphQL, SOAP, XML-RPC, JSON-RPC, and gRPC.
- Identifies which APIs are able to access credit card data, phone numbers, social security numbers, and other sensitive data.
- Enables users to fix API security issues by integrating with their current ITSM and SIEM workflows.
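The passive, traffic-based discovery described above and the v1-still-in-use scenario from the rogue API section can both be illustrated with a small inventory script. This is an added example, not Noname's code: it reads constructed traffic records (a passive tap would supply real ones), picks out API-like requests by content type and path shape, compares them against a hypothetical gateway inventory to surface shadow endpoints, and flags older API versions that still receive traffic as zombie candidates.

```python
import re
from collections import defaultdict

# Constructed sample traffic (not real data): "method path status content_type"
# per line, as a passive network tap or access log might record requests.
TRAFFIC = """\
GET /api/v2/customers/1042 200 application/json
POST /api/v2/customers 201 application/json
GET /api/v1/customers/77 200 application/json
POST /billing/v1/payments 200 application/json
POST /legacy/soap/OrderService 200 text/xml
GET /static/logo.png 200 image/png
GET /index.html 200 text/html
"""

# Hypothetical list of endpoints the API gateway already manages.
GATEWAY_INVENTORY = {("GET", "/api/v2/customers/{id}"), ("POST", "/api/v2/customers")}

API_CONTENT_TYPES = ("application/json", "application/xml", "text/xml", "application/grpc")
API_PATH = re.compile(r"^/api/|/v\d+/")   # heuristic: /api/ prefix or a version segment
ID_SEGMENT = re.compile(r"/\d+(?=/|$)")    # numeric path IDs -> {id}
VERSION = re.compile(r"/v(\d+)/")

def normalize(path):
    """Collapse numeric IDs so /customers/1042 and /customers/77 are one endpoint."""
    return ID_SEGMENT.sub("/{id}", path)

def resource_and_version(path):
    """Split '/api/v2/customers' into ('/api/customers', 2); version is None if absent."""
    match = VERSION.search(path)
    return (VERSION.sub("/", path), int(match.group(1))) if match else (path, None)

def discover(traffic, gateway_inventory):
    """Build an API inventory from traffic; report shadow endpoints and stale versions."""
    seen = set()
    for line in traffic.splitlines():
        method, path, _status, ctype = line.split()
        if ctype.startswith(API_CONTENT_TYPES) or API_PATH.search(path):
            seen.add((method, normalize(path)))
    shadow = sorted(seen - gateway_inventory)       # observed but unknown to the gateway
    latest = defaultdict(int)                        # highest version seen per resource
    for _method, path in seen:
        resource, version = resource_and_version(path)
        if version is not None:
            latest[resource] = max(latest[resource], version)
    stale = sorted({p for _m, p in seen if (rv := resource_and_version(p))[1] is not None
                    and rv[1] < latest[rv[0]]})     # old version still receiving traffic
    return {"inventory": sorted(seen), "shadow": shadow, "stale_versions": stale}

if __name__ == "__main__":
    for key, value in discover(TRAFFIC, GATEWAY_INVENTORY).items():
        print(f"{key}: {value}")
```

Static assets are excluded by the heuristic, the SOAP endpoint is caught by its XML content type despite having no versioned path, and the v1 customers endpoint is reported both as a shadow API (the gateway only knows v2) and as a stale version.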