Skip to Primary Menu Skip to Utility Menu Skip to Main Content Skip to Footer
Noname Security enters into agreement to be acquired by Akamai
Learn more
Noname Security Logo
What is API Discovery?

What is API Discovery?

Harold Bell
Share this article

Key Takeaways

API discovery is crucial in modern software development, where hidden or forgotten APIs often pose security risks. It involves identifying all APIs, including rogue, zombie, and shadow APIs, to create a complete and accurate inventory. While you can manually discover APIs, automated tools can streamline this process and help detect misconfigurations and vulnerabilities in a fraction of the time.

Application Programming Interfaces, or APIs, have transformed the world of software development, enabling applications and services to communicate with each other. One serious problem has emerged with the adoption of APIs, however. And that’s the tendency for some APIs to be in production without anyone knowing they exist.

Though very common, this lack of API visibility exposes organizations to a range of security risks and business disruptions. With that said, security teams need tools that can ensure these shadow, or rogue APIs, are identified before they are exploited. And the process of finding such APIs is what’s known as API discovery. It is the only way to create a complete and accurate inventory of the APIs you have.

The importance of API discovery

API discovery is important because it helps developers to quickly find their APIs, especially those best suited for use in their apps or websites. It also helps them to mitigate risks by uncovering hidden vulnerabilities, like shadow APIs that are utilizing sensitive data like credit card info, social security numbers, and other personally identifiable information (PII). The importance of API discovery is rapidly increasing as more companies are using APIs to build their products and services

What are zombie and rogue APIs?

There are a variety of ways an API can “go rogue.” A rogue API might be an old version of an API that never got uninstalled. What can happen is that v1 of an API gets replaced by v2. Some applications are still calling v1, however, even after v2 has been deployed.

A person on the team is told to monitor v1 and take it offline once usage declines. Unfortunately, what often occurs is that this person leaves the company, gets reassigned, or simply forgets to shut down v1. On a small scale, this may not be terribly risky. But considering that organizations are managing and updating thousands of APIs, they are leaving themselves considerably vulnerable to threats.

In another scenario, an API that was decommissioned but stayed in operation can turn rogue. This honestly happens a lot. Usually the person who created the API has quit or moved to another role, forgetting all about that API they built. These are sometimes called “zombie APIs.”

What are shadow APIs?

Alternatively, someone might develop an API, but the right people don’t know about it. For instance, developers who report to a line of business (LOB) instead of IT, could be tasked with creating APIs. These are known as “shadow APIs.” No one except the shadow API developers knows it’s there.

Why do shadow APIs remain hidden?

One reason is that many in IT believe API gateways and web application firewalls (WAFs) can see all active APIs. This is not always the case. API gateways are a vital API management tool and do provide some visibility since they serve as a central point for API traffic and policy enforcement. However, not all API calls go through the gateway.

Oftentimes we encounter organizations who deployed APIs before they started taking API security seriously. To make matters worse, the employees who were responsible are likely no longer with the company. So if the call doesn’t use the gateway, the API is effectively invisible. Which means if you don’t invest in an API discovery tool, you’ll likely have several shadow APIs causing chaos from the depths of the ether.

Security risks from hidden APIs

APIs operating without any security controls is bad enough. Then add that you can’t find these APIs, it’s safe to say that they are just waiting to be exploited. This is an ideal scenario for hackers because they can access data without anyone knowing. Which means they have time to not only extract data, but also time to explore new attack vectors.

To make matters worse, you also won’t know what type of data these shadow APIs are sending and receiving. Many APIs transmit sensitive data like phone numbers, addresses, credit card information, health records, etc. So if one day you’re the unfortunate victim of a breach, you could be looking at some pretty hefty regulatory fines.

Manual vs automatic API discovery

The manual approach is the most common way of discovering APIs. The manual approach involves searching for APIs on the internet and then using tools like cURL to make API calls. This process has been around for a long time and can take a lot of time and effort. The general rule of thumb is 40 hours to find and document each API. It’s also unfortunately the most frequently used tactic by many companies.

The automated API discovery tools offer literally the exact opposite experience. With the right API discovery tool, you can quickly and easily find and inventory all of your APIs in a fraction of the time. And that’s all your APIs – not just the ones your API management platform knows about.

Finding your APIs

As you can see, APIs tend to proliferate, with more rogue APIs surviving in the wild than most admins might guess. Having undiscovered APIs operating out of sight of security managers is a recipe for cyber disaster. It is almost guaranteed that there are more active APIs than the IT department knows about.

To mitigate this risk, it is essential to conduct API discovery of some kind. A good discovery tool should be able to build a complete inventory of your APIs. Solutions like Posture Management provide automated API discovery along with ways to remediate the security problems it finds in the process.

The industry standard for API discovery

The Noname Security offers an industry leading automated API discovery tools that helps you find APIs by “listening” to network traffic and detecting API calls. The tool seamlessly integrates with your existing API infrastructure and runs out of band so network performance isn’t impacted. The solution monitors traffic and flags XML, JSON and other indicators of API calls going through the networks.

Once APIs are found, the platform references a broad collection of sources to identify misconfigurations and vulnerabilities. These include log files, replays of historical traffic and configuration files, and much more. The Posture Management module can detect all vulnerabilities in the OWASP API Security Top 10.

The solution also:

  • Discovers what kinds of sensitive data the APIs can access, like credit card data, phone numbers and social security numbers.
  • Uncover how many users accessed sensitive data over the APIs in the inventory,
  • Groups APIs by type, e.g., HTTP, RESTful, GraphQL, SOAP, XML-RPC, and JSON-RPC.
  • Identifies which APIs are able to access credit card data, phone numbers, social security, and other sensitive data.
  • Enables users to fix API security issues by integrating with their current ITSM and SIEM workflows.

API Discovery FAQs

What is the role of API discovery in creating a comprehensive API strategy?

Effective API management involves looking into API discovery to find new methods that may be more efficient and secure for your organization. API discovery ensures you’re using the best possible authentication methods for your needs because not every network or system requires the same level of security.

API security protocols are implemented to protect and secure important information from being accessed by the wrong people. Each API authentication method has specific protocols that allow for varying degrees of security. Multiple API authentication methods can be used together to create a secure and protected platform.

What are the benefits of using API discovery for API consolidation?

With API discovery, security testing can be implemented to allow for seamless integration and consolidation across various platforms. Different areas on the platform may not need high levels of security, while some departments may require the strictest API authentication protocols.

With API discovery, you can identify duplicate or repetitive APIs while streamlining the portfolio and reducing maintenance requirements. API discovery also helps optimize resource utilization throughout your system, making every process more efficient.

How does API discovery contribute to fostering collaboration?

API discovery gives every team member the tools they need to do their job as efficiently and securely as possible. With the right API discovery tools, you can implement an API posture management solution that allows team members to easily identify and mitigate potential risks. This proactive approach encourages team collaboration, allowing for a more efficient workplace.

Streamlining the collaborative development process allows groups to make the most out of every API authentication method your company has in its toolbox. API discovery ensures that toolbox is always up-to-date and as easy to use as possible.

Can API discovery tools integrate with existing security infrastructure?

API discover tools are designed to work in conjunction with other security protocols your company already has in place. Using APIs offers you the strictest set of protocols in the verification and identification processes. With their real-time monitoring and threat detection capabilities, you’ll always know what is happening with your systems.

Request a demo to see how Noname Security’s comprehensive platform can be used within your existing platform. API discovery tools offer many benefits beyond security and protection. With our API discovery module, you can enhance your reputation for being both innovative and creative when it comes to protecting yourself and your clients.

Harold Bell

Harold Bell was the Director of Content Marketing at Noname Security. He has over a decade of experience in the IT industry with leading organizations such as Cisco, Nutanix, and Rubrik, and has been featured as an executive ghostwriter in Forbes Technology Council and Hacker News.

All Harold Bell posts
Get Started Now (Tab to skip section.)

Get Started Now

Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.