API discovery is the practice of finding all your APIs, regardless of location or type – internal, external, third-party, managed, unmanaged, zombie or shadow. Discovering and inventorying APIs is the first step in the journey to secure APIs and the applications that depend on them. API discovery offers granular visibility into all APIs on the network – where they are, their availability, accessibility, and whether they are protected or unprotected. API discovery is the most critical aspect of a strong API security posture; after all, you can’t secure what you don’t know about.
Why is API Discovery Needed?
Analyst firm ESG found that by 2027, 78% of organizations expect over half of their applications to use APIs, while 33% of organizations have experienced multiple API-related security attacks within the past year. As more APIs are deployed, some will naturally be forgotten or neglected from a security standpoint if regular API discovery and inventory are not performed.
Two security issues that API discovery seeks to address are shadow and zombie APIs.
- Shadow APIs are those APIs that are undocumented, and which do not fall under an organization’s governance and security processes.
- Zombie APIs are those that are outdated, have been deprecated or abandoned, yet are still publicly accessible, and unknown to the organization.
Such APIs may have vulnerabilities that can be exploited, which can put critical organizational and customer data at risk. While organizations know that shadow and zombie APIs may exist in their environment, the extent of the problem can only be understood through API discovery.
Risks of Incomplete API Discovery
Incomplete API discovery causes “blind spots” for the security team, making it difficult to secure applications and APIs. In addition to manual attacks, automated malicious bots can find and exploit unmanaged APIs for nefarious purposes, making API discovery a key initiative for bot management. API attacks are wide-ranging and can include:
- Account takeover (ATO) – Gaining unauthorized access to legitimate user accounts
- Sensitive data exposure – Obtaining sensitive data exposed by applications and APIs
- Credential stuffing – Using stolen credentials to gain access to services
- Content scraping – Harvesting intellectual property for nefarious purposes
- Gift card abuse / loyalty program abuse – Brute-forcing card numbers, PINs, etc., to find valid gift cards or loyalty program details
- Fake account creation – Creation of large quantities of accounts from fake or stolen user identity information
What are the Limitations of Legacy API Discovery Approaches?
While there is no doubt about the importance of API discovery from the API management and security perspective, most API security tools use a traditional inside-out discovery approach. Due to the rapid spread of APIs, a unidirectional API discovery approach is insufficient and leads to security blind spots. Instead, the right approach combines inside-out and outside-in discovery to comprehensively understand how your data is moving through all your APIs.
Inside-out API discovery
- The inside-out approach involves continuously identifying and tracking APIs from within the organization’s network.
- The challenge with only using an inside-out view is that it does not show you everything an attacker may see as they remotely scan your public-facing network for possible attack targets.
Outside-in API discovery
- Outside-in discovery analyzes an organization’s public-facing network to understand the external API attack surface, effectively seeing what the attacker sees. Armed with outside-in results, security teams can apply attack surface management principles to secure and protect the previously unprotected APIs and resources.
- Outside-in discovery on its own doesn’t provide a complete API inventory since it only provides visibility into internet-facing APIs.
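The following is an added example, not Cequence's code or any tool described on this page. It reconciles a constructed inside-out inventory (what internal governance knows, with a status per endpoint) against constructed outside-in observations (what an external probe of the public-facing network can reach) to surface shadow APIs, zombie APIs, and the endpoints each view alone would miss.

```python
# Added example: reconcile inside-out and outside-in API inventories.
# All endpoint data below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str


# Inside-out view: endpoints known to internal governance (e.g. from gateway
# configuration or OpenAPI specs). "deprecated" means it should be retired.
INSIDE_OUT = {
    Endpoint("GET", "/v2/orders"): "active",
    Endpoint("POST", "/v2/orders"): "active",
    Endpoint("GET", "/v1/orders"): "deprecated",
    Endpoint("GET", "/internal/metrics"): "active",
}

# Outside-in view: endpoints that answered an external probe, with whether
# the endpoint demanded authentication (constructed observations).
OUTSIDE_IN = {
    Endpoint("GET", "/v2/orders"): {"status": 200, "auth": True},
    Endpoint("GET", "/v1/orders"): {"status": 200, "auth": False},
    Endpoint("GET", "/debug/users"): {"status": 200, "auth": False},
}


def classify(inside, outside):
    """Return findings keyed by category, each a list of Endpoint objects."""
    findings = {"shadow": [], "zombie": [], "unauthenticated": [], "internal_only": []}
    for ep, obs in outside.items():
        if ep not in inside:
            findings["shadow"].append(ep)        # reachable but undocumented
        elif inside[ep] == "deprecated":
            findings["zombie"].append(ep)        # documented as retired, still live
        if not obs["auth"]:
            findings["unauthenticated"].append(ep)
    for ep in inside:
        if ep not in outside:
            findings["internal_only"].append(ep)  # outside-in alone would never see these
    return findings


if __name__ == "__main__":
    for category, eps in classify(INSIDE_OUT, OUTSIDE_IN).items():
        print(category, [f"{e.method} {e.path}" for e in eps])
```

The "internal_only" bucket is the gap the text describes for outside-in discovery, and the "shadow" bucket is the gap for inside-out discovery; only the merged view fills both.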
What Security Insights Does API Discovery Offer?
Security is only as good as visibility into your organization’s assets, including your APIs. With complete discovery of all managed and unmanaged APIs in your application environment, you will gain meaningful and actionable security insights that will improve your security posture. The top five discovery insights include:
- Lack of Authentication: Authentication is an essential requirement for securing APIs, but many APIs have no authentication mechanism in place or have very weak authentication; in both cases, this is a huge security gap that attackers easily exploit.
- Lack of Encryption or Data Masking: Many organizational APIs handle sensitive data fields whose values should be hidden through the proper security controls. Attackers attempting to infiltrate requests and responses find their job even more complicated if the values in these requests and responses are encrypted or masked. Unfortunately, this is not the case across many APIs, as sensitive data remains unmasked or unencrypted, which can be easily exposed. However, API discovery can identify such APIs, and the issue can be addressed with alacrity.
- Information Exposure: APIs should share information as per their specification; not more, not less, just enough. Still, certain APIs go above and beyond their remit and expose more data than they are supposed to, which causes security issues. This usually happens because developers forget to minimize fields to those essential for the process. API discovery sheds light on such APIs.
- The Shadow API Problem: Shadow APIs offer a way for cybercriminals to infiltrate your enterprise network and are problematic as security teams may be unaware of them and potential vulnerabilities that exist. Only through API discovery can you unearth shadow APIs that remain hidden from view and unsecured. Uncovering these substantial blind spots ensures these backdoors can be shut with proper security controls in place.
- API Misuse: Suspicious use of APIs is another problem unearthed in the API discovery phase. An increase in traffic, excessive traffic, or a sudden burst of traffic on APIs can be a red flag for security teams and warrants more analysis of the reasons behind the traffic spurt. Traffic from countries where a company does not have a business operation is another suspicious scenario which must be investigated and addressed.
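As an added example (not code from the original page or from Cequence), the checks below run four of the discovery insights listed above over constructed sample traffic records: endpoints answering without authentication, unmasked sensitive values in responses, a traffic burst from one client, and traffic from a country outside the assumed operating set. The record fields, patterns and thresholds are assumptions chosen for the demonstration.

```python
# Added example: discovery insights over constructed API traffic records.
import re
from collections import Counter

# Constructed sample records, one per request, as a traffic sensor might emit.
LOGS = [
    {"client": "10.0.0.5", "country": "US", "path": "/v2/orders",
     "auth": "Bearer x", "resp": '{"id":1}'},
    {"client": "10.0.0.5", "country": "US", "path": "/v2/users/7",
     "auth": "Bearer x", "resp": '{"card":"4111111111111111"}'},
    {"client": "203.0.113.9", "country": "XX", "path": "/debug/users",
     "auth": "", "resp": '{"email":"a@example.com"}'},
] + [
    {"client": "198.51.100.2", "country": "US", "path": "/v2/gift-cards/check",
     "auth": "", "resp": "{}"}
    for _ in range(60)  # one client hammering a single endpoint
]

# Deliberately simple patterns; a real masking check would be field-aware.
SENSITIVE = {
    "card_number": re.compile(r"\b\d{13,16}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}
ALLOWED_COUNTRIES = {"US"}  # assumed countries where the business operates
BURST_THRESHOLD = 50        # requests per client per endpoint in the sample window


def analyze(logs):
    """Return sorted findings for each of the four insights."""
    no_auth = sorted({r["path"] for r in logs if not r["auth"]})
    exposed = sorted({(r["path"], name) for r in logs
                      for name, rx in SENSITIVE.items() if rx.search(r["resp"])})
    volume = Counter((r["client"], r["path"]) for r in logs)
    bursts = sorted(k for k, n in volume.items() if n > BURST_THRESHOLD)
    foreign = sorted({(r["client"], r["country"]) for r in logs
                      if r["country"] not in ALLOWED_COUNTRIES})
    return {"no_auth": no_auth, "sensitive_exposed": exposed,
            "bursts": bursts, "unexpected_geo": foreign}


if __name__ == "__main__":
    for insight, items in analyze(LOGS).items():
        print(insight, items)
```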
Choosing the Right API Discovery Tool
The right API discovery tool can be a great benefit to a successful API security program. A proper API discovery tool provides both inside-out and outside-in capabilities to ensure comprehensive discovery. The tool should also provide API inventory management and work with, or be a part of, existing security tools. A current inventory of deployed APIs is critical to protecting applications and APIs from today’s sophisticated attacks.
Cequence offers inside-out and outside-in API discovery, providing an attacker’s view of the network and a comprehensive, real-time inventory of all APIs, hosting providers, and API-specific security issues. A combination of SaaS-based crawling and sensor-based traffic monitoring ensures all APIs, whether active or dormant, are discovered and inventoried. API discovery is only the beginning of Cequence’s API security capabilities, which includes API security posture management, testing, and bot management. Get a free API Security Assessment and get started on your API security journey.