Page 103 - Cyber Defense Magazine for August 2020

and mitigated. Unfortunately, the fragmented API management space, along with an increase in decentralized development, has created a situation where most enterprises lack even the most basic understanding of their API landscape. According to Aite Group, organizations have an average of 620 APIs – do you know where they all are, who owns them and what they do?


Gaining visibility into your API footprint in the form of inventory, usage, potential vulnerabilities and specification conformance is vitally important to understand the overall exposure and compliance impact created by APIs in use. Some questions that every organization should be able to answer (but rarely can) include the following:

•  How many APIs do we have? What applications are these APIs used by or associated with?
•  How many were sanctioned by security and how many are “shadow” or unknown APIs?
•  Are they all necessary for operations, or were they deployed inadvertently or forgotten about after they were no longer necessary?
•  Which ones are not actively managed or monitored? Do they have traffic? Is the traffic expected, or do patterns suggest misuse?
•  How many APIs have vulnerabilities or don’t conform to approved API specifications? Do we have any hidden API headers, parameters or response codes?
•  Is there PII or sensitive data being transmitted through APIs unencrypted? Is access to regulated data limited in a way that will keep us in compliance?
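The questions above are, in practice, a reconciliation of observed traffic against an approved specification. The following script is an added illustration, not code from the magazine or from any vendor it names: it reads a constructed gateway access log and an approved spec (a cut-down OpenAPI-like shape), then reports which documented operations carry traffic, which observed endpoints are “shadow” (absent from the spec), which requests use undocumented parameters or response codes, and whether regulated fields travel over plaintext HTTP. The host api.example.test, the spec entries and the log lines are all constructed sample data.

```python
"""Reconcile observed API traffic against an approved API specification.

Added illustration of the API visibility questions in the article; the spec,
the sensitive-field list and the log lines below are constructed sample data,
and api.example.test is a placeholder host.
"""
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed approved spec in a cut-down OpenAPI-like shape:
# "<METHOD> <path template>" -> documented query parameters and response codes.
APPROVED_SPEC = {
    "GET /v1/users/{id}": {"params": {"fields"}, "responses": {200, 404}},
    "POST /v1/orders": {"params": set(), "responses": {201, 400}},
}

# Query-string field names treated as regulated/PII for this illustration.
SENSITIVE_PARAMS = {"ssn", "dob", "card_number"}

# Constructed gateway access log, one JSON record per line (not real traffic).
SAMPLE_LOG = """\
{"method":"GET","url":"https://api.example.test/v1/users/42?fields=name","status":200}
{"method":"GET","url":"https://api.example.test/v1/users/42?fields=name&debug=1","status":200}
{"method":"GET","url":"https://api.example.test/v1/users/42","status":500}
{"method":"GET","url":"http://api.example.test/v1/users/42?ssn=123456789","status":200}
{"method":"DELETE","url":"https://api.example.test/v1/admin/export","status":200}
"""


def _match_template(template: str, path: str) -> bool:
    """True if a concrete path fits a template; '{name}' segments match any non-empty segment."""
    t_parts, p_parts = template.split("/"), path.split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all(
        (t.startswith("{") and t.endswith("}") and p != "") or t == p
        for t, p in zip(t_parts, p_parts)
    )


def _find_operation(method: str, path: str, spec: dict):
    """Return (spec key, operation) for a request, or (None, None) if it is not in the spec."""
    for key, op in spec.items():
        spec_method, template = key.split(" ", 1)
        if spec_method == method and _match_template(template, path):
            return key, op
    return None, None


def classify(record: dict, spec: dict = APPROVED_SPEC):
    """Classify one access-log record. Returns (spec key or None, list of finding strings)."""
    url = urlsplit(record["url"])
    params = set(parse_qs(url.query, keep_blank_values=True))
    findings = []
    # Transport check first: regulated fields over plaintext HTTP are a compliance
    # failure regardless of whether the endpoint itself is documented.
    if url.scheme != "https":
        findings.append("plaintext_transport")
        if params & SENSITIVE_PARAMS:
            findings.append("sensitive_data_unencrypted")
    key, op = _find_operation(record["method"].upper(), url.path, spec)
    if op is None:
        findings.append("shadow_endpoint")
        return None, findings
    undocumented = params - op["params"]
    if undocumented:
        findings.append("undocumented_params:" + ",".join(sorted(undocumented)))
    if record["status"] not in op["responses"]:
        findings.append(f"undocumented_status:{record['status']}")
    return key, findings


def inventory_report(log_text: str, spec: dict = APPROVED_SPEC) -> dict:
    """Summarise a log against the spec: traffic per documented operation, unused
    operations, shadow endpoints, and per-request findings keyed by log line number."""
    traffic = Counter()
    shadow, findings = [], {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        record = json.loads(line)
        key, found = classify(record, spec)
        if key is not None:
            traffic[key] += 1
        else:
            endpoint = f"{record['method'].upper()} {urlsplit(record['url']).path}"
            if endpoint not in shadow:
                shadow.append(endpoint)
        if found:
            findings[lineno] = found
    return {
        "traffic_by_operation": dict(traffic),
        "unused_operations": [k for k in spec if k not in traffic],
        "shadow_endpoints": shadow,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(inventory_report(SAMPLE_LOG), indent=2))
```

Against the sample log this flags one undocumented parameter (`debug`), one undocumented response code (500), one request carrying a regulated field over plaintext HTTP, and one shadow endpoint (`DELETE /v1/admin/export`), while reporting that `POST /v1/orders` is documented but sees no traffic. A real deployment would feed the same logic from gateway or proxy logs and the organisation’s actual OpenAPI documents, and would treat headers and request bodies the same way as query parameters.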

Unfortunately, too many organizations get answers to these questions the hard way – when they are breached. For example, an API might expose too much information when a request is made, providing attackers with insights they can use to further breach a system. Or an API might completely lack proper access authentication, or inadvertently grant users elevated privileges (like giving them Admin rights) which could be used to exfiltrate or change data.

"The hallmark of cyber attackers is they are always searching for a path of least resistance. The expanding use of public facing APIs, especially those that are unknown, coupled with the lack of security associated with those APIs, makes them a prime target," says Charles Kolodgy, Principal at Security Mindsets LLC. "It is important for organizations to know what APIs are used by the website, especially shadow APIs, in order to secure them, thus making it more difficult for cyber criminals to achieve their end goal."

While there are security tools that address some aspects of API security, this problem of visibility needs to be solved.

“If your organization delivers APIs to external parties, such as your customers or partners, you need a centralized place to help monitor the security posture and compliance of all your published APIs, detect any risks immediately, and respond proactively to mitigate risks of data exfiltration,” says Subbu Iyer, VP of product for Cequence Security. “The first step in developing a mature API security and compliance program is to discover all the APIs your organization delivers to external parties and analyze their risk postures.”
