Page 103 - Cyber Defense Magazine for August 2020
and mitigated. Unfortunately, the fragmented API management space, along with an increase in
decentralized development, has created a situation where most enterprises lack even the most basic
understanding of their API landscape. According to Aite Group, organizations have an average of
620 APIs – do you know where they all are, who owns them and what they do?
Gaining visibility into your API footprint in the form of inventory, usage, potential vulnerabilities and
specification conformance is vitally important to understand the overall exposure and compliance impact
created by APIs in use. Some questions that every organization should be able to answer (but rarely can)
include the following:
• How many APIs do we have? What applications are these APIs used by or associated with?
• How many were sanctioned by security and how many are “shadow” or unknown APIs?
• Are they all necessary for operations, or were they deployed inadvertently or forgotten about after
they were no longer necessary?
• Which ones are not actively managed or monitored? Do they have traffic? Is the traffic expected,
or do patterns suggest misuse?
• How many APIs have vulnerabilities or don’t conform to approved API specifications? Do we have
any hidden API headers, parameters or response codes?
• Is PII or other sensitive data being transmitted through APIs unencrypted? Is access to regulated
data limited in a way that will keep us in compliance?
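The questions above are answerable only by reconciling what is documented against what is actually observed on the wire. The following script is an added example, not code from the article or from any vendor named in it: it takes a minimal, constructed inventory of documented endpoints (paths, methods, query parameters and response codes) and a handful of constructed gateway log lines, and reports shadow endpoints (traffic to paths or methods nobody documented), undocumented parameters and response codes (specification drift), and documented endpoints that receive no traffic at all (candidates for decommissioning). The inventory format and log field names are assumptions for illustration.

```python
"""Added example: reconcile a documented API inventory against observed traffic.

Assumptions (constructed, not from the article):
  - INVENTORY is a minimal OpenAPI-like map of documented path templates ->
    method -> allowed query parameters and documented response codes;
  - LOG_LINES are JSON records from an API gateway with method, path,
    status and parsed query parameters.
"""
import json
import re

# Constructed inventory of documented endpoints.
INVENTORY = {
    "/v1/users/{id}": {"GET": {"params": {"fields"}, "responses": {200, 404}}},
    "/v1/orders": {
        "GET": {"params": {"page", "limit"}, "responses": {200}},
        "POST": {"params": set(), "responses": {201, 400}},
    },
    # Documented but, as the sample logs will show, never called.
    "/v1/reports": {"GET": {"params": set(), "responses": {200}}},
}

# Constructed gateway log lines, one JSON record per line.
LOG_LINES = """
{"method":"GET","path":"/v1/users/42","status":200,"query":{"fields":"name"}}
{"method":"GET","path":"/v1/users/42","status":200,"query":{"debug":"1"}}
{"method":"GET","path":"/v1/orders","status":500,"query":{"page":"2"}}
{"method":"GET","path":"/v1/admin/export","status":200,"query":{}}
{"method":"DELETE","path":"/v1/orders","status":204,"query":{}}
""".strip().splitlines()


def template_to_regex(template):
    """Turn '/v1/users/{id}' into a regex matching one concrete path segment per placeholder."""
    literal_parts = re.split(r"\{[^/]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def match_path(path, inventory=INVENTORY):
    """Return the documented path template a concrete path belongs to, or None."""
    for template in inventory:
        if template_to_regex(template).match(path):
            return template
    return None


def reconcile(log_lines=LOG_LINES, inventory=INVENTORY):
    """Compare observed requests with the inventory and return the four finding sets."""
    findings = {
        "shadow": set(),              # (method, path) with no documented endpoint
        "undocumented_params": set(), # (method, template, param) not in the spec
        "undocumented_status": set(), # (method, template, status) not in the spec
        "no_traffic": set(),          # (method, template) documented but never called
    }
    seen = set()
    for line in log_lines:
        rec = json.loads(line)
        method, path = rec["method"], rec["path"]
        template = match_path(path, inventory)
        if template is None or method not in inventory[template]:
            findings["shadow"].add((method, path))
            continue
        seen.add((method, template))
        spec = inventory[template][method]
        for param in rec.get("query", {}):
            if param not in spec["params"]:
                findings["undocumented_params"].add((method, template, param))
        if rec["status"] not in spec["responses"]:
            findings["undocumented_status"].add((method, template, rec["status"]))
    for template, methods in inventory.items():
        for method in methods:
            if (method, template) not in seen:
                findings["no_traffic"].add((method, template))
    return findings


if __name__ == "__main__":
    for category, items in reconcile().items():
        print(f"{category}:")
        for item in sorted(items, key=str):
            print("   ", item)
```

Run against real data, the inventory would come from the organization's published specifications and the log lines from the gateway; the useful output is the deltas, since each shadow endpoint is an API security never sanctioned, and each undocumented parameter or status code is a place where behaviour has drifted from what was reviewed.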
Unfortunately, too many organizations get answers to these questions the hard way – when they are
breached. For example, an API might expose too much information in its responses, providing attackers
with insights they can use to breach a system further. Or an API might completely lack proper
authentication, or inadvertently grant users elevated privileges (such as Admin rights) that could be
used to exfiltrate or change data.
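The two failure modes just described, an API that returns more than the caller should see and an API that lets a caller grant themselves elevated privileges, are shown below as a vulnerable handler beside its hardened counterpart. This is an added example, not code from the article; the user store, role names, and field names are constructed for illustration, and the handlers are plain functions standing in for whatever web framework would host them.

```python
"""Added example: excessive data exposure and privilege escalation via mass
assignment, each shown as a vulnerable handler next to a hardened one.

Everything here is constructed for illustration (not from the article).
"""
import copy

# Constructed user records; sensitive attributes sit beside public ones.
USERS_SEED = {
    42: {"id": 42, "name": "Ada", "email": "ada@example.com", "role": "user",
         "password_hash": "<hash placeholder>", "ssn": "<ssn placeholder>"},
    7: {"id": 7, "name": "Ops", "email": "ops@example.com", "role": "admin",
        "password_hash": "<hash placeholder>", "ssn": "<ssn placeholder>"},
}

# Explicit allow-lists: what a response may contain and what a caller may change.
PUBLIC_FIELDS = ("id", "name")
SELF_FIELDS = ("id", "name", "email", "role")
WRITABLE_BY_SELF = {"name", "email"}


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


def make_store():
    """Fresh copy of the seed data so each run or test starts clean."""
    return copy.deepcopy(USERS_SEED)


def _is_self_or_admin(store, requester_id, target_id):
    return requester_id == target_id or store[requester_id]["role"] == "admin"


# --- Read: excessive data exposure ------------------------------------------

def get_user_vulnerable(store, requester_id, target_id):
    """Serializes the whole record for any authenticated caller: no authorization
    check, and password hash and SSN leave the service."""
    return dict(store[target_id])


def get_user_hardened(store, requester_id, target_id):
    """Returns only allow-listed fields, and more of them only to the owner or an admin."""
    target = store.get(target_id)
    if target is None:
        raise KeyError(target_id)  # would be a 404
    fields = SELF_FIELDS if _is_self_or_admin(store, requester_id, target_id) else PUBLIC_FIELDS
    return {k: target[k] for k in fields}


# --- Write: privilege escalation through mass assignment ---------------------

def update_user_vulnerable(store, requester_id, target_id, body):
    """Writes every key the client sent, so {"role": "admin"} is honoured."""
    store[target_id].update(body)
    return dict(store[target_id])


def update_user_hardened(store, requester_id, target_id, body):
    """Rejects writes to anyone else's record and to any non-writable field."""
    if not _is_self_or_admin(store, requester_id, target_id):
        raise Forbidden(f"user {requester_id} may not modify user {target_id}")
    unknown = set(body) - WRITABLE_BY_SELF
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    store[target_id].update({k: body[k] for k in body})
    return {k: store[target_id][k] for k in SELF_FIELDS}


if __name__ == "__main__":
    s = make_store()
    print("vulnerable read :", sorted(get_user_vulnerable(s, 42, 7)))
    print("hardened read   :", sorted(get_user_hardened(s, 42, 7)))
    print("vulnerable write:", update_user_vulnerable(make_store(), 42, 42, {"role": "admin"})["role"])
    try:
        update_user_hardened(make_store(), 42, 42, {"role": "admin"})
    except ValueError as e:
        print("hardened write  : rejected,", e)
```

The design point is that both fixes are allow-lists: the response serializer names what may go out rather than filtering what must stay in, and the update handler names what may be written rather than trusting the request body to carry only benign keys.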
"The hallmark of cyber attackers is they are always searching for a path of least resistance. The
expanding use of public-facing APIs, especially those that are unknown, coupled with the lack of security
associated with those APIs makes them a prime target," says Charles Kolodgy, Principal at Security
Mindsets LLC. "It is important for organizations to know what APIs are used by the website, especially
shadow APIs, in order to secure them, thus making it more difficult for cyber criminals to achieve their end
goal."
While there are security tools that address some aspects of API security, this problem of visibility needs
to be solved.
“If your organization delivers APIs to external parties, such as your customers or partners, you need a
centralized place to help monitor the security posture and compliance of all your published APIs, detect
any risks immediately, and respond proactively to mitigate risks of data exfiltration,” says Subbu Iyer, VP
of product for Cequence Security. “The first step in developing a mature API security and compliance
program is to discover all the APIs your organization delivers to external parties and analyze their risk
postures.”
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.