API discovery means identifying every API in the environment, known and unknown, including APIs the organization never authorized. That covers shadow APIs (exposed but undocumented or unmanaged), orphan APIs (deprecated or ownerless but still reachable) and rogue APIs.
API discovery should provide a single pane of glass for all APIs, show all API activity, and surface the most important information first: which APIs have been discovered, which pose the highest risk to the organization, and a live feed of API changes, such as a new API being released or an existing one being modified.
Typically, the first order of business is to tackle API sprawl: discover and inventory every external and internal API endpoint in a data-rich catalog, so that you have complete visibility into your API estate, including shadow and orphaned APIs, and are notified whenever an API changes.
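The core of that inventory step is a reconciliation: what the documentation says exists versus what traffic shows is actually called. The following is an added illustration, not code from the original page or from any product it describes. It assumes a documented inventory extracted from an OpenAPI document (here a constructed set of method/route pairs) and a constructed access-log excerpt; the path normalization rule (integers and UUIDs become `{id}`) is an assumption that a real deployment would tune.

```python
import re
from collections import Counter

# Documented inventory as it might be extracted from an OpenAPI document.
# Constructed sample: (method, route template).
DOCUMENTED = {
    ("GET", "/v1/users/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
    ("GET", "/v1/legacy/export"),   # still documented, nobody calls it
}

# Constructed access-log excerpt: method, path, status.
TRAFFIC = """\
GET /v1/users/1042 200
GET /v1/users/1043?fields=email 200
POST /v1/orders 201
GET /v1/orders/7f3c2e1a-9b0d-4e5f-8a1b-2c3d4e5f6a7b 200
GET /internal/debug/dump 200
GET /internal/debug/dump 200
DELETE /v1/users/1043 204
"""

# A path segment that is a plain integer or a UUID is treated as an object id
# (assumed convention for this sample).
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)


def normalize(path):
    """Collapse id-like segments to {id} so every instance maps onto one route."""
    path = path.split("?", 1)[0]          # drop the query string
    return "/".join("{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def observe(log_text):
    """Count requests per (method, route) seen in traffic."""
    seen = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        seen[(method, normalize(path))] += 1
    return seen


def reconcile(documented, observed):
    """Diff the documented inventory against what traffic actually shows."""
    active = set(observed)
    return {
        "shadow": sorted(active - documented),       # in traffic, not in the spec
        "orphan": sorted(documented - active),       # in the spec, never called
        "confirmed": sorted(documented & active),
    }


if __name__ == "__main__":
    counts = observe(TRAFFIC)
    for kind, routes in reconcile(DOCUMENTED, counts).items():
        print(kind, routes)
```

Run against the sample, the undocumented `/internal/debug/dump` route and the `DELETE` on users surface as shadow APIs, while the documented but never-called `/v1/legacy/export` surfaces as an orphan. Feeding successive log windows through `observe` and diffing the results is the simplest form of the "API changes" feed described above.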
Having automated and continuous API Discovery is also a requirement in the recently updated FFIEC guidelines that require organizations to inventory all information systems for their security and risk management initiatives.
Perhaps one of the biggest capabilities missing from most API security solutions is the ability to measure and manage the organization's API security risk posture.
Measuring security posture starts with risk scores; they are non-negotiable. You need a security risk score for every API, so that you can see which of your APIs are most exposed to abuse. To compute it, an API security platform needs to collect runtime details such as sensitive data flows, API call maps, API usage behavior, user details, event details and threat activity levels.
Equally paramount is the ability to identify sensitive data exposure.
Prevent sensitive data exposure by identifying API endpoints that handle sensitive data without appropriate authentication or zero-trust policies in place. This lets your security and development teams prioritize which APIs need stronger controls to protect the organization and its data from threats or abuse.
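A minimal version of that scoring, combining sensitive-data classification of responses with the authentication and exposure signals above, is shown below. This is an added example and not code from the original page or any product; the transactions, the regex detectors, the weights and the multipliers are all constructed for illustration, and a real classifier would use far broader detectors (and, for example, validate card numbers with Luhn).

```python
import re

# Detectors for sensitive values in response bodies. Constructed, illustrative
# patterns only.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card":  re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# Relative severity of each data type in the score (assumed values).
WEIGHTS = {"email": 1, "ssn": 5, "card": 5}

# Constructed transactions as a platform might capture them at runtime:
# route template, whether the request carried valid credentials, whether the
# endpoint is reachable from the internet, and the response body.
TRANSACTIONS = [
    {"endpoint": "GET /v1/users/{id}", "authenticated": True, "internet_facing": True,
     "body": '{"id":1042,"email":"alice@example.com"}'},
    {"endpoint": "GET /v1/users/{id}/payment", "authenticated": False, "internet_facing": True,
     "body": '{"card":"4111 1111 1111 1111","ssn":"123-45-6789"}'},
    {"endpoint": "GET /v1/health", "authenticated": False, "internet_facing": True,
     "body": '{"ok":true}'},
    {"endpoint": "GET /internal/reports", "authenticated": True, "internet_facing": False,
     "body": '{"owner":"bob@example.com"}'},
]


def classify(body):
    """Return {data_type: occurrences} for every sensitive type found in a body."""
    return {name: len(rx.findall(body)) for name, rx in DETECTORS.items() if rx.search(body)}


def risk_score(finding):
    """Weighted data sensitivity, multiplied up when no auth is required and when exposed."""
    base = sum(WEIGHTS[k] * n for k, n in finding["data"].items())
    if base == 0:
        return 0                      # no sensitive data, nothing to score
    if not finding["authenticated"]:
        base *= 3                     # anyone can read it
    if finding["internet_facing"]:
        base *= 2                     # anyone can reach it
    return base


def assess(transactions):
    """Aggregate transactions per endpoint and rank endpoints by risk score."""
    per_endpoint = {}
    for t in transactions:
        f = per_endpoint.setdefault(
            t["endpoint"], {"data": {}, "authenticated": True, "internet_facing": False})
        for k, n in classify(t["body"]).items():
            f["data"][k] = max(f["data"].get(k, 0), n)
        # A single unauthenticated response means the endpoint is unauthenticated.
        f["authenticated"] = f["authenticated"] and t["authenticated"]
        f["internet_facing"] = f["internet_facing"] or t["internet_facing"]
    ranked = sorted(per_endpoint.items(), key=lambda kv: risk_score(kv[1]), reverse=True)
    return [(endpoint, risk_score(f), f) for endpoint, f in ranked]


if __name__ == "__main__":
    for endpoint, score, f in assess(TRANSACTIONS):
        print(f"{score:>3}  {endpoint}  auth={f['authenticated']}  data={f['data']}")
```

The unauthenticated, internet-facing payment endpoint that returns a card number and an SSN lands at the top of the list, while the health check scores zero even though it is also unauthenticated: the point of the score is to rank by exposure of sensitive data, not by the mere absence of authentication.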
An API security platform needs to be able to handle massive scale. This is especially true for large financial and retail organizations that provide tens of thousands of APIs, and need to handle billions of API calls.
This is why it's crucial to have an API security solution that is designed to process and analyze APIs, application communication, and user behavior data at cloud scale.
In addition, it should support very large deployments of thousands of API endpoints and billions of API calls, with flexible data collection and deployment options, agentless or agent-based, depending on your needs:
1. fully out-of-band, via analysis of network and flow logs from AWS, GCP and Azure;
2. collection by instrumentation within your API gateway, proxies or service mesh; and
3. in-app data collection through instrumentation by language-specific agents or socket filtering.
For highly regulated industries, look for a solution that can also be deployed 100% on-premises in a fully air-gapped model, without sacrificing protection, speed or scalability.
APIs are a direct path to systems, data and privacy, and are now the top attack vector for abuse, data loss and fraud across nearly every industry.
A key capability is therefore runtime exploit protection: the platform should automatically detect and stop known and unknown API attacks, business logic abuse, API abuse, fraud and sensitive data exfiltration.
Capabilities should also include:
1. Eliminate API abuse and fraud: real-time detection of, and protection against, known and unknown API attacks and abuse.
2. Detect and block API attacks: automatically detect and block exploitation of known and unknown API vulnerabilities, including the OWASP Web and API Top 10, business logic abuse and zero-days.
3. Stop sensitive data exfiltration: immediately detect when attackers reach sensitive data by exploiting software bugs or known CVEs. Understand the flow of transactions through your application, from the edge to the data store and back, so you can respond quickly and shut down the attempted theft.
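Business logic abuse rarely looks like a malformed request; it looks like valid requests in a suspicious sequence. The classic case is object-ID enumeration behind a broken object level authorization (BOLA) flaw, the top entry of the OWASP API Top 10. The detector below is an added example, not code from the original page or any product: it walks constructed access-log lines, groups them by principal and route template, and raises an alert when one principal touches an unusual number of distinct objects inside a time window or collects a high share of denied responses. The log format, window and thresholds are assumptions a real deployment would calibrate against its own baseline.

```python
import re
from collections import defaultdict

# Constructed access-log lines: epoch_seconds principal method path status.
LOG = """\
1700000000 user:alice GET /v1/orders/5001 200
1700000001 user:alice GET /v1/orders/5001 200
1700000002 user:mallory GET /v1/orders/5001 200
1700000003 user:mallory GET /v1/orders/5002 200
1700000004 user:mallory GET /v1/orders/5003 403
1700000005 user:mallory GET /v1/orders/5004 403
1700000006 user:mallory GET /v1/orders/5005 200
1700000007 user:mallory GET /v1/orders/5006 403
1700000030 user:bob GET /v1/orders/7010 200
1700000031 user:bob GET /v1/orders/7011 200
"""

# Integer path segments are treated as object ids (assumed convention).
_NUM_SEGMENT = re.compile(r"/\d+(?=/|$)")


def parse(line):
    """Split one log line into (ts, principal, route template, object id, status)."""
    ts, principal, method, path, status = line.split()
    route = _NUM_SEGMENT.sub("/{id}", path)
    obj = path.rsplit("/", 1)[-1]
    return int(ts), principal, f"{method} {route}", obj, int(status)


def detect_enumeration(log_text, window=60, max_distinct=4, max_denied_ratio=0.3):
    """Flag (principal, route) pairs whose access pattern looks like id enumeration."""
    events = defaultdict(list)           # (principal, route) -> [(ts, obj, status)]
    for line in log_text.splitlines():
        if line.strip():
            ts, principal, route, obj, status = parse(line)
            events[(principal, route)].append((ts, obj, status))

    alerts = []
    for (principal, route), evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 < window]   # sliding window from evs[i]
            distinct = {o for _, o, _ in win}
            denied = sum(1 for _, _, s in win if s in (401, 403, 404))
            too_many = len(distinct) > max_distinct
            mostly_denied = len(win) >= 3 and denied / len(win) > max_denied_ratio
            if too_many or mostly_denied:
                alerts.append({
                    "principal": principal,
                    "route": route,
                    "distinct_objects": len(distinct),
                    "denied_ratio": round(denied / len(win), 2),
                })
                break                    # one alert per principal/route is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(LOG):
        print(alert)
```

On the sample, `user:mallory` is flagged for walking six distinct order IDs in eight seconds with half of the responses denied; `user:alice` (one object, repeated) and `user:bob` (two objects) are not. Note that the 200 responses inside mallory's run are exactly the ones a signature-based WAF would never see as an attack, which is why the detection has to be sequence-aware and user-attributed.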
Enable Zero Trust API Access to Improve Enterprise and Data Security.
Today's cloud-based, API-driven, microservices applications rely on APIs for communication between users or non-person entities (NPEs) and applications, and between applications and their components.
API Security solutions are essential to aligning Zero Trust thinking with the realities of today’s application architectures and extending the Zero Trust security model to the full application stack.
However, to date, APIs have been largely neglected by Zero Trust models. In addition, digital transformation demands and DevSecOps processes at organizations have created new gaps and vulnerabilities attackers can exploit.
As you evaluate API security solutions, look for one that strengthens your Zero Trust strategy. We recommend an API security solution that maps to the NIST Zero Trust Architecture (NIST SP 800-207), as it covers reference architecture, data security and compliance measures for defense in depth.
Effective API security is impossible without robust analytics and threat intelligence capabilities to power root cause analysis, forensic research and incident response.
1. API security data lake: you need the ability to collect and analyze the end-to-end path trace of all API calls and service behaviors. An API security data lake lets your SOC team, incident responders, threat hunters, red teams and blue teams conduct immediate security analysis and root cause analysis.
2. Understand API traffic and user attribution: Understand API traffic history of user attributed transactions, sequences, and flows and perform post mortem reviews and analysis for any API security incidents.
3. Threat Hunting to reveal unknown API vulnerabilities: Perform threat hunting to reveal potentially unknown API vulnerabilities and visualize user behavior analytics to uncover fraud and abuse.
This level of security analytics lets SOC teams and threat hunters harden APIs and service behaviors and reduce exposure to data breaches, ransomware, abuse and data exfiltration.
API security is not complete without coverage of the entire API lifecycle. An API security platform must be able to eliminate the risk of vulnerable APIs in pre-production, run rapid scans that keep pace with development, and automatically provide developers with remediation insights to further secure their APIs.
While runtime protection is important and should be prioritized to reduce risk immediately, it's also equally important that organizations are able to find and stop vulnerabilities before those APIs are deployed to production.
Look for these specific capabilities to start:
1. Eliminate the risk of vulnerable APIs: extensive coverage of the OWASP API Top 10, known CVEs in common runtimes and frameworks (Java, Go, Node.js), authentication (AuthN) and authorization (AuthZ) flaws, and many more, plus coverage of business logic vulnerabilities and sensitive data exposure.
2. Rapid scans to maintain speed of innovation: Development teams need the ability to perform rapid scans -- with virtually no change in dev-release cadences -- eliminating friction for both dev and security teams.
3. Extensive reporting: your API security solution should produce automated and on-demand reports of the vulnerabilities found while testing APIs. The reports should include CVSS scores and CWE classifications for overall risk assessment, plus remediation recommendations, and be delivered to both development and security teams so they can fix the issues before those APIs are pushed to production.
One of the biggest risks to organizations is having too many point tools stacked on top of each other. If a data breach happens, too many overlapping tools can make it harder to find where the breach originated.
When seeking an API security platform, look for one that reduces or eliminates your existing tools. If you come across one that calls itself a platform but lacks these capabilities, it is not a true platform.
Tool consolidation also gives you the opportunity to have a more integrated and automated approach to your security. When information is in one place, and you don't have to constantly hunt for where it is, you can quickly find and resolve potential issues and stop threats.