A smart and scalable API security strategy has many factors. But even the most sophisticated API security approach needs a full and current API inventory. This might not sound difficult, particularly with mature API processes, governance, and documentation. But as with most aspects of security, planning for the unexpected is critical. In the case of APIs, this means implementing broad and continuous API discovery across your on-premises and cloud environments.
APIs are a moving target
One of the most challenging aspects of securing APIs is that APIs themselves – and the infrastructure foundation they sit on top of – seem to be constantly changing. Modern applications are deployed and changed daily through fast-moving DevOps processes. Meanwhile, IT infrastructure is continuously evolving as organizations shift to hybrid-cloud architectures and embrace new application deployment models like microservices.
Organizational adoption of principles like DevSecOps that make security integral to the application lifecycle might still result in overlooking APIs since they straddle the line between software development and security.
Meanwhile, API risk may differ significantly from one organization to the next — or based on the type of API. For example, many organizations place most of their emphasis on protecting north-south APIs that communicate with outside parties. But east-west APIs that expose more sensitive data and business workflows to internal users and systems may pose similar risks given the inevitability of infrastructure breaches and other factors like insider threats.
Even well-intentioned teams have process lapses
Development teams face daily trade-offs between perfect and fast, and APIs are not an exception. Even with mature and well-defined API practices, developers may occasionally implement workarounds to address an emergency fix or meet time-to-market pressure, with an intention to revisit and refactor later to bring into compliance. But these situations can easily slip through the cracks and be left unaddressed and undocumented.
Rogue APIs pose hidden risks
Many organizations are lulled into a false sense of security by sound API deployment and documentation practices, even as they have rogue APIs in their environments.
Rogue, sometimes called shadow, APIs aren’t typically created with malicious intent. But that doesn’t mean that a threat actor with malicious intent won’t try to exploit them. And because they are unknown to the security team – and potentially lacking best API deployment practices and operating outside the view of API security monitoring tools— attacks on rogue APIs on may go undetected long enough to cause severe business impact.
Zombie APIs are another common pitfall
Zombie APIs are a close relative of shadow APIs and present many of the same risks. “Zombie” refers to APIs that may have served a purpose, but as applications are decommissioned, APIs that offer access to data and business logic might be overlooked. Like rogues, zombie APIs can fly under security team radar and tools of security teams and tools, and are as susceptible to abuse and exploitation.
Broad and continuous discovery yields good API hygiene
While it is always advisable to implement robust protections for business-critical, sanctioned APIs, broad and continuous API discovery must be included in your API security strategy.
Consider breadth. Even with basic monitoring in place for sanctioned APIs, it’s essential to augment this with inspection of all activity in your environments for signs of unexpected API activity. This may be accomplished with the capture and analysis of log and traffic data from sources such as:
- API gateways
- Content delivery networks
- Cloud provider logs
- Log management systems
- Orchestration tools
Once you have this more complete picture, it’s also important to refresh it continuously. Continuous API discovery will future-proof your API risk posture against newly created rogue APIs. It will also spotlight zombie APIs created as your applications evolve or as new technology is introduced to your environments through mergers and acquisitions.
Put a spotlight on your rogue and zombie APIs today
While implementing a broad and continuous API discovery capability may seem like a complex and time-consuming proposition, it doesn’t have to be. We’ve created a 100 percent SaaS-based approach to API discovery and protection that you can have up and running in minutes.