Lack of API visibility undermines basic principle of security

One of the oldest principles of security is that you cannot secure what you cannot see. Visibility has always been the starting place for monitoring and protecting attack surface and valuable resources. Various technical challenges have come to bear over the years—the shift to “let it all in” HTTP back in the late 90s, the subsequent advent and then common usage of encrypted traffic, the rise of shadow IT and groups or employees empowered to incorporate their own applications, devices and data services, and more. Such challenges have necessitated new approaches to visibility.

The new visibility challenge, with so much core business depending on interconnecting processes and data via APIs, requires that companies need to know what APIs they expose externally and internally and how they should behave.

Most organizations are only aware of a portion of their APIs and typically grossly underestimate the actual number. Discovering all APIs eludes nearly all organizations. Most attempt to catalog their APIs and ideally append them with descriptions and details. Even from the onset this is a massive task that manages to identify only a portion of those in use, according to our audits of various enterprises.

To make matters worse, identifying and cataloging APIs is a moving target that requires constant monitoring and vigilance. Many enterprises are adding new APIs or changing existing APIs every week, with most of these coming from an effort not sanctioned or managed by the IT or security organizations.

Most organizations have no way of even knowing how many APIs they have, let alone what they are and how they are used. Traditional tools, such as WAFs and API Gateways were built for a different purpose and lack the ability to discover APIs and provide a complete inventory of them.

Some application developers provide documentation of APIs, but it is impossible to expect that every developer team will always provide the most updated documentation on every change, let alone address older or different APIs that are not documented to start with.

API documentation from application developers is often incomplete and becomes quickly outdated. Updating API details for applications generally lacks any kind of process or scheduled review by the developers, so most do not have a mechanism to keep documentation current. In addition, new APIs are added all the time, so continuous discovery is essential. A one-time discovery process or static documentation is nearly pointless.

Organizations need to be continually discovering to maintain an up-to-date inventory of APIs. Risk audits must be conducted to uncover vulnerabilities, misconfigurations, and data sensitivity.

While just knowing their API inventory eludes most enterprises and organizations, the ability to evaluate the risks in these APIs is completely absent. Questions such as what is going on inside the API interaction, what information is being passed, how should the API typically behave, what is the risk involved, and other important details remain fully unanswered.

In our evaluation of enterprise API traffic and interactions, we routinely find sensitive or regulated data being exchanged without controls or protections they are subject to within other channels. We also see transactions between major business systems, such as customer orders, inventory or supply chain interactions, financial instructions, and more.

It quickly becomes apparent that the lack of API visibility, understanding or evaluation seriously compromises risk management, compliance, and the very heart of the business. Incidents targeting the lack of API visibility are becoming the top security issue facing organizations, and they will become the vast majority within the next several years. The main reason is that organizations need to develop and expose many new APIs as part of their digital transformation, while they no longer invest in data centers and corporate networks. Those APIs expose the core business to the outside by design and are therefore the main target for attackers.

Companies need to – continually and automatically – identify all APIs and understand and assess their behavior. New technology can now provide the visibility with behavioral assessment that security and compliance teams must prioritize the policing of APIs as one of the top vectors for managing risk.

The everything-connected digital business has gained critical agility and efficiencies but also introduced a potent new threat and vulnerability. Companies must be cognizant of the risks in this new frontier and take on the capabilities to properly manage them.

APIs enable faster revenue streams and improved agility to launch new products, features and services. Security cannot be a hindrance to such business growth and revenue generation. APIs are becoming the largest new attack surface and point of risk exposure that businesses must protect in the next few years. If a company already uses APIs to conduct digital business and integrate customers, partners, suppliers and processes or initiatives, API security is now a must-have to protect the business.