How to get API discovery right

Application Programming Interfaces (APIs) are everywhere. Companies have increasingly turned to API development to quickly and efficiently create consistent, feature-rich applications. APIs have become the connective tissue of data exchange, but this raises important security questions.

One of the most significant of these questions is: What is the extent of my organization’s API usage? This isn’t as straightforward a query as it may first seem. Businesses are using hundreds and thousands of APIs — new APIs built to meet standards frameworks, third-party APIs, shadow APIs without adequate visibility and documentation, older deprecated APIs and more.

Businesses can’t effectively protect what they don’t know they have. Therefore, API discovery has an essential role to play in keeping sensitive data safe.

The state and importance of API discovery

Unfortunately, from a security perspective, it’s all too normal for organizations to not have visibility into their overall API usage. In fact, 37% of respondents to a Cequence Security and ESG survey confirm that keeping an accurate inventory of API usage is an issue affecting their use of API-based development.

Unknown and shadow APIs have become so prevalent that within minutes of using API discovery tools, customers performing API inventories often find 100 times more shadow APIs than they knew existed within their networks.

The same research found that 41% of security teams are worried about an evolving threat landscape. The attack types seen on the OWASP API Security Top 10 are being joined by issues such as content scraping, or attackers taking advantage of configuration errors to gain illicit access.

The combination of factors facing businesses today — widespread API use, low visibility, and a complex threat landscape — has led to a new era of data protection needs. Seizing the development advantages that have made API usage so popular depends on also getting the security question right.

While API discovery is absolutely essential from an overall security perspective, companies are hindered by taking a limited approach to discovering their APIs. There are two perspectives when it comes to API discovery: Inside-out and outside-in.

Inside-out means continually identifying and tracking the API inventory from within, assessing their risks and basing protection on these findings. Outside-in involves analyzing your public domain to determine a company’s API attack surface — effectively showing them what an attacker would see. These methodologies each have their limitations when companies exclusively use one or the other. This is why it’s best to combine them and get a truly comprehensive look at how data is moving through APIs.

Taking a modern API discovery approach

What does it look like when an organization gets serious about both inside-out and outside-in API discovery? The process can involve two separate tools, each responsible for a distinct part of detecting and defending an organization’s complete API footprint.

In practice, the roles of these two types of systems break down along these lines:

API discovery from the outside in

When it comes to API use, a company’s security team can’t learn everything from an internal view. Taking an exterior view of public facing APIs allows security personnel to detect issues that may otherwise go unnoticed, such as internal APIs inadvertently becoming public or issues with deprecated APIs.

An outside-in view provides a valuable perspective, revealing security and compliance issues that even standard vulnerability and penetration testing may miss. By finding every publicly visible endpoint, such a solution gives IT security teams the same view that a potential attacker would have, revealing the company’s true external attack surface.

The next step after finding a potential issue is to alert personnel so they can take action. By studying a ranked dashboard of threats, team members can prioritize the most pressing vulnerabilities facing the team.

API discovery from the inside out

Completing the story of a company’s API use requires an internal as well as external view. This allows businesses to discover, catalog and track all their APIs, whatever their origin. 

By looking at an easy-to-read dashboard, team members can see both internal and public API usage. This includes managed APIs, unmanaged APIs and any third-party APIs in use. Metrics displayed on the dashboard include usage stats for the various APIs found, such as geographic traffic information.

The discovered APIs can then be sorted by risk profile, segueing smoothly from discovery into protection and risk remediation. Once security teams know the extent of their companies’ API profiles, they can get started protecting them more effectively.

API discovery’s role in Unified API Protection

Discovery is one of the essential aspects of a modern, comprehensive approach to API protection. Such a unified method is different from the common “API security” offerings that may help organizations detect some threats targeting their APIs but don’t equip them to guard against those attacks.

API discovery is step one in the Unified API Protection lifecycle. Advanced API discovery is at its best when combined with real-time detection of threats and real-time responses to the most pressing risk factors. Organizations that know the full extent of their attack surfaces, see all ongoing traffic and have defenses ready are ideally prepared to deal with today’s API-driven development environment.

Jason Kent

For over the last 20 years, Jason has been ethically peering into Client Behaviour, Wireless Networks, Web Applications, APIs and Cloud Systems, helping organisations secure their assets and intellectual property from unauthorised access. As a consultant he's taken hundreds of organisations through difficult compliance mine fields, ensuring their safety. As a researcher he has found flaws in consumer IOT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research, community outreach and supports efforts in identifying Automated Attacks against Web, Mobile, and API-based Applications to keep Cequence's customers safe.

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...