Maintaining a complete, up-to-date API inventory with accurate documentation is critical to understanding potential exposure and risk. An outdated or incomplete inventory results in unknown gaps in the API attack surface and makes it difficult to identify older versions of APIs that should be decommissioned. Similarly, inaccurate documentation results in risk such as unknown exposure of sensitive data and also makes it difficult to identify vulnerabilities that need to be remediated.
Unknown APIs, referred to as shadow APIs, and forgotten APIs, referred to as zombie APIs, are typically not monitored or protected by security tools. Even known API endpoints may have unknown or undocumented functionality, referred to as shadow parameters. As a result, these APIs and the infrastructure that serves them are often unpatched and vulnerable to attacks.
Attackers may gain unauthorized access to sensitive data, or even gain full server access through old, unpatched or vulnerable versions of APIs.
Research conducted by Salt Security shows a common gap of up to 40% between manually created API documentation (or schema definitions) in the form of an OpenAPI Specification (OAS) and what is actually deployed in production APIs. These gaps fall into the following three categories:
Traditional security controls like WAFs and API gateways lack capabilities to continuously discover APIs at a granular level and monitor them for changes. These security controls only know what they are configured for, requiring API schema definitions to be imported in order to gain a view of the API environment. If documentation is missing or inaccurate, as is often the case for many security teams, these traditional security controls will have an inaccurate view of the API environment.
API security solutions must be able to analyze all API traffic and continuously discover APIs. Discovery must include the ability to identify all host addresses, API endpoints, HTTP methods, API parameters, and their data types including the identification and classification of sensitive data. These solutions must provide discovery on an ongoing basis to maintain an up-to-date catalog of the API environment and accurate API documentation even as new APIs are introduced and updates are made to existing APIs.
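As an added illustration of the traffic-driven discovery described above (example code, not Salt Security's), the script below builds an inventory from a constructed traffic sample, compares it with a constructed OpenAPI-style document, and reports shadow endpoints, older (zombie) API versions, shadow parameters and parameters that carry sensitive data. The version-swap heuristic for spotting old versions and the list of sensitive parameter names are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the hand-written OpenAPI document (paths, methods, parameter names only).
DOCUMENTED_SPEC = {
    "/v2/users/{id}": {"get": ["id"], "patch": ["id", "email"]},
    "/v2/orders": {"get": ["status"], "post": ["sku", "qty"]},
}
# Constructed traffic sample (method, URL); real input would be gateway or proxy logs.
OBSERVED_TRAFFIC = [
    ("GET", "/v2/users/42"),
    ("PATCH", "/v2/users/42?email=a@x.test&role=admin"),  # "role" is undocumented
    ("GET", "/v2/orders?status=open"),
    ("GET", "/v1/users/42"),                               # older version still answering
    ("GET", "/internal/debug/config"),                     # never documented at all
]
SENSITIVE_PARAMS = {"ssn", "email", "password", "token", "card_number"}  # assumed classifier
ID_SEGMENT, VERSION_SEGMENT = re.compile(r"^\d+$"), re.compile(r"^v\d+$")

def normalize_path(path):
    """Collapse numeric path segments to {id} so observed paths match spec templates."""
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))

def build_inventory(traffic):
    """Map (path template, method) -> set of query parameter names seen in traffic."""
    inventory = defaultdict(set)
    for method, url in traffic:
        parts = urlsplit(url)
        inventory[(normalize_path(parts.path), method.lower())].update(parse_qs(parts.query))
    return inventory

def compare(spec, inventory):
    """Classify each observed endpoint against the spec and flag undocumented parameters."""
    f = {"shadow_endpoints": [], "zombie_versions": [], "shadow_parameters": {}, "sensitive_parameters": {}}
    versions = {p.split("/")[1] for p in spec if VERSION_SEGMENT.match(p.split("/")[1])}
    for (template, method), params in sorted(inventory.items()):
        key, segs = f"{method.upper()} {template}", template.split("/")
        documented = spec.get(template, {}).get(method)
        if documented is None:
            # Undocumented path that matches the spec once its version prefix is swapped for
            # a documented one: an old version that should have been decommissioned (zombie).
            old = len(segs) > 1 and VERSION_SEGMENT.match(segs[1]) and any(
                "/".join(["", v] + segs[2:]) in spec for v in versions if v != segs[1])
            f["zombie_versions" if old else "shadow_endpoints"].append(key)
        elif extra := sorted(params - set(documented)):  # documented endpoint, unlisted params
            f["shadow_parameters"][key] = extra
        if hits := sorted(p for p in params if p in SENSITIVE_PARAMS):
            f["sensitive_parameters"][key] = hits
    return f
```

Run as a scheduled job over fresh traffic, the same comparison keeps the catalog current as new endpoints and parameters appear.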