DEV Community

yayabobi
yayabobi

Posted on • Originally published at openappsec.io

What is API Discovery, and How to Use it to Reduce Your Attack Surface

APIs are the bilingual translators of the software world, enabling applications to communicate with one another seamlessly.

However, attacks targeting APIs increased by 400% at the start of 2023, and 90% of cybersecurity investigations reveal API security vulnerabilities. Although it might seem like this problem is too colossal to fix, there is a way.

What is API Discovery?

API (Application Programming Interface) discovery is the process of cataloging all internal and third-party APIs used within your organization. It helps developers find existing APIs that fulfill specific functions, avoiding redundant work and seamlessly integrating them into new applications.

APIs are crucial in software development, enabling different software applications to communicate. However, keeping track of all APIs can become challenging as your project scales. That's why API discovery is a lifesaver. There are an array of API discovery tools available, each designed to cater to different aspects of API management and security.

7 Types of API Discovery Tools

  1. Automated Scanners: Scan networks and applications to identify APIs.

  2. API Catalogs: Act as organized repositories maintaining up-to-date information about APIs.

  3. API Security Platforms: Focus on both discovery and security assessment. They identify vulnerabilities in APIs and provide solutions to address them.

  4. API Monitoring Tools: Track APIs' real-time activities, reveal usage patterns, and detect security breaches or performance issues.

  5. API Documentation Generators: Automate the creation of API documentation.

  6. Network Traffic Analysis Tools: Specialize in identifying API-related patterns and interactions. 

  7. Web Application Security Scanners: Target APIs within web applications to detect security vulnerabilities like SQL injection, CSRF, and XSS.

How do APIs work

Security Risks of Hidden APIs

As organizations increasingly rely on APIs, hidden APIs become a significant cybersecurity threat. Since they lack appropriate security measures, they are prime targets for exploitation. Here are the key risks associated with hidden APIs:

  • Unnoticed Exploitation Opportunities: Hidden APIs allow hackers to exploit them without immediate detection, providing ample time to inflict damage or steal sensitive data.

  • Ambiguous Data Transmission: The need for more transparency in shadow APIs creates uncertainty about data transmission.

  • Regulatory Compliance Challenges: Hidden APIs can lead to non-compliance with data protection laws. Organizations could face severe penalties for non-compliance in the event of a breach. 

  • Incomplete Discovery and Management: Traditional API discovery methods, which focus on internal tracking, may not reveal APIs visible to external attackers. This inside-out approach can miss APIs that are accidentally exposed or improperly secured.

  • Dynamic API Environment Challenges: Modern APIs are dynamic and constantly evolving. New APIs are frequently deployed, and existing ones are updated or retired. This constant change can make it challenging to track and secure all APIs.

What is the Difference Between Manual and Automatic API Discovery?

Understanding the characteristics of manual and automatic API discovery is key to selecting the best method for your organization.

Manual API Discovery

Manual API discovery is a hands-on approach where team members manually track and record the APIs used within your organization. It is suitable for smaller, less complex environments but faces challenges in larger, dynamic settings.

Pros:

  • More manageable in environments with fewer APIs.

  • Offers detailed troubleshooting and direct API interaction.

Cons:

  • Requires significant human effort and dedicated personnel.

  • Often misses hidden or undocumented APIs.

  • Human mistakes can lead to inaccurate documentation.

Automatic API Discovery

Automatic API discovery uses software tools to identify and document APIs automatically. It is best suited for large-scale, dynamic environments where managing a high volume of APIs and frequent changes is essential.

Pros:

  • Rapidly identifies APIs, saving time and effort.

  • More likely to find all APIs, including hidden ones.

  • Reduces human error.

  • Some tools offer immediate monitoring for security and performance.

  • Maintains uniform discovery methods across teams.

Cons:

  • Automated tools might incorrectly identify non-API elements as APIs.

  • Setting up automated discovery tools can be complex and time-consuming.

Why is API Discovery Important?

  • Enhanced Security Insights: Provides visibility into all APIs, helping to identify weak authentication and spotting inadequate security in data handling.

  • Efficient Software Testing: Improves API testing accuracy with access to current API versions and uncovers less obvious or undocumented APIs.

  • Improved Compliance Management: Helps maintain compliance with data protection laws by ensuring all APIs are accounted for and audited.

  • Streamlined Development: Optimizes development processes by identifying reusable APIs and helping integrate new services or systems.

  • Proactive Risk Management: Provides early detection of security weaknesses in APIs and supports strategic planning for API security challenges.

How to Use API Discovery to Reduce Your Attack Surface

Let's explore six practical methods and best practices for employing API discovery to safeguard your digital assets.

1. Use API Discovery Tools

Example API

Automated API discovery tools are essential in identifying both known and unknown APIs. These tools scan various segments of your network and catalog APIs, offering insights into their operations and potential vulnerabilities.

Actionable Tips:

  • Configure Swagger UI or a similar tool for automated scanning and documentation of your network's APIs. Here's a basic example of how to set up a Swagger configuration file (swagger-config.yaml) for API documentation:

swagger: '2.0'

info:

  title: Sample API

  description: API documentation for our sample API

  version: 1.0.0

host: api.sample.com

basePath: /v1

schemes:

  - https

paths:

  /users:

    get:

      summary: Gets a list of users

      responses:

        200:

          description: Successful response

  • Implement automated tools like Apigee or Kong to get detailed analytics and security insights for your APIs.

Proxy Perfomance

2. Explore API Marketplaces

API marketplaces provide a platform for discovering and using APIs and offer community feedback, security insights, and usage analytics. They are ideal for finding APIs vetted and reviewed by other developers and companies.

Actionable Tips:

  • Use platforms like Check Point API Reference to explore APIs that fit your automation needs. 

  • Use APIs.gurufor exploring well-documented OpenAPI files. For example, imagine you are interested in integrating a weather API. By searching for "weather" on APIs.guru, you find several options.

API Guru

3. Conduct Regular API Audits

API auditing systematically reviews and analyzes APIs to ensure they are secure, efficient, and compliant with relevant standards and policies. In addition, regular audits can uncover performance issues and inefficiencies in API designs and help keep API documentation up to date.

Actionable Tips:

Automated scan using OWASP ZAP

zap-cli start

zap-cli open-url http://your-api-endpoint.com

zap-cli active-scan --recursive http://your-api-endpoint.com

zap-cli alerts -l Informational

  • Use automated scripts to regularly test your API endpoints against common vulnerabilities like SQL injection, cross-site scripting (XSS), etc.

import requests

from bs4 import BeautifulSoup

Example of a simple script to test for XSS vulnerability

def test_xss(api_endpoint):

    payload = "alert('XSS')"

response = requests.post(api_endpoint, data=payload)

    if payload in response.text:

        print(f"Potential XSS vulnerability detected in {api_endpoint}")

test_xss("http://your-api-endpoint.com/api/v1/login")

  • Regularly check APIs against industry standards like RESTful API guidelines.

4. Understand API Specifications

Deep knowledge of API specifications is key to understanding how APIs interact with your systems. This step involves thoroughly examining API documentation, focusing on authentication, authorization, and data handling practices.

Actionable Tips:

  • Use tools like Check Point's AI-powered Infinity to prevent threats across your entire security infrastructure, including endpoints.  

  • Use Redoc to generate user-friendly API documentation.

  • Define a routine for periodically reviewing and updating API specifications. For example, you can create an automation script with swagger-cli like this:

!/bin/bash

Script to pull latest API specs and update documentation

git pull origin master

swagger-cli bundle -o ./path/to/swagger.yaml ./path/to/api-specs/

echo "API specifications updated and bundled with Swagger."

5. Implement API Gateways

API gateway

API gateways are the entry point for managing and securing API traffic. They provide essential functions like authentication, rate limiting, request/response transformation, and collecting analytics.

Actionable Tips:

  • Configure security policies in Amazon API Gateway. For example, you can set a rate limit in the API Gateway throttling setting like the below:

"Type": "TOKEN_BUCKET", 

"rateLimit": 100, 

"burstLimit": 200 

}

  • Enable logging and monitoring in your API Gateway settings. For AWS, this can be done by integrating with CloudWatch. The below alarm configuration triggers an alert if there are more than 50 5XX errors within 5 minutes.

{

  "AlarmName": "High API Traffic",

  "MetricName": "5XXError",

  "Namespace": "AWS/ApiGateway",

  "Statistic": "Sum",

  "Period": 300,

  "EvaluationPeriods": 1,

  "Threshold": 50,

  "ComparisonOperator": "GreaterThanThreshold"

}

6. Use open-appsec

open-appsec platform

open-appsecis one of the best web application firewall (WAF) and API security solutions. It stands out with its innovative ML-based engine that continuously learns and adapts to ensure your API security measures stay ahead of evolving cyber threats.

open-appsec is not limited to API security; it offers a variety of other benefits, too:

  • Prevents OWASP-10 and zero-day threats automatically with the ML engine.

  • Continuous monitoring ensures your web applications are always protected.

  • Easy integration with Kubernetes, NGINX, GraphQL, HELM, and more.

  • Automatically stops and blocks malicious requests.

  • Protects against over 2,800 Web CVEs based on award-winning NSS-Certified IPS.

  • Sets a cap on how many requests can be made to APIs within a certain period.

open-appsec is an open-source project that builds on machine learningto provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.

To learn more about how open-appsec works, see this White Paperand the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.

Top comments (0)