Source code: The source of truth for securing the API attack surface
Most organizations find themselves in the midst of their API security journey, racing to keep pace with expanding API ecosystems in a colossal threat landscape. As a core enabler of modern applications, facilitating seamless connectivity and powering mobile and web applications, APIs are everywhere. The DevOps revolution has transformed the pace at which developers design and build APIs, and security teams cannot match that pace.
Large enterprises are operating with tens of thousands of APIs, and even small organizations have a surprising number, both internal and external. With applications and API portfolios becoming increasingly complex, maintaining a comprehensive understanding of all existing APIs has emerged as a significant hurdle. As APIs can quickly become obscured or forgotten, many organizations lack accurate context into the sheer scale and volume of APIs that persist across their infrastructure -- subsequently resulting in the absence of a full picture of their attack surface. As one cannot secure what they cannot see, the absence of discovery mechanisms opens organizations to a host of security risks. That is why API discovery is now a crucial process for security teams, designed to identify, catalog, and assess APIs.
As there are many different sources of APIs, from those developed internally to those provided by third-party providers, discovery helps organizations create an up-to-date inventory of all APIs. API discovery bolsters API governance and posture, and provides security teams with the comprehensive intel required to make more informed decisions about API usage. It also helps organizations determine the volume of resources they require to help with C-level buy-in and informs the creation of stronger API testing policies.
However, to derive the most value out of API discovery and accumulate accurate, reliable data, a new approach is required. Most of the methods in use today are incomplete. Traditionally, API discovery has been carried out with tools that sit on API gateways and monitor traffic to determine where APIs exist. But analyzing traffic on a gateway or evaluating API logs will only ever help organizations discover the APIs that are active and already in production. That is a highly inefficient way to understand and define an organization's entire API ecosystem.
As APIs live in an organization's code base, source code is the only underlying source of truth to unlocking a comprehensive view of an enterprise's attack surface and the most effective way to gather a full scope of APIs and applications. If an organization built it, then it's in code and it's in source code repositories. Leveraging source code repositories enables organizations to effectively and accurately determine where all APIs exist and the breadth and depth of their accompanying risk.
Adopting discovery mechanisms that connect directly to an organization's code repository will enable security teams to identify which of these repositories have a framework that indicates that there are web applications or APIs within them. This unique process will identify repositories that contain assets that should be under security test, and also illustrate the volume of code commits within these to help organizations articulate which are the most active repositories. This will allow security teams to prioritize testing for repositories with higher volumes of assets. The practice will also unearth how often code is deployed among all of the different assets to help teams set appropriate security testing mechanisms that occur in a timely cadence.
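To make the repository-level discovery described above concrete, here is an added example (not code from the article or from StackHawk) of a small scanner that takes the source files of several repositories, detects web frameworks by their import signatures, extracts route declarations, and ranks repositories by endpoint count and recent commit activity. The repositories, file contents and commit dates are all constructed sample data; the framework and route patterns cover FastAPI/Flask-style decorators and Express-style calls, and the priority formula is an assumed heuristic, not a published one.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# --- Constructed sample input (not from any real repository) ----------------
# Each repository is a mapping of file path -> file contents, the form a
# repository connector would hand to the scanner.
SAMPLE_REPOS = {
    "payments-service": {
        "app/main.py": (
            "from fastapi import FastAPI\n"
            "app = FastAPI()\n"
            "@app.get('/v1/accounts/{id}')\n"
            "def get_account(id: int): ...\n"
            "@app.post('/v1/transfers')\n"
            "def transfer(): ...\n"
        ),
        # Internal-only router: never visible to a gateway-based discovery tool.
        "app/internal.py": (
            "from fastapi import APIRouter\n"
            "router = APIRouter()\n"
            "@router.delete('/internal/ledger/{id}')\n"
            "def purge(id: int): ...\n"
        ),
    },
    "legacy-portal": {
        "server.js": (
            "const express = require('express');\n"
            "const app = express();\n"
            "app.get('/admin/users', listUsers);\n"
            "app.put('/admin/users/:id', updateUser);\n"
        ),
    },
    "data-pipeline": {
        "etl/run.py": "import pandas as pd\n\ndef run():\n    return pd.DataFrame()\n",
    },
}

# Constructed commit dates per repository (what `git log --format=%cs` would list).
SAMPLE_COMMITS = {
    "payments-service": ["2024-05-01", "2024-05-03", "2024-05-10", "2024-05-12"],
    "legacy-portal": ["2023-11-02"],
    "data-pipeline": ["2024-05-11", "2024-05-12"],
}
TODAY = date(2024, 5, 14)  # fixed so the activity window is reproducible

# --- Framework and route signatures (assumed, covering two common styles) ---
FRAMEWORK_SIGNATURES = {
    "fastapi": re.compile(r"^\s*(?:from fastapi import|import fastapi)", re.M),
    "flask": re.compile(r"^\s*(?:from flask import|import flask)", re.M),
    "express": re.compile(r"require\(['\"]express['\"]\)|from ['\"]express['\"]"),
}
# Flask/FastAPI decorators and Express calls share the shape
# <app|router>.<verb>('<path>' ...); the decorator's '@' is only a prefix.
ROUTE_PATTERN = re.compile(
    r"\b(?:app|router|api|bp)\.(get|post|put|patch|delete|route|all)\(\s*['\"]([^'\"]+)['\"]"
)


@dataclass
class RepoInventory:
    name: str
    frameworks: set = field(default_factory=set)
    endpoints: set = field(default_factory=set)  # (METHOD, path, file)
    recent_commits: int = 0

    @property
    def in_scope(self) -> bool:
        """A repository needs API security testing if it carries a web framework or routes."""
        return bool(self.frameworks or self.endpoints)

    @property
    def priority(self) -> int:
        """Assumed ranking heuristic: more endpoints and more recent change -> test sooner."""
        return len(self.endpoints) * (1 + self.recent_commits)


def scan_repo(name: str, files: dict) -> RepoInventory:
    """Detect web frameworks and route declarations in one repository's files."""
    inv = RepoInventory(name)
    for path, text in files.items():
        for fw, sig in FRAMEWORK_SIGNATURES.items():
            if sig.search(text):
                inv.frameworks.add(fw)
        for verb, route in ROUTE_PATTERN.findall(text):
            method = "ANY" if verb in ("route", "all") else verb.upper()
            inv.endpoints.add((method, route, path))
    return inv


def build_inventory(repos: dict, commits: dict, today: date, window_days: int = 30) -> list:
    """Scan every repository, attach recent commit activity, and rank by priority."""
    cutoff = today - timedelta(days=window_days)
    result = []
    for name, files in repos.items():
        inv = scan_repo(name, files)
        inv.recent_commits = sum(1 for d in commits.get(name, []) if date.fromisoformat(d) >= cutoff)
        result.append(inv)
    return sorted(result, key=lambda r: r.priority, reverse=True)


if __name__ == "__main__":
    for inv in build_inventory(SAMPLE_REPOS, SAMPLE_COMMITS, TODAY):
        flag = "TEST" if inv.in_scope else "skip"
        print(f"[{flag}] {inv.name}: frameworks={sorted(inv.frameworks)} "
              f"endpoints={len(inv.endpoints)} recent_commits={inv.recent_commits}")
        for method, route, path in sorted(inv.endpoints):
            print(f"    {method:6} {route}  ({path})")
```

Running the block lists `payments-service` first (three endpoints, four commits in the last 30 days), then `legacy-portal`, and marks `data-pipeline` as out of scope because it carries no web framework or routes. Note that the `/internal/ledger/{id}` route is found purely from source; a gateway-traffic approach would only see it if it were routed through the gateway and actively called.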
Security teams often focus on securing the most outward-facing endpoints and tend to ignore equally sensitive and powerful internal APIs, especially when strapped for resources, as most security teams are. But all APIs, not just the internet-facing ones, are important to secure. Those internal APIs also have access to valuable data, and you must be able to scale security measures across them to have an effective security program.
Conducting API discovery at the source code level will not only help organizations create accurate API inventories but also facilitate collaboration and understanding between security and development teams. As the pace of innovation continues to accelerate and change, many security professionals are largely removed from modern software development practices, often lacking the context into certain functions and policies. When security teams discover a previously untested asset through API discovery, it will enable them to reach out to developers and gain a deeper understanding of an asset's purpose to streamline the process of bringing similar assets under security test in the future.
As attackers continue to set their sights on APIs, discovery is a pivotal practice for deriving comprehensive insight into one's attack surface. Existing methods such as monitoring API gateway traffic fall short, failing to uncover APIs beyond those that are active. Taking an inside-out approach to discovery and identifying APIs and applications from source code is the only way to provide security teams with an accurate and complete picture of their attack surface. It is a practice that will strengthen security teams' ability to pinpoint and prioritize the APIs and applications that need to be under security testing.
Image Credit: Jirapong Manastrong / Dreamstime.com
Scott Gerlach is CSO and co-founder at StackHawk.