About Imvision

The only automated NLP-based API security platform that protects enterprise applications at scale

Learn More »

In 2002, Bezos supposedly sent his legendary memo, urging all Amazon product teams and departments to make their data and services available over APIs. Since then, many other companies have embraced that approach. 

Today, cloud technology enables us to build and deploy APIs rapidly, so the number of APIs is growing quicker than ever, and the API economy is in full swing. APIs multiply value by making underlying data more accessible for the rest of the company. They can lead to better composability of systems and, in turn, help companies react faster to changes in the market. 

However, it’s not all roses with APIs. While the gains might outweigh the costs, there certainly are costs - and risks. For example, if not properly secured, an API may allow unauthorized access to the data and functionality it exposes. APIs that aren’t officially documented, also known as shadow APIs, can become a huge liability if left unsecure. And having multiple APIs that do the same thing is a waste of resources. 

While it’s important to gain visibility into your organization’s entire API footprint, only 2% of enterprise security leaders feel very confident that they know every API in their organization.

Why? It’s simple: Large companies with dozens of dev teams may have hundreds, or even thousands, of APIs in use. Some are built and used internally; others are supplied by third-parties; and some may also inherit legacy APIs from a merger, lurking somewhere deep in the acquired company’s infrastructure. APIs increase the complexity of the application stack.

But while you may not know what APIs you have, where they are, who owns them, and what they are used for - someone in the organization probably does. In this post, we'll cover how you can find all the APIs hiding in your infrastructure by asking the right questions.

What you should ask your developers

The following list of questions will help you get insights into your company’s API stack. 

1. “Do we have an API catalog?”


An API catalog is a library of an organization’s available APIs, used by development teams to manage and share APIs (often through the API developer portal). This is probably the most important question to ask your development team, as the answer will reveal which APIs are mostly used in your company and by your clients and partners, representing the biggest potential exposure. Furthermore, the API catalog can be further leveraged as a security control.

Asking this question will also enable you to find out which teams are responsible for API integration, development, and operations, as you will get the most valuable answers from them.  However, while getting started with API visibility is much easier via the API catalog, it doesn't help to find shadow APIs or understand what APIs are actually used for.

2. “Which APIs do we offer our clients and partners?”


The APIs your clients and partners use are potentially the highest risk due to their level of external visibility. Fortunately, this question is usually a bit simpler to answer because your clients pay for access (at least some of them). Free APIs are more likely to go unnoticed though, so make sure you know who uses what and how much they are paying for it.

When mapping APIs exposed to partners, pay special attention to their versions. Often, partners don’t switch to newer versions in order to save on integration costs. This means that with time, a mature API may have older versions deployed that were previously provided to various partners. These older versions might pose risk if they are not properly patched, updated or monitored. 

One great way to gain insights about older API versions is to look at which APIs your oldest customers are using. When mapping client and partner-facing APIs, it’s also important to note the privileges they have, the sensitive data they can access, and the actions they are authorized to do.

3. “Which API management platforms do we use?”


API management (APIM) platforms are used by developers to organize internal and external APIs in a central location, while also providing various analytics, authentication, and security policies through the API gateway. These are all important insights and capabilities to further assess exposure and plan for security.

It’s important to note that APIM platforms offer different features and are optimized for different use cases, so it’s very common for one company to use multiple platforms, especially larger enterprises. This means that even if you are aware of an APIM platform one team is using, it’s very plausible that there are others with different APIs in them - so make sure to inquire about those as well.

4. “How are our APIs documented?”


API documentation is a technical deliverable that contains instructions on how to use and integrate a specific API. Documentation can come in different forms - most commonly, the OpenAPI or JSON Schema specifications, but it can also be a Postman collection with a set of API calls. API documentation helps your users get their work done quickly, without having to nag the API creators during every step of the integration. 

Gaining access to API documentation can shed light on an API’s functionality, including sensitive data and actions, and can uncover shadow APIs that aren’t listed in the catalog or managed through an APIM platform. This is usually the case with older versions, as well as with APIs that were originally internal and became open to third parties without a proper process.

However, API documentation can become outdated, meaning that the actual implementation and access that APIs enable might differ from what’s documented. 

5. “What’s the process of testing APIs?”


Quality assurance is a big topic in API development, and knowing how your APIs are tested can give you insight into their security and performance. When your APIs are being updated, tests can become a key security control by helping you understand what changes are about to be implemented, why and by who, so that you can re-evaluate your runtime security controls.

 

See How Imvision's Platform can Defend Your API
demo banner

6. “Where do we log and monitor our API usage?”

 

Actual API traffic is a great source of insight into the APIs that are published and used by your organization. However, as different teams have different goals, it’s likely that you won’t get the same answer to this question twice. For example, your product teams might be more interested in the customer usage of your APIs, while engineering teams will look into performance or stability—and will use different tools built for each purpose.

Still, this question can uncover the traffic that actually flows through your networks, helping you discover the APIs that no one tells you about and understand how they are used, by who, and for what. This can be the basis for subsequent anomaly detection, as well as for investigation purposes in case of a breach.

7. “How is version management for APIs handled?”

 

One API can be deployed with multiple versions and, depending on the changes that happened in every version, could offer a different set of functionalities. The problem is that older versions tend to be less maintained and documented, which may introduce security vulnerabilities.

First, find out your teams’ deprecation policies and then the versioning schema they use. This may not not reveal the older versions that exist directly, but it will point you in the right direction to begin your search.

Conclusion

API discovery is crucial for every modern company. That’s because while APIs create tremendously powerful synergies, they can also become a liability. Every API can potentially be compromised and leak its data to bad actors.

But API discovery isn’t just a technicality. Teams can be very protective of their APIs if they think those APIs give them leverage in company decisions. Therefore, discovery isn’t just about asking questions, but also about seeing the context in which those questions are asked —and navigating the related complexities. 

Learn more about how Imvision can help you discover and protect all of your APIs

It’s time to bullet-proof your APIs from potential attacks