Shadow APIs require a search light of discovery
Rapid cloud-native services adoption leads to poor visibility of security risks and data vulnerabilities from uncharted APIs use
Since early 2020, being able to quickly develop and use cloud-based applications and services has become a standard rapid response to satisfy the need for IT innovation and to meet new demands for digital business outcomes.
At breakneck speed, APIs from many sources are being adopted across most organizations. APIs are now at the core of the expanding digital business economy – and they are here to stay. Already somewhere in the neighborhood of 7.1 billion APIs are in some form of use all around the globe. Microsoft Azure, AWS, and Google clouds are all foundries for API adoption.
Yet, despite their popularity, few people inside of the companies using APIs can tell you how those APIs are in operation — never mind how many are touching their most sensitive data. Could anyone deliver a rudimentary graph predicting how many more APIs will be in use in six months? Almost certainly not. But expect the numbers to continue to skyrocket.
The rationale for applications developers and cloud services architects to use APIs won’t be easily dissuaded. APIs make their jobs easier, can be accessed quickly from many third-party sources, and have become a core and irreplaceable commodity supporting digital businesses. Fast-emerging API marketplaces will further drive usage and the potential for unforeseen vulnerabilities.
As with past rapid-adoption IT patterns, too much of a good thing can grow unwieldy, ungoverned, and adopted in the shadows. The usage grows faster than the needed security precautions can be implemented and enforced. The same unappreciated and rising risk is happening with APIs. As a result, by the end of 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications, according to consultancy Gartner.
For comprehensive API security across the shadow API land grab, organizations must understand all the APIs in their ecosystems, as well as the specific risks associated with each of them to both detect and protect against attacks. Such protection won’t come from bottling APIs up or imposing draconian rules limiting their use and exploitation.
“Securing APIs is a multi-layered approach. My philosophy is that APIs are meant to be exposed. We expose APIs to enable developers to do amazing things on our platform,” according to Rinki Sethi, Vice President and Chief Information Security Officer (CISO) at Twitter, when we interviewed her in November, 2021. “Each API introduces its own risk, and there must be a multi-layered approach in how you go and secure that.”
The first step on the journey to a proper and responsive shadow API security posture is attaining a comprehensive understanding of all an organization’s APIs. Similar to asset inventory management, API security requires a clear, holistic view of all APIs and associated data flows. A simple list is not enough, however. The meta data of how APIs operate in context is essential. Which new and shadow APIs were introduced recently? By whom and for what purpose? Which API’s are external-facing versus internal facing? Which have sensitive data coming in, or going out? These are the questions organizations must answer to determine how their APIs in their current and constantly changing use are secured properly – and which ones have serious vulnerabilities.
Only when such a qualitative and quantitative API inventory is in place can today’s businesses begin to protect their applications, services, data, and processes. You can’t protect what you are not aware of. An up-to-date inventory and real-time, on-going discovery are indispensable to gain proper and actionable visibility into all the APIs an organization produces and consumes. The inventory, or catalog, opens a full understanding of sensitive data flows to and from all the APIs and uncovers the application logic, an essential ingredient to enable relevant security policies and detection signatures. Most security solutions lack the ability to penetrate and mine the logic to determine if it’s vulnerable, being misused, or under attack.
To influence the development and improvement of shadow APIs, knowledge is power. And for applications and processes developers, knowledge about the empirical behavior of their services in operation, in the field, provides unparalleled power to secure, improve, and enhance their applications. For example, developers can rapidly discover design flaws or problems in their API specifications that could potentially lead to exploitation.
Analysis of APIs behavior is growing in prominence as a way to provide a high-level summary of critical endpoint details that can be seen in a single view. API dependencies and risks can be inventoried entirely, probably for the first time. And developers are not the only beneficiaries. For the organization’s security teams, such insights provide unassailable risk monitoring capabilities. Continuous API risk monitoring helps the security team prioritize their focus and identify critically needed efforts.
Especially for monitoring sensitive data flows and user activity tracking, shadow API risk monitoring sets the stage for an even higher-order value. API conformance and compliance parameters can be set and enforced. What was a developer and security officer benefit, now becomes a stalwart tool of the governance, risk, and compliance officers. Knowledge of shadow API adoption, it turns out, needs to be shared widely in companies.
“APIs need a shared responsibility model,” said Alissa Knight, recovering hacker, CISO, and partner at Knight Ink. One of the first things I learned from being a CISO was, “Wow, I’m in the business of relationships. I’m in the business of forming a relationship with my chief fraud officer, my CTO, and the human resources officer.”
The API intelligence gift-that-keeps-giving endows each of a businesses’ governance, risk and compliance (GRC) functions by delivering true API governance and risk management. Ongoing and continuous insights into sensitive data flows and ease in determining data classification (such as PII, PCI, HIPAA, GDPR, etc.), allow for evaluating all third-party data and API risk. The end result is simplified auditing and compliance thanks to breadth and intelligence for shadow API vulnerability detection and tracking insights.
And knowledge about how APIs form an integral part of the digital business supply chain not only benefits the API lifecycle — it can impact and transform the culture around security. Because discovering and securing APIs requires more data and analysis than measuring and blocking, the process can be a security culture change-agent.
API security culture
At cloud business solutions services provider Atlassian, API security tools have a larger role than just detecting vulnerabilities amid shadow API sprawl. They should also promote a new way of thinking about security, even be part of instilling a new culture around security and who is responsible for it, says the Australian company’s CISO.
“We used to describe applications as being monoliths. There were very few parts of the application that were exposed. At this point, most applications are microservices. And that means across an application, there might be 1,000 different parts of the application that are publicly exposed. They all must have some level of security checks being done on them to make sure that if they’re handling an input that might be coming from the other side of the world that it’s being handled correctly,” said Adrian Ludwig, CISO at Atlassian.
“We have to think about that. How do we design processes to deal with that? How do you design technology, and what’s the culture that needs to be in place? I think part of it is having a culture of every single developer being conscious of the fact that the decisions they’re making have security implications,” he said.
“But once you have that sort of culture, you start thinking, ‘Okay. How do I actually monitor what’s going on in each of the different areas?’ With that visibility, exposure, and understanding what’s going in and out of specific applications, you can detect when there’s something you’re not expecting,” said Ludwig. “That turns out to be really difficult, if what you’re looking at is very big and very, very complicated.”
Being able to trace behaviors within the pieces of an application as it’s in operation, and understanding which APIs each of those different microservices is exposing, turns out to be a really important task for Atlassian and its army of developers.
“If you combine decomposing applications into smaller pieces with monitoring what’s going on in them and creating a culture where anybody can find a potential security flaw, surface it, and react to it — those are good building blocks for having an environment where you have a lot more security than you would have otherwise,” concluded Ludwig in a podcast chat with Dana Gardner from Interarbor Solutions.
The payoffs from greater visibility and shared insights into API behaviors are substantial and enduring. That shift in understanding helps turn development organizations into security-minded innovators with customer experience and operational resilience as top-of-mind, together.
“The result over time is you get closer to a good product because you can gain feedback from customers, you’re able to see how it’s working in reality, and you’ll be able to get testing that takes place with real data. There are lots of advantages to that,” said Ludwig. “But the critical part of it, from a security standpoint, is it makes it possible to respond to security flaws in near real-time.”
API protection via API intelligence
Applications and services, increasingly interconnected in the API economy, are exposed to a range of interactions – from normal benign traffic to creative and malignant attacks from threat actors around the world. Application owners and security professionals face an unprecedented challenge of understanding what is actually happening in these applications and services. The complexity of application architectures and continuous delivery of new features and updates makes this a uniquely difficult and ongoing challenge.
Advanced analytics of API ecosystem data uncovers a treasure-trove of information that can be used in myriad ways. Beyond a basic inventory and discovery of shadow APIs, an API catalog accounts for the business risk of each of the APIs and potential data exposure that is passed through the APIs. API usage starts and ends with users who are engaging in business transactions, so the analysis includes who is using APIs, how often, and to what degree. By also knowing where they are coming from, geographic-sensitive insights about API usage helps security teams identify how their systems may be under siege by an adversary.
Analysis of API and applications usage patterns provide valuable insights into both typical application and business activities. More importantly, usage patterns can indicate intentional attacks, anomalies, or unintentional (defects) anomalies.
Mining APIs across an organization for their true use and nature is clearly a gift that keeps giving. From compliance, to a broader security culture, to an ability to optimize and govern API uses and outcomes, an API knowledge base has become indispensable.