CyCognito Attack Surface Management (ASM) now offers the ability to discover APIs on an organization’s attack surface. Given the proliferation of APIs and their attractiveness to attackers, this capability is an important new tool for security teams. This post describes the issue and how CyCognito ASM solves it.
Most modern applications are built using APIs. This has caused an explosion in public-facing APIs on the internet. It’s not uncommon for an enterprise to have hundreds or even thousands of APIs exposed.
According to Gartner, 90% of web-enabled applications will have more attack surface area in exposed APIs than in the user interface. Gartner also predicted that in 2022, API abuses would move from an infrequent to the most frequent attack vector. Salt Security research showed that 94% of organizations experienced security problems in production APIs in 2022, and one in five suffered a data breach due to security gaps in APIs.
APIs, by nature, have access to application logic, sensitive data, databases, and the underlying infrastructure of the applications using them. They are prime targets for attackers. Moreover, they are easy to deploy and integrate, which makes them harder for security teams to track and manage.
There are many ways attackers can threaten an API:
Many organizations now use API gateways to handle common management tasks like authentication, rate limiting, and reporting. APIs are deployed via the gateway and can therefore be managed and tested properly.
Not surprisingly, not every API is deployed using a gateway. These unmanaged APIs pose significant security risks. There are three classes of unmanaged APIs:
All three of the above need to be known to an organization to manage risk.
To discover APIs, the CyCognito platform sends a normal HTTP request to each URL owned by an organization and then analyzes the response. If two or more of the following criteria are met, the platform tags that URL as an API endpoint:
HTTP content type is either XML or JSON
The primary way to view APIs in the CyCognito platform is via the API Dashboard (Attack Surface > Views > API Dashboard). The following information is available, as shown in Figure 1 below.
Figure 1: The API Dashboard shows total APIs by type, per organization, and those at risk.
The API Dashboard can also show you the security posture of your APIs. This allows you to assess the risk associated with your API endpoints and take necessary measures to enhance protection.
Figure 2: The security posture dashboard shows 34 endpoints without HTTPS and 231 without WAF protection.
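The discovery heuristic described above (a URL is tagged as an API endpoint only when two or more response criteria match, of which the post lists only the content-type check) together with the HTTPS posture check from Figure 2, as an added Python example that is not CyCognito's code. The path-segment and parseable-body criteria are assumptions for illustration, and the response inventory is constructed.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed inventory of (url, response Content-Type, response body),
# standing in for the HTTP responses collected from an organization's URLs.
SAMPLE_RESPONSES = [
    ("https://shop.example.com/api/v1/orders", "application/json", '{"orders": []}'),
    ("http://legacy.example.com/soap/inventory", "text/xml", "<inventory/>"),
    ("https://www.example.com/about", "text/html", "<html><body>About</body></html>"),
    ("https://cdn.example.com/data.json", "application/json", "not json at all"),
]

def content_type_is_api(content_type):
    """Criterion from the post: the response Content-Type is JSON or XML."""
    ct = content_type.lower().split(";")[0].strip()
    return ct in {"application/json", "application/xml", "text/xml"} \
        or ct.endswith("+json") or ct.endswith("+xml")

def path_looks_like_api(url):
    """Assumed criterion: a path segment such as /api/, /rest/ or /v1/."""
    segments = [s for s in urlparse(url).path.lower().split("/") if s]
    return any(s in {"api", "rest", "graphql", "soap"} or re.fullmatch(r"v\d+", s)
               for s in segments)

def body_is_structured(body):
    """Assumed criterion: the body actually parses as JSON or XML."""
    try:
        json.loads(body)
        return True
    except ValueError:
        pass
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False

def is_api_endpoint(url, content_type, body):
    """Tag the URL only when at least two criteria agree, so a lone
    JSON header (or a lone parseable HTML page) is not enough."""
    hits = [content_type_is_api(content_type), path_looks_like_api(url),
            body_is_structured(body)]
    return sum(hits) >= 2

def find_api_endpoints(responses):
    """Return discovered endpoints with a posture flag for missing HTTPS."""
    return [{"url": url, "https": urlparse(url).scheme == "https"}
            for url, ct, body in responses if is_api_endpoint(url, ct, body)]
```

With the constructed inventory, the two real endpoints are tagged, the HTML page and the mislabelled JSON file are not, and the SOAP endpoint is flagged as served without HTTPS.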
The information can be accessed on the Asset List by using the Filter & Search keyword WEB APPLICATION CONTAINS API ENDPOINTS. The Asset Details page of a particular web application will also show related APIs. This information is also available via the CyCognito API.
One of the benefits of the CyCognito platform is asset attribution. Using this feature, a security team can identify which team owns the unmanaged API.
Typically, there are three remediation paths, covering both ongoing management of the APIs and fixing any immediate security issue(s).
The feature is currently available to all CyCognito customers. Simply navigate to the API Dashboard, shown above in Figure 1, to start. If you are not a CyCognito customer and are interested in a demo, please contact us.