Exploring API Discovery and Risk Prioritization
In the fast-paced world of technology, keeping track of APIs and their risks is crucial for the security and success of any organization. Continuous discovery allows companies to stay on top of changes in real time, making it easier to manage and prioritize APIs based on their life cycle and level of support.
Here are some common groups that organizations typically categorize their APIs into:
- “Rogue” or “unmanaged” APIs: These APIs are being actively used but have not been reviewed or approved by the security team.
- “Prohibited” or “banned” APIs: These APIs have been reviewed and are not approved for use within the organization or its supply chain.
- “Monitored” or “supported” APIs: These APIs are actively maintained and supervised by the security team.
- “Deprecated” or “zombie” APIs: These APIs were supported in the past, but newer versions exist that API consumers should use instead.
Quantifying API Risks
Once an organization has an API inventory that is consistently updated with its runtime APIs, the next challenge is how to prioritize APIs in terms of risk. With limited resources, risk scoring becomes essential to focus on remediations that will have the most impact.
There is no single way to calculate risk for API calls, but a holistic approach is usually the most effective. Threats can come from various sources, both internal and external, including the supply chain or attackers posing as legitimate users. While perimeter security products focus on the API request itself, examining API requests and responses together can provide insights into broader risks related to security, quality, conformance, and business operations.
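As an added example that is not part of the original article, the following Python reconciles constructed inventory and runtime-observation records into the four lifecycle groups listed above and ranks them with a simple score that combines request-side (credential seen) and response-side (sensitive data, error rate) signals. The record fields, group weights and scoring formula are assumptions chosen for illustration, not a prescribed method.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

# Lifecycle groups named in the article.
ROGUE, PROHIBITED, MONITORED, DEPRECATED = "rogue", "prohibited", "monitored", "deprecated"


@dataclass
class ApiRecord:
    route: str
    # Inventory state maintained by the security team (assumed fields).
    reviewed: bool              # has the security team looked at this API?
    approved: bool              # if reviewed, was it allowed?
    superseded_by: Optional[str]  # newer version consumers should migrate to
    # Runtime observations from continuous discovery (assumed fields).
    calls_24h: int              # exposure: how much traffic it actually gets
    auth_seen: bool             # request side: a credential was presented
    response_has_pii: bool      # response side: sensitive data is returned
    error_rate: float           # response side: share of 5xx responses


def classify(r: ApiRecord) -> str:
    """Map inventory state onto the four lifecycle groups."""
    if not r.reviewed:
        return ROGUE          # in use, never reviewed
    if not r.approved:
        return PROHIBITED     # reviewed and rejected
    if r.superseded_by:
        return DEPRECATED     # approved, but a newer version exists
    return MONITORED


# Base weight per group (assumed values).
GROUP_WEIGHT = {ROGUE: 3.0, PROHIBITED: 4.0, DEPRECATED: 2.0, MONITORED: 1.0}


def risk_score(r: ApiRecord) -> float:
    """Group weight plus request/response signals, scaled by observed traffic."""
    score = GROUP_WEIGHT[classify(r)]
    if not r.auth_seen:
        score += 2.0          # unauthenticated access to the endpoint
    if r.response_has_pii:
        score += 2.0          # sensitive data leaves in the response
    if r.error_rate > 0.05:
        score += 1.0          # quality / conformance signal
    return score * (1 + math.log10(1 + r.calls_24h))


def prioritize(records: List[ApiRecord]) -> List[ApiRecord]:
    """Highest-risk APIs first, so limited remediation effort goes there."""
    return sorted(records, key=risk_score, reverse=True)
```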