Out of the Shadows: API Discovery and Security

APIs are everywhere

The connected world runs on APIs. Your banking app uses them, your ride share app uses them, even that weather app you check before walking out the door, it gets that data from an API. We interact with them multiple times throughout our daily life, to do everything from the most essential to the most mundane. They are simply everywhere and more and more are being published every day.

As you would expect, this proliferation of APIs has marked them as a prime target for malicious actors. In the last couple years there have been quite a few well publicized attacks. From social media to fitness firms, no industry seems to be safe. With recent reports indicating that API vulnerabilities are costing businesses billions of dollars annually, it’s no wonder they are at the top of mind of many cyber security professionals.

Documentation and Inventory

With APIs being such an attractive target for the bad guys, it is important to have a solid process for publishing them. Part of this process is proper documentation of how the API behaves and how it interacts with other APIs. In the case of RESTful APIs, this documentation is done using the OpenAPI aka Swagger specification. With F5 Distributed Cloud Web App and API Protection (XC WAAP), security teams can take that specification file, upload it to the platform, and use it to build a comprehensive inventory of all known APIs, their endpoints, and expected operations (HTTP methods).

This inventory is then used to build an effective security policy to protect your APIs. But as most of us know, when it comes to deadlines, one of the first things that gets dropped is documentation. You can't protect what you can't see.

Hidden Vulnerabilities

In the dark corners of the application landscape lurk the Shadow APIs. These are rogue APIs that are published outside of defined management and security processes and are a prime target for attackers. Whether they are simply undocumented or third-part APIs outside of your control, they are unseen by your security infrastructure and unprotected. These can be a severe risk to an organization, so much so that they have been included in the OWASP API Security project as part of API9:2019 Improper Assets Management. Discovering, inventorying, and protecting these APIs is of critical importance.

Shining a Light - API Discovery

The most effective tool we have available to bring these nefarious APIs out of the shadows, is API Discovery. The F5 XC WAAP platform learns the schema structure of the Shadow API by analyzing sampled request data, then reverse-engineering the schema to generates an OpenAPI spec. This can then be ingested and inventoried, just like our properly documented APIs, closing the security loophole. This learning process runs periodically, ensuring the API inventory is as up to date as possible. This doesn't mean we can be lazy in our documentation; it means we can catch things that get missed or are out of our control.

Schema Validation

Schema validation based on the OpenAPI Specification is a critical component of a robust API security strategy. It ensures that API requests and responses align with the schema defined in our specification, reinforcing data structure conformity and validating input/output data. By implementing schema validation, organizations can bolster the integrity, security, and interoperability of their APIs while proactively addressing potential vulnerabilities. The F5 XC WAAP platform provides flexible configuration options, allowing you to apply schema validation to all or specific endpoints within your API Definition. With multiple enforcement types and a customizable set of properties to validate against your specification, you have granular control over the validation process. Additionally, the platform supports the creation of fall-through rules to effectively handle any shadow APIs that may arise.

Visibility and Dashboards

In today's dynamic API landscape, maintaining comprehensive visibility into the security posture of your endpoints is paramount. Dashboards play a crucial role in providing this visibility, allowing you to effortlessly monitor and assess the security of your APIs. The F5 XC WAAP platform goes beyond basic API inventory management by offering advanced dashboards that present essential security information based on actual and attack traffic. Within the API Endpoints Dashboard, you gain valuable insights into critical security aspects. You are presented with the Top Attacked APIs by percentage of attacks, Top Sensitive Data types found, Total API calls broken down by response code, and Most Active APIs. In the table view of the inventory, you can easily access information such as discovered sensitive data types, threat levels determined by attack traffic, authentication status, API category, and the risk score assigned by the platform. This consolidated view enables you to quickly identify potential vulnerabilities, prioritize remediation efforts, and make informed decisions to strengthen the overall security posture of your APIs.

The threat cannot be ignored

We increasingly rely on applications for some of the most important aspects of our lives. Given the sensitive nature of the data that can be exposed by unprotected APIs, the need for effective security cannot be stressed enough. Recent breaches have exposed everything from your credit score to your age, gender, and even how often you work out. Worst of all we have seen unprotected APIs expose Personally Identifiable Information and login credentials of 37 million people. The threat is real and cannot be ignored.

With F5 Distributed Cloud Web App and API protection security teams can discover, inventory, and secure their critical APIs. Helping you defend your known endpoints and bring those rogue Shadow APIs into the light.

DevSecOps and F5 Distributed Cloud API Security

No modern security strategy is complete without incorporating DevSecOps practices. Integrating security into the entire software delivery lifecycle is essential for delivering secure applications with speed and quality. Deploy the API Discovery and Security discussed in this article using Infrastructure as Code and GitHub Actions. The F5 Distributed Cloud WAAP Terraform Examples repository is a great jumping off point for organizations looking to deploy the F5 XC solutions showcased here using DevSecOps practices.