Caves and mud
The 2018 rescue at Tham Luang Cave was a high-stakes operation in northern Thailand to bring out a youth soccer team and its coach trapped in a flooded cave. Monsoon rains had flooded the passages and blocked their exit. The rescue involved an international team of divers, cave experts and volunteers. For 18 days, rescue teams worked around the clock to navigate treacherous passages and drain floodwater, and all 13 people were brought out safely. One defining feature of the effort was that the water was so murky the divers could see nothing; the operation was carried out almost entirely by feel.
The importance of visibility
We do not usually connect the physical sensation of being unable to see with its equivalent in a digital environment, but the anxiety it produces is nearly the same. Without visibility you cannot "see" what is going on in your systems, and engineers are left to fumble their way through the tech stack. That slows all work down and makes every change risky.
The inability to see what is happening leaves room for attacks that go undetected or unmitigated. This is especially true for APIs. APIs are notoriously hard to secure because they change constantly (updates, upgrades, feature releases, infrastructure changes and hotfixes) and because they accept connections from countless clients at any given moment.
A missing API inventory is both common and a real problem: threat actors "leverage APIs that are completely unknown to your organization (shadow APIs or zombie APIs) or have no visibility into your security posture, such as unmanaged or third-party APIs."
Shadow APIs are APIs that are undocumented, not publicly documented, or not officially supported by the organization. They may not follow security best practices yet are exposed to many users, which makes them a common API threat: anyone can reverse engineer an unofficial API to reach the functionality of the underlying service or application. Because they are not officially approved or maintained and can change without notice, relying on them is risky and can break integrations.
A zombie API is an abandoned, obsolete or forgotten API or endpoint that once provided a specific function but is no longer needed or has been superseded by a newer version. The main concern is that zombie APIs are not maintained or patched, which makes them easy targets for exploitation.
API visibility is your best friend
There is a way to clear up the muddy landscape surrounding API management and maintenance, and it’s a multi-pronged approach.
Identification and inventory
Improper inventory management is item #9 in the OWASP API Security Top 10. Attackers exploit the unknown endpoints this creates to gain "unauthorized access via older API versions or endpoints that run unpatched and use weaker security requirements." You cannot patch, test or monitor an endpoint you do not know exists, so the inventory has to come first.
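A practical way to start the inventory is to reconcile what is documented against what is actually being called. The script below is an added example, not code from the article: it takes a constructed OpenAPI-style path list (with some routes marked deprecated) and constructed access-log lines, then reports shadow APIs (paths receiving traffic that are absent from the spec) and zombie APIs (deprecated routes still receiving traffic), together with the client addresses hitting each. The spec, log lines and IP addresses are all invented for illustration.

```python
"""Reconcile a documented API inventory against observed traffic.

Shadow APIs: paths seen in traffic but absent from the documented spec.
Zombie APIs: paths the spec marks as deprecated that still receive traffic.
"""
import re
from collections import Counter

# Constructed spec: an OpenAPI-style path list for a hypothetical service.
# "deprecated": True marks endpoints that were replaced by a newer version
# and should no longer be receiving traffic.
SPEC = {
    "/api/v2/users/{id}": {"deprecated": False},
    "/api/v2/orders": {"deprecated": False},
    "/api/v1/users/{id}": {"deprecated": True},
}

# Constructed access-log lines (common log format); IPs are documentation ranges.
ACCESS_LOG = """\
203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jul/2024:12:00:02 +0000] "POST /api/v2/orders HTTP/1.1" 201 88
198.51.100.7 - - [10/Jul/2024:12:00:03 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 498
198.51.100.7 - - [10/Jul/2024:12:00:04 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
192.0.2.9 - - [10/Jul/2024:12:00:05 +0000] "GET /api/v2/users/7/export?format=csv HTTP/1.1" 200 90000
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def template_to_regex(template):
    """Turn "/api/v2/users/{id}" into a regex where each {param} matches one path segment."""
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def match_spec(path, spec):
    """Return the spec template that matches a concrete request path, or None."""
    path = path.split("?", 1)[0]  # the query string is not part of the route
    for template in spec:
        if template_to_regex(template).match(path):
            return template
    return None


def reconcile(spec, log_text):
    """Classify observed traffic into shadow and zombie hits, with the calling sources."""
    shadow = Counter()   # concrete path -> hits for paths not in the spec
    zombie = Counter()   # spec template -> hits for deprecated routes still in use
    sources = {}         # path or template -> Counter of client addresses
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole run
        path = m["path"].split("?", 1)[0]
        template = match_spec(path, spec)
        if template is None:
            shadow[path] += 1
            sources.setdefault(path, Counter())[m["src"]] += 1
        elif spec[template].get("deprecated"):
            zombie[template] += 1
            sources.setdefault(template, Counter())[m["src"]] += 1
    return {
        "shadow": dict(shadow),
        "zombie": dict(zombie),
        "sources": {k: dict(v) for k, v in sources.items()},
    }


if __name__ == "__main__":
    report = reconcile(SPEC, ACCESS_LOG)
    for kind in ("shadow", "zombie"):
        for route, hits in sorted(report[kind].items()):
            print(f"{kind:6} {route:32} hits={hits} sources={report['sources'][route]}")
```

Two things the output shows that the spec alone never would: `/internal/debug/config` is being served without appearing anywhere in the documentation, and a v1 route that was supposedly retired still has a live consumer. Note that `/api/v2/users/7/export` is flagged even though `/api/v2/users/{id}` is documented, because a path parameter is matched as a single segment; a looser matcher would hide exactly the kind of undocumented sub-route this check exists to find.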
Continuous testing
APIs change constantly through updates, upgrades, feature releases, infrastructure changes and hotfixes, so a single pre-release test tells you little about what is running a month later. Test, test, test, on every change.
Traffic analysis
Understanding API usage patterns and traffic sources helps with capacity planning, optimizing API design and spotting potential security threats, such as a client suddenly calling an endpoint far more often than any legitimate use would require.
Security and access control
API visibility also means monitoring and controlling who accesses your API. Authentication and authorization mechanisms, rate limiting and API keys are essential for preventing unauthorized access. Keep in mind that an API key identifies the calling application, not the end user; it is not a substitute for authenticating and authorizing the person behind the request.
Documentation and version control
A well-documented API gives developers a clear and comprehensive guide to using it: parameters, authentication methods and expected usage. Keeping that documentation under version control alongside the code means the documented inventory tracks what is actually deployed, which is what makes it usable as a security baseline.
Throttling and rate limiting
Implementing throttling and rate limiting policies can help prevent API abuse and overuse and ensure fair access for all users.
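The standard building block for the rate limiting mentioned above is a token bucket kept per API key: each key may burst up to the bucket's capacity and is then refilled at a steady rate, so one abusive client cannot exhaust the quota for everyone. The implementation below is an added example and not code from the article; the capacity, refill rate and key names are assumptions chosen for illustration, and the clock is injectable so the behaviour can be checked deterministically.

```python
"""Per-API-key token-bucket rate limiter with an injectable clock."""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # tokens currently available (1 token = 1 request)
    last: float     # clock reading at the last refill


class RateLimiter:
    """Allow `capacity` requests in a burst, refilling at `rate` tokens per second.

    Each API key has its own bucket. `clock` returns seconds as a float; the
    default is time.monotonic, a fake clock can be supplied for tests.
    """

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.clock = clock
        self.buckets = {}

    def allow(self, api_key):
        """Consume one token for `api_key` if available; return True if the request may proceed."""
        now = self.clock()
        b = self.buckets.get(api_key)
        if b is None:
            b = self.buckets[api_key] = Bucket(tokens=self.capacity, last=now)
        # Refill in proportion to elapsed time, but never above capacity.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(self.capacity, b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, api_key):
        """Seconds until the next request for `api_key` would be allowed (for a Retry-After header)."""
        b = self.buckets.get(api_key)
        if b is None or b.tokens >= 1.0:
            return 0.0
        return (1.0 - b.tokens) / self.rate


class FakeClock:
    """Deterministic clock for the simulation below."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Burst of 7 from one key, 1 from another, then 3 more after a 2-second pause."""
    clock = FakeClock()
    limiter = RateLimiter(capacity=5, rate=1.0, clock=clock)
    burst = [limiter.allow("key-A") for _ in range(7)]       # 5 allowed, 2 rejected
    wait = limiter.retry_after("key-A")                      # 1 token / 1 per second
    other = limiter.allow("key-B")                           # independent bucket
    clock.advance(2.0)                                       # 2 tokens refill
    after_pause = [limiter.allow("key-A") for _ in range(3)]  # 2 allowed, 1 rejected
    return burst, wait, other, after_pause


if __name__ == "__main__":
    print(simulate())
```

When `allow` returns False the API should answer 429 Too Many Requests and set `Retry-After` from `retry_after`, so well-behaved clients back off instead of hammering the endpoint. In a horizontally scaled deployment the buckets need to live in shared storage rather than process memory, otherwise each instance enforces the limit independently.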
Practice safe habits, or anticipate the unexpected?
If a token is hard-coded, if an error message reveals useful internal information, if an endpoint is hidden but not actually protected (security through obscurity), or if input is not validated, ordinary users will find these gaps and hit them often, and malicious users will find and exploit them. Do not plan on everyone playing it safe. To many customers, technology is a tool to be used relentlessly, because they expect it to handle their traffic. A company's job is to anticipate the expectations of thousands, if not millions, of people thinking the same thing. Threat actors, meanwhile, want things to go wrong.
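The four pitfalls above are easiest to recognise side by side with their fixes. The code below is an added example written for this section, not code from the article: a framework-free request handler that exhibits all four problems, followed by the same routes hardened. Requests are plain dicts, the user store and configuration are in-memory dicts, and the token values are constructed placeholders.

```python
"""The pitfalls listed above, then the hardened version of the same handler.

Requests are plain dicts and the data store is an in-memory dict (all constructed),
so the example is framework-free and runs offline.
"""
import hmac
import logging
import os
import re
import traceback

USERS = {"42": {"name": "alice", "plan": "pro"}}                      # constructed
CONFIG = {"db_url": "postgres://app:constructed-password@db/app"}   # constructed

# Pitfall 1: a live credential hard-coded in source (constructed placeholder value).
ADMIN_TOKEN_HARDCODED = "sk_live_abc123"


def vulnerable_handler(req):
    """Return (status, body). Exhibits all four pitfalls from the text."""
    try:
        if req["path"] == "/internal/debug":
            # Pitfall 3: the endpoint is merely hidden; no authentication is checked.
            return 200, {"config": CONFIG}
        if req["path"].startswith("/users/"):
            user_id = req["path"][len("/users/"):]
            # Pitfall 4: unvalidated input goes straight to the data layer.
            return 200, USERS[user_id]
        return 404, {"error": "not found"}
    except Exception:
        # Pitfall 2: the stack trace (exception type, file paths) is sent to the caller.
        return 500, {"error": traceback.format_exc()}


USER_ID_RE = re.compile(r"^[0-9]{1,12}$")


def load_admin_token():
    """Fix 1: the secret comes from the environment or a secret manager, never from source."""
    token = os.environ.get("ADMIN_TOKEN")
    if not token:
        raise RuntimeError("ADMIN_TOKEN is not configured")
    return token


def hardened_handler(req, admin_token):
    """Same routes, hardened. `admin_token` is injected so callers can pass load_admin_token()."""
    try:
        if req["path"] == "/internal/debug":
            presented = req.get("headers", {}).get("Authorization", "")
            expected = f"Bearer {admin_token}"
            # Fix 3: the endpoint is protected, not merely hidden; constant-time comparison.
            if not hmac.compare_digest(presented.encode(), expected.encode()):
                return 401, {"error": "unauthorized"}
            return 200, {"status": "ok"}  # no configuration dump even when authorized
        if req["path"].startswith("/users/"):
            user_id = req["path"][len("/users/"):]
            # Fix 4: validate the shape of the input before it reaches any lookup.
            if not USER_ID_RE.fullmatch(user_id):
                return 400, {"error": "invalid user id"}
            user = USERS.get(user_id)
            if user is None:
                return 404, {"error": "not found"}
            return 200, user
        return 404, {"error": "not found"}
    except Exception:
        # Fix 2: details go to the server log; the client sees only a generic message.
        logging.exception("unhandled error serving %s", req.get("path"))
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    print(vulnerable_handler({"path": "/internal/debug"}))
    print(hardened_handler({"path": "/internal/debug"}, "constructed-token"))
    print(vulnerable_handler({"path": "/users/nope"})[0])
    print(hardened_handler({"path": "/users/nope"}, "constructed-token"))
```

The contrast worth noticing is in the failure paths: the vulnerable handler turns a malformed user id into a 500 carrying a stack trace, and turns knowledge of an undocumented path into a configuration dump. The hardened handler keeps the same functionality but answers the same probes with 400 and 401 and nothing else.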
Build on good policies
While the list above focuses on specific steps, let's step back and return to the high-level view: the policy level. Increase visibility by building the following into your API policy:
- Strategy: Focus first on internal APIs and define actionable business outcomes based on your digital strategy. This will also teach you how to manage outsourced APIs without adding to their complexity.
- Incorporate organizational and user needs: Discover as much as possible what everyone is trying to get out of your product or service (easier said than done!).
- Adapt: Be ready to make changes. There will be routine maintenance and planned upgrades based on customer feedback, but then large-scale technological or societal changes may require sudden and significant changes.
- Measurable goals (SMART): Whether detailed or not, the need for goals that are specific, measurable, achievable, relevant, and time-bound will never go out of style.
- Communicate to stakeholders: Let those with a stake in your product know what’s going on. Know who your stakeholders are – board of directors, executives, developers (internal or contract), customers, prospects – and communicate with them.
Key takeaway
Organizations must embrace API visibility to avoid the pitfalls of intangibility, an unknown inventory and the anxiety caused by the unknown. Is it time consuming? Yes. Can you do it? Yes.