
The 7 questions you should ask your developers to discover all your APIs

In 2002, Bezos supposedly sent his legendary memo, urging all Amazon product teams and departments to make their data and services available over APIs. Since then, many other companies have embraced that approach. 

Today, cloud technology enables us to build and deploy APIs rapidly, so the number of APIs is growing quicker than ever, and the API economy is in full swing. APIs multiply value by making underlying data more accessible for the rest of the company. They can lead to better composability of systems and, in turn, help companies react faster to changes in the market. 

However, it’s not all roses with APIs. While the gains might outweigh the costs, there certainly are costs – and risks. For example, if not properly secured, an API may allow unauthorized access to the data and functionality it exposes. APIs that aren’t officially documented, also known as shadow APIs, can become a huge liability if left unsecure. And having multiple APIs that do the same thing is a waste of resources. 

While it’s important to gain visibility into your organization’s entire API footprint, only 2% of enterprise security leaders feel very confident that they know every API in their organization.

Why? It’s simple: Large companies with dozens of dev teams may have hundreds, or even thousands, of APIs in use. Some are built and used internally; others are supplied by third parties; and some organizations also inherit legacy APIs from a merger, lurking somewhere deep in the acquired company’s infrastructure. APIs increase the complexity of the application stack.

But while you may not know what APIs you have, where they are, who owns them, and what they are used for – someone in the organization probably does. In this post, we’ll cover how you can find all the APIs hiding in your infrastructure by asking the right questions.

What you should ask your developers

The following list of questions will help you get insights into your company’s API stack. 

1. “Do we have an API catalog?”

An API catalog is a library of an organization’s available APIs, used by development teams to manage and share APIs (often through the API developer portal). This is probably the most important question to ask your development team, as the answer will reveal which APIs are most used in your company and by your clients and partners, and therefore represent the biggest potential exposure. Furthermore, the API catalog itself can be leveraged as a security control.

Asking this question will also enable you to find out which teams are responsible for API integration, development, and operations, as you will get the most valuable answers from them. However, while getting started with API visibility is much easier via the API catalog, it doesn’t help you find shadow APIs or understand what APIs are actually used for.

2. “Which APIs do we offer our clients and partners?”

The APIs your clients and partners use are potentially the highest risk due to their level of external visibility. Fortunately, this question is usually a bit simpler to answer because your clients pay for access (at least some of them do). Free APIs are more likely to go unnoticed, though, so make sure you know who uses what and how much they are paying for it.

When mapping APIs exposed to partners, pay special attention to their versions. Often, partners don’t switch to newer versions in order to save on integration costs. As a result, a mature API may still have older versions deployed that were provided to various partners over time. These older versions can pose a risk if they are not properly patched, updated, or monitored.

One great way to gain insights about older API versions is to look at which APIs your oldest customers are using. When mapping client and partner-facing APIs, it’s also important to note the privileges they have, the sensitive data they can access, and the actions they are authorized to do.

3. “Which API management platforms do we use?”

API management (APIM) platforms are used by developers to organize internal and external APIs in a central location, while also providing various analytics, authentication, and security policies through the API gateway. These are all important insights and capabilities to further assess exposure and plan for security.

It’s important to note that APIM platforms offer different features and are optimized for different use cases, so it’s very common for one company to use multiple platforms, especially larger enterprises. This means that even if you are aware of an APIM platform one team is using, it’s very plausible that there are others with different APIs in them – so make sure to inquire about those as well.

4. “How are our APIs documented?”

API documentation is a technical deliverable that contains instructions on how to use and integrate a specific API. Documentation can come in different forms – most commonly, the OpenAPI or JSON Schema specifications, but it can also be a Postman collection with a set of API calls. API documentation helps your users get their work done quickly, without having to nag the API creators during every step of the integration. 

Gaining access to API documentation can shed light on an API’s functionality, including sensitive data and actions, and can uncover shadow APIs that aren’t listed in the catalog or managed through an APIM platform. This is usually the case with older versions, as well as with APIs that were originally internal and became open to third parties without a proper process.

However, API documentation can become outdated, meaning that the actual implementation and access that APIs enable might differ from what’s documented. 
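As an added example (not part of the original post), the check below cross-references a constructed OpenAPI fragment against constructed gateway access-log lines to surface the three gaps questions 2 and 4 describe: undocumented (shadow) endpoints or methods, documented operations that nothing calls, and legacy version prefixes still being served to partners. The spec, the log format and the `/vN/` path layout are assumptions.

```python
import re

# Constructed OpenAPI 3 fragment, as it would look after yaml/json loading (assumption).
SPEC = {
    "paths": {
        "/v2/customers/{id}": {"get": {}, "delete": {}},
        "/v2/orders": {"get": {}, "post": {}},
    },
}

# Constructed gateway access-log lines: "<method> <path> <status>" (assumption).
ACCESS_LOG = """\
GET /v2/customers/1042 200
GET /v2/orders 200
POST /v2/orders 201
GET /v1/customers/77 200
PATCH /v2/customers/1042 200
GET /v2/internal/export 200
"""

VERSION_RE = re.compile(r"^/(v\d+)/")  # assumes versions are a leading path segment


def path_to_regex(template):
    """Compile an OpenAPI path template; each {param} matches exactly one segment."""
    parts = [r"[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")


def audit(spec, log_text):
    """Cross-check documented operations against what the gateway actually served."""
    documented = {(m.upper(), p): path_to_regex(p)
                  for p, ops in spec["paths"].items() for m in ops}
    observed = {tuple(line.split()[:2]) for line in log_text.splitlines() if line.strip()}
    shadow, unused = [], set(documented)
    for method, path in sorted(observed):
        hit = next((k for k, rx in documented.items() if k[0] == method and rx.match(path)), None)
        if hit is None:
            shadow.append((method, path))  # traffic the spec does not describe
        else:
            unused.discard(hit)            # documented and really in use
    spec_versions = {m.group(1) for p in spec["paths"] for m in [VERSION_RE.match(p)] if m}
    seen_versions = {m.group(1) for _, p in observed for m in [VERSION_RE.match(p)] if m}
    return {
        "shadow": shadow,                                          # undocumented endpoint or method
        "documented_but_unused": sorted(unused),                   # stale docs or dead code
        "legacy_versions": sorted(seen_versions - spec_versions),  # e.g. a partner pinned to v1
    }
```

Each finding maps to a follow-up: a shadow entry needs an owner and a spec, an unused entry needs confirmation that the operation is really retired, and a legacy version needs a patch and monitoring status.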

5. “What’s the process of testing APIs?”

Quality assurance is a big topic in API development, and knowing how your APIs are tested can give you insight into their security and performance. When your APIs are being updated, tests can become a key security control by helping you understand what changes are about to be implemented, why, and by whom, so that you can re-evaluate your runtime security controls.


*** This is a Security Bloggers Network syndicated blog from Imvision Blog authored by Omer Primor. Read the original post at: https://blog.imvision.ai/the-7-questions-you-should-ask-your-developers-to-discover-all-your-apis
