SlideShare a Scribd company logo

2022 APIsecure_API Discovery: First step towards API Security

APIsecure_ Official, profile picture
APIsecure_ Official

The document discusses the importance of API discovery in the context of API security, emphasizing the need for tools that can automatically create and maintain an API catalog with essential features such as hierarchical grouping and classification. It highlights the challenges posed by diverse deployment options and microservices architecture, and outlines a minimum feature set for effective API security tools, including open API specifications and conformance analysis. Additionally, it addresses the necessity of tracking sensitive data exposure and integrating workflows to manage potential risks effectively.

Technology
Related topics:
API Security Insights
1 of 12
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
API First step towards API Security Discovery Amod Gupta Product Management, Traceable amod@traceable.ai
GOAL ▪ Define API Discovery in the context of API Security ▪ Minimum set of discovery related features that API Security tools should provide
What makes API discovery challenging ▪ Public cloud ▪ On-premises ▪ Hybrid Deployment Options Microservices architecture has made applications massively distributed Distributed Dev teams are releasing multiple times a week Agile releases
Automatically discover all API endpoints (by inspecting traffic) Group APIs by apps, services, domains etc. so security teams can digest the information Classify APIs as external (public), internal or 3rd party Automatically catalog new APIs and updates to existing APIs API discovery tool should… Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date
Now, that we have an API Catalog, how do we make it actionable
Open API Specification Are APIs being consumed securely? Are APIs being consumed as the developer intended? Are APIs exposing unknown parameters, responses, content-types etc. ? Without Common source of truth between different teams and partners Portability between different security tools Easy to identify which APIs expose sensitive data and where With Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download
Minimum Feature Set We’ve cataloged all the API endpoints We have Open API specifications for them But how do we consume this when there are 1000s of endpoints? CONFORMANCE ANALYSIS Open API spec Developer version ● Missing APIs (Shadow APIs) ● Issues with parameters ● Issues with request/response bodies Open API spec Prod/Test version Doing this at scale… 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale
Sensitive data exposure Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale Catalog of Sensitive Data SSN email age gcp_api_key ip_address credit_card_no address Integrated workflows Detect ● New data exposure ● Policy violations Log ● Create tickets ● Integrations Track & Verify ● Pre-prod environments TIN SIN aws_api_key 4. Sensitive data exposure ● Catalog data types ● Integrated workflows
Risk Score brings it together API Endpoints Risk Score /juiceshop/getorder/{order-id} 8 /juiceshop/create-account 7 /juiceshop/order/checkout/ 5 /juiceshop/account/getaccount/{account-id} 5 /juiceshop/order/notification/ 2 7 Conformance deviations Public or Internal Sensitive Data Exposure HTTP vs HTTPs Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale 4. Sensitive data exposure ● Catalog data types ● Integrated workflows 5. Integrated risk score
Summary API Catalog Automatically create and keep up to date Open API Spec Automatically create and keep up to date Conformance Identify the drift from expected behavior Risk Score Integrated score to identify APIs that need attention Sensitive Data Integrated score to identify APIs that need attention
Questions
THANK YOU

More Related Content

PDF
INTERFACE, by apidays - API Discovery: First step towards API Security
apidays
 
PPTX
What It Takes to Build API Integrations
Nordic APIs
 
PPTX
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
PDF
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
apidays
 
PDF
Build, host and manage your custom API in less than an hour
Jerome Louvel
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
PPTX
API Services: Building State-of-the-Art APIs
Apigee | Google Cloud
 
INTERFACE, by apidays - API Discovery: First step towards API Security
apidays
 
What It Takes to Build API Integrations
Nordic APIs
 
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
Apidays Paris 2023 - Building an Inventory, Maria Teresa Pereira, KPMG Portugal
apidays
 
Build, host and manage your custom API in less than an hour
Jerome Louvel
 
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
API Services: Building State-of-the-Art APIs
Apigee | Google Cloud
 

Similar to 2022 APIsecure_API Discovery: First step towards API Security (20)

PPTX
WaveMaker API Success
WaveMaker, Inc.
 
PDF
2022 APIsecure_Shift Left API Security - The Right Way
APIsecure_ Official
 
PPTX
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
PDF
API testing methdology - OWASP Pune (1).pdf
zerocoool10
 
PDF
Using ap is to gather data
Ke Jiang
 
PDF
Build, Test, Deploy: The Ultimate Handbook for Modern API Development
ScalaCode
 
PPTX
Apache Eagle Strata Hadoop World London 2016
Arun Karthick Manoharan
 
PDF
APImetrics Product Overview March 2015
apimetrics
 
PPTX
API Testing with Frisby and Mocha
Lyudmila Anisimova
 
PDF
Deploy a web API in 15'
Restlet
 
PPTX
apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...
apidays
 
PPTX
Office Add-ins developer community call-July 2019
Microsoft 365 Developer
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
PDF
[Workshop] Managing the API lifecycle with Open Source Technologies
WSO2
 
PDF
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays
 
PDF
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
apidays
 
PDF
Building an API Security Strategy
SmartBear
 
PDF
The ultimate api checklist by Blendr.io
Blendr.io
 
PPTX
Diving into the World of Test Automation The Approach and the Technologies
QASymphony
 
PPTX
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
Curiosity Software Ireland
 
WaveMaker API Success
WaveMaker, Inc.
 
2022 APIsecure_Shift Left API Security - The Right Way
APIsecure_ Official
 
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
API testing methdology - OWASP Pune (1).pdf
zerocoool10
 
Using ap is to gather data
Ke Jiang
 
Build, Test, Deploy: The Ultimate Handbook for Modern API Development
ScalaCode
 
Apache Eagle Strata Hadoop World London 2016
Arun Karthick Manoharan
 
APImetrics Product Overview March 2015
apimetrics
 
API Testing with Frisby and Mocha
Lyudmila Anisimova
 
Deploy a web API in 15'
Restlet
 
apidays Paris 2024 - Do not Live in the Shadow (APIs) - Teresa Pereira, Sieme...
apidays
 
Office Add-ins developer community call-July 2019
Microsoft 365 Developer
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
[Workshop] Managing the API lifecycle with Open Source Technologies
WSO2
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays
 
2022 apidays LIVE Helsinki & North_Event API Products – Maximizing the Value ...
apidays
 
Building an API Security Strategy
SmartBear
 
The ultimate api checklist by Blendr.io
Blendr.io
 
Diving into the World of Test Automation The Approach and the Technologies
QASymphony
 
To Open Banking and Beyond: Developing APIs that are Resilient to every new I...
Curiosity Software Ireland
 
Ad

More from APIsecure_ Official (20)

PPTX
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
PDF
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
APIsecure_ Official
 
PDF
2022 APIsecure_A day in the life of an API; Fighting the odds
APIsecure_ Official
 
PDF
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
APIsecure_ Official
 
PDF
2022 APIsecure_Securing Large API Ecosystems
APIsecure_ Official
 
PDF
2022 APIsecure_Quarterly Review of API Vulnerabilities
APIsecure_ Official
 
PPTX
2022 APIsecure_Top Ten Security Tips for APIs
APIsecure_ Official
 
PPTX
2022 APIsecure_Are your APIs Rugged Enough?
APIsecure_ Official
 
PPTX
2022 APIsecure_Making webhook APIs secure for enterprise
APIsecure_ Official
 
PDF
2022 APIsecure_API Security & Fraud Detection - Are you ready?
APIsecure_ Official
 
PPTX
2022 APIsecure_Monitoring and Responding to API Breaches
APIsecure_ Official
 
PDF
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
APIsecure_ Official
 
PPTX
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
APIsecure_ Official
 
PPTX
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
APIsecure_ Official
 
PPTX
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
PPTX
2022 APIsecure_Hackers with Valid Credentials
APIsecure_ Official
 
PDF
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
APIsecure_ Official
 
PDF
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
APIsecure_ Official
 
PDF
2022 APIsecure_Harnessing the Speed of Innovation
APIsecure_ Official
 
PPTX
2022 APIsecure_We’re Not in AppSec Anymore Toto
APIsecure_ Official
 
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
APIsecure_ Official
 
2022 APIsecure_A day in the life of an API; Fighting the odds
APIsecure_ Official
 
2022 APIsecure_Passwordless Multi-factor Authentication Security and Identity
APIsecure_ Official
 
2022 APIsecure_Securing Large API Ecosystems
APIsecure_ Official
 
2022 APIsecure_Quarterly Review of API Vulnerabilities
APIsecure_ Official
 
2022 APIsecure_Top Ten Security Tips for APIs
APIsecure_ Official
 
2022 APIsecure_Are your APIs Rugged Enough?
APIsecure_ Official
 
2022 APIsecure_Making webhook APIs secure for enterprise
APIsecure_ Official
 
2022 APIsecure_API Security & Fraud Detection - Are you ready?
APIsecure_ Official
 
2022 APIsecure_Monitoring and Responding to API Breaches
APIsecure_ Official
 
2022 APIsecure_Exploiting multi-step business logic vulnerabilities in APIs
APIsecure_ Official
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
APIsecure_ Official
 
2022 APIsecure_Realizing the Full Cloud Native Potential With a Multi-Layered...
APIsecure_ Official
 
2022 APIsecure_From Shift Left to Full Circle - A Pragmatic Approach to Catch...
APIsecure_ Official
 
2022 APIsecure_Hackers with Valid Credentials
APIsecure_ Official
 
2022 APIsecure_API Abuse - How data breaches now and in the future will use A...
APIsecure_ Official
 
2022 APIsecure_Understanding API Abuse With Behavioral Analytics
APIsecure_ Official
 
2022 APIsecure_Harnessing the Speed of Innovation
APIsecure_ Official
 
2022 APIsecure_We’re Not in AppSec Anymore Toto
APIsecure_ Official
 
Ad

Recently uploaded (20)

PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
A Presentation on Artificial Intelligence
memembruh336
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Teaching material agriculture food technology
LiaRayya
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

2022 APIsecure_API Discovery: First step towards API Security

  • 1. API First step towards API Security Discovery Amod Gupta Product Management, Traceable amod@traceable.ai
  • 2. GOAL ▪ Define API Discovery in the context of API Security ▪ Minimum set of discovery related features that API Security tools should provide
  • 3. What makes API discovery challenging ▪ Public cloud ▪ On-premises ▪ Hybrid Deployment Options Microservices architecture has made applications massively distributed Distributed Dev teams are releasing multiple times a week Agile releases
  • 4. Automatically discover all API endpoints (by inspecting traffic) Group APIs by apps, services, domains etc. so security teams can digest the information Classify APIs as external (public), internal or 3rd party Automatically catalog new APIs and updates to existing APIs API discovery tool should… Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date
  • 5. Now, that we have an API Catalog, how do we make it actionable
  • 6. Open API Specification Are APIs being consumed securely? Are APIs being consumed as the developer intended? Are APIs exposing unknown parameters, responses, content-types etc. ? Without Common source of truth between different teams and partners Portability between different security tools Easy to identify which APIs expose sensitive data and where With Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download
  • 7. Minimum Feature Set We’ve cataloged all the API endpoints We have Open API specifications for them But how do we consume this when there are 1000s of endpoints? CONFORMANCE ANALYSIS Open API spec Developer version ● Missing APIs (Shadow APIs) ● Issues with parameters ● Issues with request/response bodies Open API spec Prod/Test version Doing this at scale… 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale
  • 8. Sensitive data exposure Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale Catalog of Sensitive Data SSN email age gcp_api_key ip_address credit_card_no address Integrated workflows Detect ● New data exposure ● Policy violations Log ● Create tickets ● Integrations Track & Verify ● Pre-prod environments TIN SIN aws_api_key 4. Sensitive data exposure ● Catalog data types ● Integrated workflows
  • 9. Risk Score brings it together API Endpoints Risk Score /juiceshop/getorder/{order-id} 8 /juiceshop/create-account 7 /juiceshop/order/checkout/ 5 /juiceshop/account/getaccount/{account-id} 5 /juiceshop/order/notification/ 2 7 Conformance deviations Public or Internal Sensitive Data Exposure HTTP vs HTTPs Minimum Feature Set 1. Automatically create an API Catalog ● Hierarchical grouping ● Classification of APIs ● Up to date 2. Open API spec for API endpoints ● Create ● Download 3. Conformance analysis to identify high priority issues at scale 4. Sensitive data exposure ● Catalog data types ● Integrated workflows 5. Integrated risk score
  • 10. Summary API Catalog Automatically create and keep up to date Open API Spec Automatically create and keep up to date Conformance Identify the drift from expected behavior Risk Score Integrated score to identify APIs that need attention Sensitive Data Integrated score to identify APIs that need attention