Lack of API visibility undermines basic principle of security

As seen on Help Net Security.

One of the oldest principles of security is that you cannot secure what you cannot see. Visibility has always been the starting point for monitoring and protecting the attack surface and valuable resources. Various technical challenges have arisen over the years: the shift to “let it all in” HTTP back in the late 90s, the subsequent advent and then common usage of encrypted traffic, the rise of shadow IT and of groups or employees empowered to incorporate their own applications, devices and data services, and more. Such challenges have necessitated new approaches to visibility.

With so much core business depending on interconnecting processes and data via APIs, the new visibility challenge requires that companies know which APIs they expose externally and internally and how those APIs should behave.

Most organizations are aware of only a portion of their APIs and typically grossly underestimate the actual number. Discovering all APIs eludes nearly all organizations. Most attempt to catalog their APIs and, ideally, annotate them with descriptions and details. Even from the outset this is a massive task that manages to identify only a portion of those in use, according to our audits of various enterprises.

To make matters worse, identifying and cataloging APIs is a moving target that requires constant monitoring and vigilance. Many enterprises are adding new APIs or changing existing APIs every week, with most of these coming from efforts not sanctioned or managed by the IT or security organizations.

Most organizations have no way of even knowing how many APIs they have, let alone what they are and how they are used. Traditional tools, such as WAFs and API gateways, were built for a different purpose and lack the ability to discover APIs and provide a complete inventory of them.


About Neosec

Neosec is reinventing application security with a powerful platform that unifies security and development teams to protect modern applications from threats. The foundation of the SaaS platform is built on data and analytics to manage security at scale. Neosec prevents threats from abusing the complex network of APIs that connect today's businesses. The platform helps organizations discover every API and audit risk. Neosec has pioneered the use of behavioral analytics to understand normal versus abnormal API usage and delivers powerful threat hunting capabilities. Neosec prevents threats and stops abuse hiding within APIs and brings new intelligence to application security. Neosec is based in Palo Alto, California with R&D in Tel Aviv, Israel. To learn more, visit Neosec.com.
