As seen on HelpNet Security.
One of the oldest principles of security is that you cannot secure what you cannot see. Visibility has always been the starting place for monitoring and protecting attack surface and valuable resources. Various technical challenges have come to bear over the years—the shift to “let it all in” HTTP back in the late 90s, the subsequent advent and then common usage of encrypted traffic, the rise of shadow IT and groups or employees empowered to incorporate their own applications, devices and data services, and more. Such challenges have necessitated new approaches to visibility.
The new visibility challenge, with so much core business depending on interconnecting processes and data via APIs, requires that companies need to know what APIs they expose externally and internally and how they should behave.
Most organizations are only aware of a portion of their APIs and typically grossly underestimate the actual number. Discovering all APIs eludes nearly all organizations. Most attempt to catalog their APIs and ideally append them with descriptions and details. Even from the onset this is a massive task that manages to identify only a portion of those in use, according to our audits of various enterprises.
To make matters worse, identifying and cataloging APIs is a moving target that requires constant monitoring and vigilance. Many enterprises are adding new APIs or changing existing APIs every week, with most of these coming from an effort not sanctioned or managed by the IT or security organizations.
Most organizations have no way of even knowing how many APIs they have, let alone what they are and how they are used. Traditional tools, such as WAFs and API Gateways were built for a different purpose and lack the ability to discover APIs and provide a complete inventory of them.