The Evolving Attack Surface

Effective Attack Surface Management – Three Steps to Overcoming the Challenge of API Vulnerabilities

“The vulnerability management industry is simply not mature in API discovery. The good news is that in 2022, there are repeatable approaches and solutions that have solved the historically complex problem of discovery of unknown and shadow APIs.”

The enterprise attack surface is a continuous challenge for any Vulnerability Management (VM) program: it is not only large but constantly changing. Anything facing the public internet, including cloud deployments, data centers, firewalls, IoT devices, servers and web services, is potentially attackable. APIs, however, are a different beast. They require a fundamentally different approach, and, frankly, the industry is not mature in managing the special case of APIs.

What Makes APIs so Challenging – Can We Talk?

Not to be dismissive, but conventional web and IP-level exposures are handled well by standard scanning tools. In the context of Attack Surface Management, exposures such as an internet-facing administrator console or an exposed internal database are relatively straightforward to detect, and mature solutions exist for them. APIs are a different breed of animal.

The principal challenge is that the security specialist needs to “talk” to an API. API issues cannot be detected with port-scanning-only solutions; a multi-layer probing approach is required. An API typically listens on the same ports as ordinary web content (usually 80 and 443), so a port scanner sees nothing more than an open web port, and the API “hides” behind it, unfound by typical port-scanning technology.

Even once found, APIs are constantly changing. Changes on the backend can expose new sensitive data, and changes to the application present new risks altogether. Traditional network and application scanning tools were not built for this kind of complexity.

The Solution – A Three-Phase Approach

To talk to an API for detection purposes, a full-stack probing technology needs to be deployed that looks for APIs across the web application and network stack.

To provide total visibility, a three-phase approach is recommended:

Phase 1 Passive – Analyze the estate for indicators of APIs without interacting with the targets, for example API-like hostnames or endpoints referenced in client-side code.

Phase 2 Interaction – To discover unknown and shadow APIs effectively, run continuous asset profiling against all available external addresses, with multi-layered checks applied to every live service.

Phase 3 Assessment and Enumeration – Once API discovery is complete, run custom API security assessments against all live services. These are API-specific security checks that determine the security posture of the discovered APIs.
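The three phases above, as an added example in Python (not code from the whitepaper or from Edgescan). Every host, HTTP response and path is constructed for the example, probe() stands in for a real HTTPS request so the script runs offline, and the names ESTATE, RESPONSES, WELL_KNOWN, classify() and the finding labels are this example's own. The point it makes is the one in the text: a port scan shows the same open web port on all three hosts, the legacy host has no passive indicator at all, and it is found only by interacting with it.

```python
"""Toy walk-through of the three discovery phases. Every host, response and
path is constructed for this example; probe() stands in for a real HTTPS
request so the script runs offline. All names here are the example's own."""
import json
import re

# Phase 1 inputs gathered without touching the targets: hostnames (DNS or
# certificate SANs) and a client-side JS bundle that references endpoints.
ESTATE = {
    "hostnames": ["www.example.test", "api.example.test", "legacy.example.test"],
    "js_bundles": {"www.example.test": "fetch('/v2/orders').then(r=>r.json()); axios.get('/graphql')"},
}

# Phase 2 ground truth keyed by (host, path) -> (status, headers, body). A port
# scanner reports "443/tcp open" for all three hosts; only the HTTP layer tells
# an API from a brochure site. legacy.example.test has no passive indicator.
J = {"content-type": "application/json"}
H = {"content-type": "text/html"}
RESPONSES = {
    ("www.example.test", "/"): (200, H, "<html>home</html>"),
    ("www.example.test", "/v2/orders"): (401, dict(J, **{"www-authenticate": "Bearer"}), '{"error":"unauthorized"}'),
    ("www.example.test", "/graphql"): (400, J, '{"errors":[{"message":"Must provide query string."}]}'),
    ("api.example.test", "/"): (404, J, '{"message":"not found"}'),
    ("api.example.test", "/openapi.json"): (200, J, '{"openapi":"3.0.1","paths":{"/users":{}}}'),
    ("legacy.example.test", "/"): (200, H, "<html>welcome</html>"),
    ("legacy.example.test", "/api/v1/customers"): (200, J, '[{"id":1,"email":"a@example.test"}]'),
}
# Paths worth trying on every live web service regardless of passive hints.
WELL_KNOWN = ["/", "/openapi.json", "/swagger.json", "/api/v1/customers", "/graphql"]


def probe(host, path):
    """Stand-in for an HTTP GET; returns (status, headers, body) or None."""
    return RESPONSES.get((host, path))


def passive_indicators(estate):
    """Phase 1: map host -> paths to try, using only passively gathered data."""
    candidates = {}
    for host in estate["hostnames"]:
        paths = set()
        if host.split(".")[0] in ("api", "gateway", "graphql"):
            paths.add("/")  # the hostname itself suggests an API
        for m in re.finditer(r"""['"](/[a-z0-9_./-]+)['"]""", estate["js_bundles"].get(host, "")):
            paths.add(m.group(1))  # endpoints the front end calls
        if paths:
            candidates[host] = paths
    return candidates


def classify(status, headers, body):
    """Return the API indicators visible in one HTTP response."""
    indicators = []
    if "json" in headers.get("content-type", ""):
        indicators.append("json-content-type")
    if "www-authenticate" in headers:
        indicators.append("auth-challenge:" + headers["www-authenticate"])
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        if "openapi" in doc or "swagger" in doc:
            indicators.append("openapi-spec")
        if "errors" in doc:  # GraphQL-style error envelope
            indicators.append("graphql-error-envelope")
    return indicators


def interact(hosts, candidates):
    """Phase 2: probe every live host with well-known paths plus passive hints."""
    inventory = {}
    for host in hosts:
        for path in sorted(set(WELL_KNOWN) | candidates.get(host, set())):
            resp = probe(host, path)
            if resp is None:
                continue
            found = classify(*resp)
            if found:
                inventory[(host, path)] = {"status": resp[0], "indicators": found, "body": resp[2]}
    return inventory


def assess(inventory):
    """Phase 3: API-specific posture checks on what phase 2 discovered."""
    findings = []
    for (host, path), info in inventory.items():
        if "openapi-spec" in info["indicators"]:
            findings.append((host, path, "public-spec-aids-enumeration"))
        elif info["status"] == 200 and "json-content-type" in info["indicators"]:
            doc = json.loads(info["body"])
            if isinstance(doc, list) and doc:  # records served with no auth challenge
                findings.append((host, path, "unauthenticated-data-exposure"))
    return findings


def run(estate):
    """Chain the three phases; returns (candidates, inventory, findings)."""
    candidates = passive_indicators(estate)
    inventory = interact(estate["hostnames"], candidates)
    return candidates, inventory, assess(inventory)


if __name__ == "__main__":
    for finding in run(ESTATE)[2]:
        print("finding", finding)
```

Running it, phase 1 flags only www (from its JS bundle) and api (from its name); phase 2 still probes every live host and turns up /api/v1/customers on the legacy host, the shadow API that no passive signal pointed at; phase 3 then reports that endpoint as serving records with no authentication challenge. In a real deployment probe() would issue the request and WELL_KNOWN would be a much longer list, but the shape of the pipeline is the same.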

 

 

Bonus Lesson – Extending ASM with VM – A Three-Layered Approach

Of course, no matter how accurate and continuous your Attack Surface Management (ASM) program is, you must still manage risk by accurately identifying vulnerabilities as they occur across the full technology stack, then assessing their impact and resolving them in a timely manner. So, just as we suggested a three-phase approach to API discovery, we also suggest layering three basic approaches with VM:

Layer 1 – ASM – Continuously and accurately detect and assess your attack surface, including the challenging case of APIs. What can potentially be hacked?

Layer 2 – Vulnerability Management – Continuously and accurately detect vulnerabilities and exposures across the full stack. Rank them by business impact and integrate tightly with support operations to ensure timely remediation of what matters most. What weaknesses do we have?

Layer 3 – Penetration Testing – Armed with ASM and VM intelligence, perform laser-focused resilience tests on:

  • Areas of concern
  • Complex areas not suited to automation, such as business logic, to determine whether potential issues are real
  • Attempts to break the application's business logic, going the extra step so that findings are fully validated. What can a skilled attacker do?

Proactive API Management 

Scanning tools are all the rage for enterprise ASM and VM. But despite the temptation to fixate on point scanning tools as one's Vulnerability Management (VM) solution, it does not take a huge conceptual leap to see that a VM program is easier to run effectively if rogue attack surface exposures, APIs included, are detected and shut down before incidents start to happen. Yet the industry remains highly reactive with API vulnerability management. Smart VM means having smart ASM. APIs can be the most challenging case, but, with the right approach, they can be managed just as proactively and effectively.

