The enterprise attack surface is a continuous challenge for any Vulnerability Management (VM) program. Not only is it constantly changing, it is continuously evolving. Anything facing the public internet, including cloud deployments, data centers, firewalls, IoT devices, servers and web services, is potentially attackable. But APIs are a different beast. They require a fundamentally different approach. And frankly, the industry is not mature in managing the special case of APIs.
What Makes APIs So Challenging – Can We Talk?
Not to be dismissive, but web and IP exposures are more easily dealt with using standard scanning tools. Exposures such as an exposed administrator console or an internal database are, in the context of Attack Surface Management, relatively straightforward to handle, and there are mature solutions for them. APIs are a different breed of animal.
The principal challenge is that the security specialist needs to “talk” to an API. API issues cannot be detected with port-scanning-only solutions; a multi-layer probing approach is required. APIs can “hide” behind regular web ports without being found by typical port-scanning technologies.
Even once found, APIs are constantly changing. Changes on the backend can expose new sensitive data, and changes to the application present new risks altogether. Traditional network and application scanning tools were not made for this kind of complexity.
The Solution – A Three-Phase Approach
To talk to an API for detection purposes, a full-stack probing technology needs to be deployed that looks for APIs across the web application and network stack.
To provide total visibility, a three-phase approach is recommended:
Phase 1 Passive – Analyze the estate looking for indicators of APIs.
Phase 2 Interaction – To effectively discover unknown and shadow APIs, continuous asset profiling must be run against all available external addresses, integrated with multilayered checks applied to all live services.
Phase 3 Assessment and Enumeration – After API discovery has been completed, run custom API security assessments against all live services. These are specific API security checks that determine the security posture of the discovered APIs.
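As an added illustration of the Phase 1 passive step and the hand-off to Phase 2 (example code written for this article, not Edgescan's own tooling), the script below scores already-captured HTTP responses for API indicators and keeps only the hosts and paths that reach a threshold, so that interaction checks are spent on likely API endpoints rather than every web port. The Observation format, the indicator heuristics and the threshold are assumptions; header names are assumed to be lower-cased by whatever collected the responses.

```python
"""Passive API-indicator scoring over captured HTTP responses (Phase 1 triage)."""
import json
import re
from dataclasses import dataclass

# Path segments commonly used by REST/GraphQL endpoints (assumed heuristic list).
API_PATH = re.compile(r"(^|/)(api|rest|graphql|v\d+)(/|$)", re.IGNORECASE)
# Response headers that ordinary web pages rarely set but APIs often do.
API_HEADERS = ("x-ratelimit-limit", "x-api-version", "x-request-id")
SPEC_KEYS = ("openapi", "swagger")  # top-level keys of a published API description


@dataclass
class Observation:
    host: str
    path: str
    status: int
    headers: dict  # header names lower-cased by the collector (assumption)
    body: str


def api_indicators(obs):
    """Return the passive indicators suggesting that `obs` came from an API endpoint."""
    found = []
    ctype = obs.headers.get("content-type", "").lower()
    if ctype.startswith(("application/json", "application/problem+json", "application/xml")):
        found.append("api-content-type")
    if API_PATH.search(obs.path):
        found.append("api-path")
    if any(h in obs.headers for h in API_HEADERS):
        found.append("api-headers")
    if "bearer" in obs.headers.get("www-authenticate", "").lower():
        found.append("bearer-auth-challenge")  # token-based auth is typical of APIs
    try:
        doc = json.loads(obs.body)
    except ValueError:  # HTML, empty or otherwise non-JSON body
        doc = None
    if isinstance(doc, (dict, list)):
        found.append("json-body")
        if isinstance(doc, dict) and any(k in doc for k in SPEC_KEYS):
            found.append("openapi-spec")  # the service publishes its own contract
    return found


def triage(observations, threshold=2):
    """Group by host the paths that reach `threshold` indicators: Phase 2 candidates."""
    hits = {}
    for obs in observations:
        indicators = api_indicators(obs)
        if len(indicators) >= threshold:
            hits.setdefault(obs.host, []).append((obs.path, indicators))
    return hits
```

The constructed responses fed to triage come from your own capture of your own estate; the result is a shortlist, not a verdict, which is why Phase 2 still interacts with each candidate.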
Bonus Lesson – Extending ASM with VM – A Three-Layered Approach
But of course, no matter how accurate and continuous your Attack Surface Management (ASM) program is, one must still manage risk by accurately identifying vulnerabilities as they occur across the full technology stack, then assess their impact and resolve them in a timely manner. So just as we suggested a three-phase approach to API discovery, we also suggest layering in three basic approaches with VM:
Layer 1 – ASM – continuously and accurately detect and assess your attack surface, including the challenging case of APIs. What can potentially be hacked?
Layer 2 – Vulnerability Management – continuously and accurately detect all vulnerabilities and exposures across the full stack. Rank them by business concern and integrate tightly with support operations to ensure timely remediation of what matters most. What weaknesses do we have?
Layer 3 – Penetration Testing – armed with ASM and VM intelligence, perform laser-focused resilience tests on:
- Areas of concern
- Complex areas not suitable for automation, such as business logic, to determine the validity of any potential issues
- And, as the extra step toward 100% validation, breaking the business logic of applications. What can a skilled attacker do?
Proactive API Management
Scanning tools are all the rage for enterprise ASM and VM. But despite the temptation to fixate on point scanning tools for one’s Vulnerability Management (VM) solution, it does not take a huge conceptual leap to see that a VM program is easier to run effectively if rogue attack surface exposures, APIs included, are detected and shut down before incidents start to happen. Yet the industry remains highly reactive in API vulnerability management. Smart VM means having smart ASM. APIs can be the most challenging, but with the right approach they can be managed just as proactively and effectively.
Want to learn more about best practices for External Attack Surface Management? See Edgescan/The Evolving Attack Surface.