Blog, News, Whitepapers

Effective Attack Surface Management – Three Steps to Overcoming the Challenge of API Vulnerabilities

The enterprise attack surface is a continuous challenge for any Vulnerability Management (VM) Program. Not only is it constantly changing, its continuously evolving. Anything facing public internets including Cloud deployments, Data Centers, Firewalls, IOT Devices, Servers and Web Services is potentially attackable. But API’s are a different beast. They require a fundamentally different approach. And frankly, the industry is not mature in managing the special case of API’s.  

 

What Makes API’s so Challenging – Can We Talk? 

Not to be dismissive but Web and IP are more easily dealt with just standard scanning tools. Exposures related to things like the Administrator Console or Internal Databases in the context of Attack Surface Management are relatively straightforward to handle and there are mature solutions to deal with them. API’s are a different breed of animal. 

 

The principal challenge is that the security specialist needs to “talk” to an API. One cannot detect API issues with port scanning-only type solutions – it requires a multi-layer probing approach. API’s can “hide” behind regular web ports without being found by typical port scanning technologies.  

 

Even when found, API’s are constantly changing. Changes on the backend can expose new sensitive data and changes to the application present new risks altogether. Traditional Network and Application scanning tools were not made for this kind of complexity. 

 

 

The Solution – A Three-Stepped Phased Approach 

In order to talk to an API for detection purposes, a full stack probing technology needs to be deployed where it looks for API’s across the web application and network stack.  

 

To provide total visibility – a three-phased approach is recommended: 

 

Phase 1 Passive – Analyze the estate looking for indicators of APIs. 

 

Phase 2 Interaction – To effectively discover unknown and shadow API’s, continuous asset profiling must be run against all available external addresses integrated with multilayered checks applied to all live services. 

 

Phase 3 Assessment and Enumeration – After API discovery has been completed, run custom API security assessments against all live services. These are specific API security checks to determine the security posture of the discovered API’s. 

 

 

Bonus Lesson – Extending ASM with VM – A Three-Layered Approach 

 

But of course, no matter how accurate and continuous your Attack Surface Management (ASM) program is – one must still manage risk by accurately identifying vulnerabilities as they occur across the full technology stack. And then one must assess their impact and resolve them in a timely manner.  So just as we suggested a three-step approach to API discovery, we also suggest layering in three basic approaches with VM: 

 

Layer 1 – ASM – continuously and accurately detect and assess your attack surface including the challenging case of API’s. What can be potentially hacked? 

 

Layer 2 – Vulnerability Management – continuously and accurately detect all vulnerabilities and exposures across the full stack. Rank them by business concerns and tightly integrate with support operations to ensure timely remediation on what matters most.. What weaknesses do we have? 

Layer 3 – Penetration Testing – armed with ASM and VM intelligence, perform laser-focused resilience tests on: 

  • Areas of concern 
  • Complex areas not suitable for automation such as business logic, to determine the validity of any potential issues 
  • And take the extra step of breaking the business logic of applications for 100% validation. What can a skilled attacker do? 

  

  

Proactive API Management 

Scanning tools are all the rage for Enterprise ASM and VM. But despite the temptation of fixating on point scanning tools for one’s Vulnerability Management (VM) solution – it does not take a huge conceptual leap to think it would be easier to effectively run a VM program if one detects and shuts down rogue attack surface exposures including API’s even before the incidents start to happen. Yet the industry remains highly reactive with API vulnerability management. Smart VM means having Smart ASM. API’s can be the most challenging but, with the right approach, they can be managed just as proactively and effectively. 

 

 

Want to learn more about Best Practices for Attack Surface Management? Click Edgescan/The Evolving Attack Surface. 

Posted April 14, 2022 in NEWS

Theo

theo.g@edgescan.com

Marketing Executive of Edgescan

Recent News

Native Cloud Integration for ASM and Vulnerability Management
Nov 21, 2022

Native Cloud Integration for ASM and Vulnerability Management

How Cyber Smart Are You? Edgescan’s Cybersecurity Checklist
Oct 19, 2022

How Cyber Smart Are You? Edgescan’s Cybersecurity Checklist

What is PTaaS (Penetrating Testing as a Service)?
Oct 17, 2022

What is PTaaS (Penetrating Testing as a Service)?