APIs are a crucial part of modern applications, facilitating connectivity and powering mobile and web applications. They are ubiquitous, with large enterprises operating with tens of thousands of APIs and even small organizations having a surprising number, both internal and external. However, many organizations lack accurate context into the sheer scale and volume of APIs across their infrastructure, leading to potential security risks due to the absence of discovery mechanisms.
Understanding the volume of resources required and creating stronger API testing policies is essential. To derive the most value from API discovery and accumulate accurate, reliable data, a new approach is needed as existing methods are often incomplete. Traditionally, API discovery has been carried out using tools that sit on API gateways and monitor traffic, resulting in an inefficient way to understand an organization’s entire API ecosystem.
Leveraging source code repositories is necessary to unlock a comprehensive view of an enterprise’s attack surface and accurately determine the breadth and depth of their accompanying risk. Connecting directly to an organization’s code repository will enable security teams to identify repositories that contain web applications or APIs and prioritize testing for repositories with a higher volume of assets. This process also helps in setting appropriate security testing mechanisms that occur in a timely manner.
Additionally, it is important to secure all APIs, not just the internet-facing ones, to have an effective security program and scale security measures across internal APIs. Conducting API discovery at the source code level can help organizations create accurate API inventories and facilitate collaboration between security and development teams. As attackers increasingly target APIs, discovery is crucial to derive comprehensive insights into an organization’s attack surface.
Existing methods, such as monitoring API gateway traffic, fall short in uncovering APIs beyond those that are active. Taking an inside-out approach to discovery from source code is the only way to provide security teams with an accurate and complete picture of their attack surface, strengthening their ability to prioritize APIs and applications for security testing.