API Discovery
In cybersecurity, API Discovery refers to the systematic process of identifying and cataloging all Application Programming Interfaces (APIs) that an organization owns, operates, or indirectly exposes. This includes both sanctioned (known and approved) and unsanctioned (unknown or shadow IT) APIs, regardless of whether they are internal-facing (used within the organization) or external-facing (exposed to partners, clients, or the public internet).
API Discovery in cybersecurity aims to completely and accurately inventory an organization's API landscape, which is often a significant and expanding attack surface. It's built on the principle that "you can't secure what you don't know exists."
Key aspects and methods of API Discovery include:
Internal Discovery: Analyzing internal network traffic, API gateway logs, code repositories, development environments, and configuration files to find APIs used within the organization. This often reveals APIs created for specific projects but never formally documented or decommissioned.
External Discovery (Reconnaissance): Scanning the public internet, analyzing DNS records, inspecting web applications for API calls, reviewing mobile application code, and looking at public documentation (e.g., Swagger/OpenAPI specifications) to identify APIs exposed outside the corporate perimeter. This perspective is crucial because attackers primarily target externally discoverable APIs.
Traffic Analysis: Monitoring network traffic (both internal and external) to observe API calls, identify endpoints, and understand API behavior.
Code Analysis: Automated scanning of source code and compiled binaries to identify API endpoints, parameters, and potential vulnerabilities within the code itself.
Information typically discovered about APIs includes:
API endpoints (URLs)
Authentication mechanisms (e.g., API keys, OAuth, token types)
HTTP methods supported (GET, POST, PUT, DELETE, etc.)
Request and response structures (parameters, data formats)
Associated services or databases
Developer documentation or specifications
Why API Discovery Matters for Cybersecurity:
Attack Surface Management: APIs represent direct entry points into an organization's data and systems. Undiscovered or undocumented APIs are significant blind spots attackers can exploit without detection.
Shadow API Identification: Employees or departments might deploy APIs without a formal security review, creating "shadow APIs" that bypass security controls and governance.
Vulnerability Assessment: Once APIs are identified, they can be subjected to security testing (e.g., penetration testing, DAST/SAST) to uncover flaws like broken authentication, insecure direct object references, or excessive data exposure.
Data Governance & Compliance: APIs often facilitate the flow of sensitive data. Knowing all APIs helps ensure data privacy, residency, and regulatory compliance (e.g., GDPR, HIPAA, PCI-DSS).
Incident Response: A complete API inventory is vital for understanding the scope of a breach if an API is compromised and for taking quick, decisive action.
Third-Party Risk: Organizations must discover APIs that their vendors and partners expose, as these can introduce supply chain risks.
API Discovery is the foundational step towards establishing comprehensive API security, ensuring an organization has full visibility and control over all its digital interfaces.
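To make the inventory and shadow-API ideas above concrete, here is an added example (it is not part of the original page and is not ThreatNG code): it reads the operations an organization documents in an OpenAPI specification, extracts the operations actually observed in an API gateway access log, and reports traffic that no documented path covers, plus documented operations that declare no security requirement. The specification, the log lines and every endpoint name are constructed for the example.

```python
import json
import re

# Constructed sample: the minimal OpenAPI 3 document an organization publishes.
OPENAPI_SPEC = json.loads("""{
  "paths": {
    "/v1/users/{id}": {"get": {"security": [{"bearerAuth": []}]},
                       "delete": {"security": [{"bearerAuth": []}]}},
    "/v1/health": {"get": {}}
  }
}""")

# Constructed sample API gateway access log lines (Common Log Format style).
GATEWAY_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /v1/users/42?fields=email HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "POST /v1/users/42/export HTTP/1.1" 200 9012
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def documented_operations(spec):
    """Yield (METHOD, template, compiled regex, operation) for every spec operation."""
    for template, item in spec.get("paths", {}).items():
        # "/v1/users/{id}" becomes ^/v1/users/[^/]+$ so concrete paths can be matched.
        parts = re.split(r"\{[^/}]+\}", template)
        pattern = re.compile("^" + "[^/]+".join(map(re.escape, parts)) + "$")
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield (method.upper(), template, pattern, op)

def unauthenticated_operations(spec):
    """Documented operations with no security requirement, per-operation or global."""
    global_security = spec.get("security", [])
    return [(m, t) for m, t, _, op in documented_operations(spec)
            if not op.get("security", global_security)]

def observed_operations(log_text):
    """Distinct (METHOD, path) pairs seen in the gateway log, query strings dropped."""
    pairs = [(m.group("method"), m.group("target").split("?", 1)[0])
             for m in map(LOG_RE.search, log_text.splitlines()) if m]
    return list(dict.fromkeys(pairs))

def find_shadow_operations(spec, log_text):
    """Traffic operations that no documented (method, path template) covers."""
    documented = list(documented_operations(spec))
    return [(method, path) for method, path in observed_operations(log_text)
            if not any(method == m and pat.match(path) for m, _, pat, _ in documented)]
```

Running the same comparison against real gateway logs and the specs in a repository turns "undocumented endpoint seen in traffic" into a concrete finding that can be ticketed, reviewed and either documented or decommissioned.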
ThreatNG helps with API Discovery by providing a comprehensive, external, and attacker-centric view of an organization's API landscape, including discovering and assessing shadow APIs and API-related vulnerabilities.
1. External Discovery: ThreatNG performs purely external, unauthenticated discovery without needing connectors. This is fundamental for API discovery as it identifies publicly accessible APIs, even if they are not internally documented or are part of "shadow IT."
Example: ThreatNG can identify publicly exposed API endpoints for an organization's web applications or mobile apps by analyzing and inspecting JavaScript files and mapping related subdomains. It can even uncover APIs associated with unsanctioned SaaS services used by employees.
2. External Assessment: ThreatNG provides assessment ratings that directly quantify the security posture and risks associated with discovered APIs from an external perspective:
Web Application Hijack Susceptibility: ThreatNG analyzes externally accessible parts of web applications, including their APIs, to identify potential entry points for attackers.
Example: An API endpoint handling user authentication for a web application might be assessed as highly susceptible if ThreatNG identifies that it lacks proper rate limiting (via response headers) or is vulnerable to common web exploits like SQL injection or cross-site scripting (XSS), indicating a weak API security posture.
Cyber Risk Exposure: This score considers parameters like sensitive ports and "Code Secret Exposure".
Example: ThreatNG can identify an API endpoint running on a sensitive port (e.g., an unusual port open to the internet) or uncover a public code repository containing exposed API keys or other credentials that could grant unauthorized access to an API. This directly indicates a high cyber risk exposure from an API perspective.
Mobile App Exposure: ThreatNG evaluates an organization’s mobile app exposure by discovering them in marketplaces and analyzing their contents for Access Credentials APIs, AWS API Keys, Google API Keys, GitHub Access Tokens, and Stripe APIs.
Example: ThreatNG can discover a mobile app where API keys are hardcoded directly within its publicly available code, exposing those APIs to potential unauthorized access or data exfiltration if the backend API isn't perfectly secured.
3. Reporting: ThreatNG provides clear reports on discovered APIs and their associated risks, essential for inventory, vulnerability management, and strategic decision-making:
Inventory Report: Can list all discovered external APIs along with their associated domains, subdomains, and technologies, helping to create a comprehensive, attacker-centric API inventory.
Prioritized Report: Can highlight APIs with critical vulnerabilities or exposed secrets as high-priority risks, guiding immediate security efforts.
Example: The report might flag a specific API endpoint due to exposed API keys in public code, giving it a critical priority for immediate remediation.
Security Ratings Report: Reflects the impact of API-related exposures on the organization's overall external security posture.
Example: A low Mobile App Exposure or Cyber Risk Exposure score could indicate widespread insecure API practices, prompting strategic investment in API security.
4. Continuous Monitoring: ThreatNG offers "Continuous Monitoring of external attack surface, digital risk, and security ratings of all organizations". This ensures ongoing visibility of the API landscape, detecting new APIs or real-time changes in their security posture.
Example: ThreatNG can continuously scan for newly deployed API endpoints that might have bypassed internal security reviews, or detect if a previously secured API suddenly becomes exposed due to a configuration change. This provides real-time alerts, enabling rapid response to emerging API risks.
5. Investigation Modules: ThreatNG's investigation modules allow deep dives into the details of discovered APIs and their vulnerabilities:
Domain Intelligence (Domain Overview, Subdomain Intelligence): "Domain Overview" includes "related SwaggerHub instances, which include API documentation and specifications, enabling users to understand and potentially test the API's functionality and structure". "Subdomain Intelligence" can identify "Content Identification (APIs)" and "Ports (IoT / OT... Exposed VoIP Services, HTTP Gateways)".
Example: An analyst can use Domain Intelligence to discover an organization's public-facing Swagger/OpenAPI documentation, providing a potential attacker with a roadmap to understand API functionalities. Subdomain Intelligence can then pinpoint specific API endpoints on various subdomains and associated open ports.
Sensitive Code Exposure: Discovers public code repositories, uncovering digital risks, including Access Credentials (API Keys, GitHub Access Token, Google API Key, Stripe API Key).
Example: This module can pinpoint exact API keys inadvertently committed to a public GitHub repository, providing attackers with direct credentials for API access, a common source of API breaches.
Mobile Application Discovery: Discovers mobile apps and analyzes their contents for "Access Credentials (APIs... AWS Access Key ID... GitHub Access Token... Stripe API Key)".
Example: This module can reveal if a mobile app contains hardcoded API keys that grant access to backend services, highlighting a significant flaw in mobile-to-API communication security.
6. Intelligence Repositories (DarCache): These continuously updated repositories provide contextual threat intelligence to understand the exploitability and impact of API-related vulnerabilities:
DarCache Vulnerability (NVD, EPSS, KEV, PoC Exploits): Provides "real-world exploitability, the likelihood of exploitation, and the potential impact" of vulnerabilities affecting APIs or the frameworks they rely on.
Example: If an API gateway or an underlying framework used by an API has a Known Exploited Vulnerability (KEV), DarCache Vulnerability highlights this, indicating an immediate threat and potentially providing links to PoC exploits showing how that API vulnerability can be abused.
DarCache Rupture (Compromised Credentials): Alerts on compromised credentials, including API keys, found on the dark web.
Example: ThreatNG can notify an organization if a critical API key for a major service has been found in a dark web dump, signaling an imminent API account takeover risk.
Complementary Solutions: ThreatNG's external API discovery and assessment capabilities can integrate seamlessly with other cybersecurity tools to form a comprehensive API security strategy:
API Security Gateways/Management Platforms: ThreatNG's discovery of unknown or "shadow" APIs (e.g., forgotten endpoints, unsanctioned mobile app APIs) can be fed into API gateway systems. This ensures all APIs are brought under central management and subject to proper access controls, rate limiting, and Web Application Firewall (WAF) protection.
API Security Testing Tools (DAST/SAST for APIs): ThreatNG's identification of API endpoints, exposed sensitive data within code, or potential API vulnerabilities (e.g., due to outdated frameworks) can inform DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) tools. ThreatNG provides the "what to test" externally, and these tools perform the deeper, authenticated analysis.
Cloud Security Posture Management (CSPM) Tools: ThreatNG's discovery of publicly exposed cloud-hosted APIs or misconfigured API endpoints on cloud services (via Cloud and SaaS Exposure) can complement CSPM tools. This ensures that APIs, often a key part of cloud services, are configured securely from both internal and external perspectives.
Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's real-time alerts on newly discovered or compromised APIs (e.g., exposed API keys on the dark web, a vulnerable API endpoint) can trigger automated playbooks in a SOAR platform. This could involve automatically blocking the exposed IP, rotating the API key, or initiating an incident response workflow.