May 1, 2024 at 05:14PM
Organizations focusing on API security must prioritize identifying and managing shadow APIs, as they pose significant risks if left unaddressed. Rupesh Chokshi from Akamai highlights the prevalence of these endpoints and emphasizes the need to either document or decommission them. He also outlines the broader challenges and attack vectors associated with API security.
The meeting notes make clear that organizations face significant challenges in managing and securing their API estate. Rupesh Chokshi emphasized the importance of addressing unmanaged, or shadow, application programming interfaces (APIs): endpoints that are still reachable but sit outside the organization's inventory because they are outdated, undocumented, or no longer intentionally in use. Because nobody owns them, they are rarely patched, monitored, or covered by the authentication controls applied to the known API surface, which is what makes them a substantial risk.
Chokshi is scheduled to present on this topic at RSA Conference 2024 in San Francisco. He described the surprising number of shadow endpoints discovered in enterprise environments, which underscores the urgency of finding them and either eliminating them or bringing them under the API security program.
The proliferation of APIs has expanded organizations' attack surface. Research from Akamai indicates that a significant share of web attacks now target APIs, with common vectors including SQL injection, cross-site scripting, session hijacking, and data harvesting.
The challenges in API security fall into two broad categories: posture and runtime. Posture weaknesses are static properties of how the API estate is built and deployed, such as shadow APIs and endpoints that expose resources without authentication; they exist whether or not anyone is attacking. Runtime problems are active threats visible in live traffic, such as unauthenticated attempts to reach sensitive API resources or data-scraping attempts that enumerate records through an otherwise legitimate endpoint.
To address these challenges, Chokshi stressed the need for organizations to maintain visibility over their API environment, including detecting shadow APIs and either documenting or decommissioning them. Beyond that, organizations should maintain a current inventory of their APIs, correct flaws in API code, bolster threat detection and response capabilities, and establish an API threat-hunting capability.
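The posture and runtime distinction above, and the inventory-driven discovery of shadow and unused endpoints, can both be exercised with one small check that compares what the organization has documented against what its gateway actually serves. The following Python is an added example, not Akamai's tooling or anything the talk describes: the inventory, the simplified access-log format (client, method, path, status, whether a credential was present) and every log line are constructed for the demonstration, and the scraping threshold is an arbitrary value chosen for the sample data.

```python
"""Inventory-versus-traffic check for shadow and unused API endpoints.

Added example, not Akamai's tooling.  The inventory, the log format and
every log line below are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Constructed inventory: documented route template -> True if the route is
# supposed to require authentication.  A real inventory would be derived from
# an OpenAPI spec or the API gateway configuration.
INVENTORY = {
    "GET /api/v1/users/{id}": True,
    "GET /api/v1/orders": True,
    "POST /api/v1/orders": True,
    "GET /api/v1/health": False,
    "GET /api/v1/reports/{id}": True,  # documented, but receives no traffic below
}

# Constructed access log, one request per line:
#   <client ip> <method> <path> <status> <auth|->
# "auth" means the request carried a credential, "-" means it did not.
LOG_LINES = """\
10.0.0.5 GET /api/v1/users/101 200 auth
10.0.0.5 GET /api/v1/orders 200 auth
10.0.0.5 POST /api/v1/orders 201 auth
10.0.0.7 GET /api/v1/health 200 -
10.0.0.7 GET /api/v2/export 200 -
10.0.0.7 GET /internal/debug/config 200 -
10.0.0.3 GET /api/v1/users/7 200 -
10.0.0.3 GET /api/v1/orders 401 -
10.0.0.8 GET /api/v1/users/1 200 auth
10.0.0.8 GET /api/v1/users/2 200 auth
10.0.0.8 GET /api/v1/users/3 200 auth
10.0.0.8 GET /api/v1/users/4 200 auth
10.0.0.8 GET /api/v1/users/5 200 auth
10.0.0.8 GET /api/v1/users/6 404 auth
"""

# Path segments that look like resource identifiers (integers or UUIDs) are
# collapsed to {id} so that /users/1 and /users/2 map to the same route.
ID_SEGMENT = re.compile(
    r"\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
)


def normalize(path):
    """Strip the query string and replace identifier segments with {id}."""
    segments = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.fullmatch(s) else s for s in segments)


def parse_line(line):
    """Parse one constructed log line into a request record."""
    ip, method, path, status, auth = line.split()
    return {"ip": ip, "method": method, "path": path, "status": int(status),
            "auth": auth == "auth", "route": f"{method} {normalize(path)}"}


def analyze(inventory, log_text, scrape_threshold=5):
    """Return posture and runtime findings from the inventory and traffic.

    shadow:  routes seen in traffic but absent from the inventory (posture)
    unused:  documented routes that received no traffic; decommission candidates
    unauthenticated_served:  2xx responses to credential-less requests on routes
             the inventory says require authentication (posture flaw, observed)
    scraping:  clients touching >= scrape_threshold distinct IDs on one route (runtime)
    """
    requests = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    seen_routes = {r["route"] for r in requests}

    shadow = sorted(seen_routes - set(inventory))
    unused = sorted(set(inventory) - seen_routes)

    # inventory.get() is None for shadow routes and False for public ones,
    # so only documented, protected routes are considered here.
    unauthenticated_served = sorted({
        (r["ip"], r["method"], r["path"])
        for r in requests
        if inventory.get(r["route"]) and not r["auth"] and 200 <= r["status"] < 300
    })

    ids_touched = defaultdict(set)  # (client, route) -> distinct concrete paths
    for r in requests:
        if "{id}" in r["route"]:
            ids_touched[(r["ip"], r["route"])].add(r["path"])
    scraping = sorted(
        (ip, route, len(paths))
        for (ip, route), paths in ids_touched.items()
        if len(paths) >= scrape_threshold
    )

    return {"shadow": shadow, "unused": unused,
            "unauthenticated_served": unauthenticated_served, "scraping": scraping}


if __name__ == "__main__":
    for category, findings in analyze(INVENTORY, LOG_LINES).items():
        print(f"{category}:")
        for finding in findings:
            print("   ", finding)
```

On the sample data the check surfaces two shadow routes (`/api/v2/export` and `/internal/debug/config`), one documented route with no traffic (`/api/v1/reports/{id}`), one protected route that answered an unauthenticated request with a 200, and one client that walked six consecutive user IDs. The first three are posture findings that would feed the inventory-and-decommission work described above; the last is the kind of runtime signal a threat-hunting capability would act on. The rejected 401 on `/api/v1/orders` is deliberately not reported, since an endpoint refusing unauthenticated access is behaving as documented.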
In summary, the meeting notes provide an overview of the significant risks posed by unmanaged APIs and the essential measures organizations need to take to mitigate these risks and secure their API environment.