In an age of information overload and rapid data transmission, vast amounts of sensitive data—including personally identifiable information (PII), medical records, financial transactions, and lifestyle consumption details—are continually shared and circulated online. This mass amount of data is enough to outline the profiles of hundreds of millions of internet users, and the critical channel enabling the efficient transmission of this data is the API.
Long-forgotten and neglected APIs are often referred to as “zombie APIs”. Because they remain unnoticed by security and maintenance personnel, they frequently harbor unpatched vulnerabilities. In the realm of cybersecurity, these zombie APIs often serve as entry points for attackers seeking to breach systems.
The Necessary to Protecting Sensitive API Data
Data is the core resource of the digital economy and information society, profoundly impacting national governance, economic operations, and our daily lives. Data creates value through its flow, sharing, processing, and handling, but this value creation depends on ensuring data security. Recent research shows that APIs account for over 83% of internet traffic, meaning the security of internet data largely relies on the security of APIs.
Fortunately countries and industries worldwide have established clear data security requirements to fully protect citizens’ privacy rights online. Regulations like the ‘California Consumer Privacy Act (CCPA)’ the ‘Personal Data Protection Act (PDPA),’ and the ‘EU General Data Protection Regulation (GDPR)’ have elevated data security to a higher strategic priority.
Why Full API Visibility is Crucial for Security
According to the Q1 2022 edition of the Salt Labs State of API Security Report, 43% of respondents identified zombie APIs as their top API security concern, significantly more than issues related to account takeover and abuse. Additionally, 83% of respondents expressed doubts about the completeness of their API inventory.
Why are companies so concerned about zombie APIs and the completeness of their API inventories? Security risks often lie in the “unknown.” Zombie APIs, shadow APIs, and sensitive data exposures all result from a lack of understanding of the full API asset landscape. Forgotten API assets are difficult to control, and their unpatched vulnerabilities often attract attackers.
Surveys show that while companies are increasingly aware of zombie APIs, they often overlook the hidden risk of zombie parameters. Unlike entirely forgotten zombie APIs, these zombie parameters can still exist within currently used and maintained APIs.
Common zombie parameters include debugging parameters and system attribute parameters used during development and testing. Although these parameters are not exposed to users once the interface goes live, attackers can still exploit them, for instance, by using vulnerabilities like batch assignment to obtain unauthorized responses. If these unknown API vulnerabilities are exploited, sensitive information, such as core business data, can be compromised.
Traditional API Gateway Management Model
How can we effectively manage the entire landscape of API assets, not just the “known” ones? Traditionally, this is done by managing and updating assets through an API gateway. Business developers must promptly register new APIs in the gateway during development and update the API definitions when their content changes. This approach relies entirely on manual management, affecting the accuracy and timeliness of the asset inventory.
As companies grow rapidly, developers must deliver more features and accelerate release speeds to keep pace with the constantly changing market. This leads to the creation of numerous new API versions, placing high demands on developers for daily maintenance. If manual maintenance slips, issues like zombie APIs and zombie parameters will accumulate, increasing the difficulty of maintenance.
It is important to note that security personnel typically focus on forgotten or shadow APIs for security reasons, while the API gateway is maintained by the business department. This means that API security measures taken by security personnel depend on the asset maintenance carried out by business personnel, often leading to efficiency barriers in cross-departmental collaboration.
A Modern Approach to Managing API Assets and Enhancing Security Collaboration
How can we reduce the high costs of manual maintenance and mitigate the risks to asset accuracy and effectiveness while balancing collaboration between the security and business departments in API asset management? The traditional API gateway management model is no longer effective. A new management model is needed — CDNetworks API Shield.
API Shield offers a robust solution for managing API assets more efficiently and securely. It leverages traffic data analysis to inventory API assets in real-time without altering the existing user deployment architecture. Let’s take an in-depth look at how it enhances API security.
Fully Automated Real-Time API Asset Management and Inventory
- Using traffic data analysis, API assets can be inventoried in real time without altering the existing user deployment architecture.
- Automatically organize a comprehensive API asset inventory, including API lists, parameters, calling methods, and more.
- By combining CDNetworks’ predefined API traffic request characteristics with machine learning-based API traffic baselines, API resources in the traffic can be continuously captured.
- Extract various API architecture styles and characteristics, quickly capturing API asset lists through the traffic identification engine. This includes API lists from API gateways, local documentation, and even forgotten or deactivated zombie APIs.
- Further analyze the complete API asset list to show the active status of interfaces, including their request trends, response statuses, and calling methods, making the API asset list clear and understandable.
- API Parameter Asset Inventory: For the captured API list, establish a baseline for user data transmission to identify required parameter names, positions, types, and whether they are mandatory. Additionally, extract the data structure of the request body.
By using these methods, companies can ensure a comprehensive inventory of all API assets and parameters, making it impossible for zombie parameters or malicious parameters created by attackers to go unnoticed.
Optimizing API Management: Folding Overlapping Endpoints for Improved Efficiency
API endpoints such as api/test/111, api/test/112, etc., often have highly similar paths, differing only in fixed path parameters, which can number in the hundreds or thousands. If these overlapping API endpoints are not consolidated, it can result in a massive API asset list, leading to data redundancy and increased management difficulty, making manual verification challenging.
During the API asset discovery process, CDNetworks continuously analyzes these highly overlapping API endpoints, consolidates the API asset list, and standardizes the variables in the path as path parameters. This approach allows subsequent protection modules to perform parameter compliance checks more effectively.
Ensuring Data Privacy: Identifying and Managing Sensitive Data Exposure
During transmission, various types of sensitive data flow rapidly. Some of this data is necessary, while other sensitive data may be exposed unnecessarily due to excessive interface exposure. Conducting a sensitive data exposure inventory can prevent this. The CDNetworks Sensitive Data Identification Engine can identify sensitive information in request and response data in real-time, recognizing data such as ID numbers, phone numbers, and bank card numbers. This enables the statistical analysis and assessment of the overall state of API-sensitive data.
This helps companies identify which APIs are exposing sensitive data, the types of data exposed, and the sensitivity levels. Through detailed exposure inventory and analysis, companies can effectively address the risk of data leaks and avoid overlooked vulnerabilities.
From automated API asset inventory to API path normalization and sensitive data exposure inventory, CDNetworks API Shield ensures comprehensive knowledge, visibility, and control over API assets.