The Curious Case of Unprotected APIs
UNPROTECTED APIS
CONTEXT
Most enterprise cores are as soft and chewy as the center of a candy bar. That means that
once inside, an attacker has free rein over the back-end systems. The API layer is the door into
that core, which makes it a table-pounding, must-have security priority.
VULNERABILITIES IDENTIFICATION & TRACKING
REST, SOAP and other APIs that expose back-end systems lack access control, monitoring and
management.
• Build a service repository or API catalog listing every API that reaches a back-end system
• Keep the repository up to date as APIs are added, changed or retired; an API that is missing
from the catalog cannot be monitored or protected
COUNTERMEASURE(S)
Enforce access policy for all APIs through a central chokepoint such as an API gateway. Implement an
API gateway to:
• Mediate and monitor all access requests to the API layer, logging every request before a decision is made
• Enforce API access control policy (authenticate the caller, then check that it is authorized for the specific API)
• Refuse requests for APIs that are not in the catalog (deny by default), so the system does not expose unprotected assets via APIs
ASSURANCE
Use dynamic scanning tools to probe for APIs that answer without credentials or that bypass the
gateway. These scans should run continuously, not as a one-off: new APIs appear whenever the
back-end changes, and an unregistered API is exactly the kind of exposure the scan exists to catch.
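The countermeasure and assurance sections above, as one added example (not code from the original page): a catalog-driven gateway that logs every request, authenticates and authorizes against the catalog, and denies routes the catalog does not list, followed by an in-process stand-in for a dynamic scan that sends unauthenticated requests to every catalogued route plus a few common guesses. All route names, scopes, tokens and back-end stand-ins are constructed for illustration; a real gateway would proxy to network services and resolve tokens at an identity provider.

```python
"""Catalog-driven API gateway with deny-by-default access control, an audit log,
and an in-process probe that mimics a continuous dynamic scan for unprotected APIs.
Added example; every route, scope, token and back-end below is made up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# --- API catalog (the "service repository" the guidance asks for) ----------------
# Every exposed route is registered here with the scope a caller must hold.
# Anything absent from the catalog is never forwarded (deny by default).
@dataclass(frozen=True)
class Route:
    method: str
    path: str
    required_scope: str           # scope the caller's token must carry
    backend: Callable[[], dict]   # the protected back-end operation

# Constructed back-end stand-ins; a real gateway would proxy to a service.
def _list_customers() -> dict:
    return {"customers": ["acme", "globex"]}

def _export_ledger() -> dict:
    return {"ledger": "sensitive-financial-data"}

CATALOG: Dict[Tuple[str, str], Route] = {
    ("GET", "/v1/customers"): Route("GET", "/v1/customers", "customers:read", _list_customers),
    ("GET", "/v1/ledger/export"): Route("GET", "/v1/ledger/export", "ledger:export", _export_ledger),
}

# Constructed token store: opaque bearer token -> granted scopes.
# In production this is a JWT validation or token-introspection call.
TOKENS: Dict[str, List[str]] = {
    "tok-support": ["customers:read"],
    "tok-finance": ["customers:read", "ledger:export"],
}

@dataclass
class Gateway:
    audit_log: List[dict] = field(default_factory=list)

    def handle(self, method: str, path: str,
               headers: Optional[Dict[str, str]] = None) -> Tuple[int, dict]:
        headers = headers or {}
        # 1. Mediate: every request is recorded before any decision is made,
        #    so denied and unknown requests show up in monitoring too.
        entry = {"method": method, "path": path, "decision": None}
        self.audit_log.append(entry)

        # 2. Deny by default: a route missing from the catalog is not forwarded,
        #    even if some back-end would answer it. This is what stops
        #    unprotected assets from leaking through the gateway.
        route = CATALOG.get((method, path))
        if route is None:
            entry["decision"] = "deny:unknown-route"
            return 404, {"error": "not found"}

        # 3. Authenticate: require a bearer token the token store recognises.
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        scopes = TOKENS.get(token)
        if scopes is None:
            entry["decision"] = "deny:unauthenticated"
            return 401, {"error": "unauthorized"}

        # 4. Authorize: the token must carry the scope this specific route needs.
        if route.required_scope not in scopes:
            entry["decision"] = "deny:insufficient-scope"
            return 403, {"error": "forbidden"}

        entry["decision"] = "allow"
        return 200, route.backend()

# --- Assurance: in-process stand-in for a continuous dynamic scan ---------------
# Sends credential-less requests to every catalogued route and to a few guessed
# paths; returns whichever ones hand back data. The expected result is an empty list.
GUESSED_PATHS: Tuple[str, ...] = ("/v1/admin", "/debug", "/internal/ledger")

def find_unprotected(gateway: Gateway, extra_paths: Tuple[str, ...] = GUESSED_PATHS) -> List[str]:
    candidates = list(CATALOG.keys()) + [("GET", p) for p in extra_paths]
    exposed: List[str] = []
    for method, path in candidates:
        status, _ = gateway.handle(method, path)   # no Authorization header at all
        if status == 200:
            exposed.append(f"{method} {path}")
    return exposed

if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("GET", "/v1/ledger/export", {"Authorization": "Bearer tok-support"}))
    print(gw.handle("GET", "/v1/ledger/export", {"Authorization": "Bearer tok-finance"}))
    print("unprotected:", find_unprotected(gw))
    for e in gw.audit_log:
        print(e)
```

The scan deliberately reuses the gateway's own entry point so that a route reachable only by bypassing the gateway would surface as a gap in the catalog rather than as a false pass; in a real deployment the scanner should hit the network address of each back-end directly as well, since the guidance is about APIs that sidestep the chokepoint.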