API Governance: Bring Your Endpoints Out of the Shadows

Introduction

Cybersecurity regulations are becoming more stringent by the day, and the penalties for noncompliance are no joke. The New York Department of Financial Services (NYDFS) recently fined Carnival Cruise Lines (regulated as a licensed insurance producer) $5 million for a series of cybersecurity events and compliance violations, and fined Robinhood Crypto $30 million for cybersecurity violations alongside other regulatory failures.

NYDFS has proposed a new amendment to its 2017 Cybersecurity Regulation, 23 NYCRR Part 500, that is likely to guide national and perhaps even international rules governing the banking, insurance, and financial services industries. Compliance, security, and development teams should pay particular attention to one area the amendment covers: the requirement to maintain an accurate and up-to-date asset inventory, which many security analysts read as including API endpoints. This is a tall order, since most organizations have APIs they don't even know about, and you can't inventory what you don't know is there.

The case of the shadow APIs

It's virtually impossible to know the existence and location of every API endpoint (internal APIs, remote APIs, web APIs, REST endpoints), especially for large enterprises running a blend of new and legacy software. Application interdependencies, the use of open-source and third-party service libraries, and intentionally exposed APIs create complex webs of interfaces. Some endpoints don't even exist until the code is compiled, or only appear when a code path is exercised at runtime. And yet endpoints are among the most attacked parts of an application, especially the invisible "shadow APIs" that the teams using them can't easily account for.

With their existing tools and capabilities, companies find themselves in a no-win situation: regulations require them to know and document every endpoint, with steep fines if they don't, but they simply don't know what they don't know. They have a huge blind spot when it comes to APIs that aren't recognized by existing API management tools such as those from MuleSoft, Google Apigee, and Kong.

These tools do an adequate job of governing API endpoints in modern, microservices development environments. But large financial institutions typically have complex business-critical applications that have been in place longer than these API tools have existed. Making things even more difficult, the people with detailed knowledge of this legacy software are likely long gone and documentation may not be much help.

API management platforms aren’t equipped for the level of discovery and documentation needed across the full portfolio of enterprise applications. Manual inventories take massive amounts of time and manpower that most teams can’t spare, and human effort on this scale is virtually guaranteed to include errors.

At first blush, some type of source code scan or code walk might seem like the best way to approach API endpoint discovery. However, this won’t surface all interconnected APIs; for example:

  1. Third-party libraries are usually delivered as compiled binaries, and even open-source dependencies are typically pulled in as prebuilt packages rather than as source. Source scanners and manual code walks can't see the endpoints registered inside them.
  2. Many APIs call downstream services that expose endpoints of their own. Those transitive endpoints never appear in the calling application's source, so a source scan can't find them.

The good news is that there is a way to automatically and continuously find and document those elusive API endpoints, whether they’re in source code or binaries.

Bringing APIs out of the shadows with binary analysis and runtime profiling

CodeLogic’s Continuous Software Intelligence (CSI) platform helps companies easily inventory REST API endpoints across portfolios of thousands of modern and legacy applications. It uses sophisticated binary and runtime scanning to analyze the architecture of software applications.

Going far below the surface of source code and documentation, CodeLogic deeply examines post-compile binaries, runtime application behavior, database schemas, stored procedures, calls to cloud services, and other points of communication between applications and services. Once CodeLogic scans applications, it’s simple to produce a report of all API endpoints that have been discovered.
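To make the difference between a source scan, a scan of compiled artifacts, and a runtime readout concrete, here is a self-contained illustration added for this page. It is not CodeLogic's code and does not describe how its platform works internally. It uses a toy in-process router standing in for a web framework, a dependency shipped as Python bytecode with no source (mirroring a prebuilt package or vendor library), and constructed sample routes. The source scan over the application's own code misses what the dependency registers; walking the compiled artifact's constant pools (the analogue of scanning a JAR or assembly) surfaces candidate paths but not their methods; reading the live route table after startup yields the complete inventory, and the shadow endpoints are the difference.

```python
"""Shadow endpoint discovery: source scan vs compiled-dependency scan vs runtime.

Added illustration, not CodeLogic's code. A tiny in-process Router stands in
for a web framework's route registry; a dependency is delivered as a
marshalled code object (bytecode only, no source), the way a prebuilt
package or vendor library would be. All routes here are constructed sample data.
"""
import marshal
import re
import types


class Router:
    """Minimal stand-in for a web framework: records (method, path) on registration."""

    def __init__(self):
        self.routes = []

    def route(self, method, path):
        def register(fn):
            self.routes.append((method, path))
            return fn
        return register


# The application code that lives in the repo (constructed sample).
APP_SOURCE = '''
@app.route("GET", "/accounts")
def list_accounts(): ...

@app.route("POST", "/accounts/{id}/transfer")
def transfer(): ...

payments.install(app)   # a dependency registers its own endpoints
'''

# The dependency as its vendor wrote it. It is compiled and only the bytecode
# is kept, so none of the scanning functions below ever see this text.
_DEP_SOURCE = '''
def install(app):
    @app.route("POST", "/payments/v1/charge")
    def charge(): ...

    @app.route("GET", "/internal/debug/dump")   # forgotten diagnostic endpoint
    def dump(): ...
'''

ROUTE_RE = re.compile(r'@app\.route\("([A-Z]+)",\s*"([^"]+)"\)')
PATH_RE = re.compile(r"^/[\w/{}.-]*$")


def build_dependency_binary() -> bytes:
    """Compile the dependency and serialise the bytecode: our 'binary' artifact."""
    return marshal.dumps(compile(_DEP_SOURCE, "<payments>", "exec"))


def scan_source(text: str) -> set:
    """Static text scan of the repo: finds only routes declared in first-party code."""
    return set(ROUTE_RE.findall(text))


def scan_binary(blob: bytes) -> set:
    """Walk the compiled artifact's constant pools for path-like string literals.

    This is the bytecode analogue of scanning a JAR or .NET assembly: it surfaces
    candidate paths inside dependencies, but cannot tell which HTTP method (if
    any) each literal is registered with.
    """
    found = set()

    def walk(code):
        for const in code.co_consts:
            if isinstance(const, str) and PATH_RE.match(const):
                found.add(const)
            elif isinstance(const, types.CodeType):
                walk(const)

    walk(marshal.loads(blob))
    return found


def runtime_inventory(blob: bytes) -> set:
    """Load the dependency from bytecode, run the app's startup, read the live route table."""
    dep = types.ModuleType("payments")
    exec(marshal.loads(blob), dep.__dict__)
    app = Router()
    exec(APP_SOURCE, {"app": app, "payments": dep})
    return set(app.routes)


def shadow_endpoints(blob: bytes) -> list:
    """Endpoints reachable at runtime that a source scan of the repo never lists."""
    return sorted(runtime_inventory(blob) - scan_source(APP_SOURCE))


if __name__ == "__main__":
    blob = build_dependency_binary()
    print("source scan:  ", sorted(scan_source(APP_SOURCE)))
    print("binary scan:  ", sorted(scan_binary(blob)))
    print("runtime table:", sorted(runtime_inventory(blob)))
    print("shadow:       ", shadow_endpoints(blob))
```

In a real deployment the runtime step is a readout of the framework's route registry after startup (Flask's app.url_map, for example, or the equivalent mapping in Spring or ASP.NET), and the compiled-artifact scan runs over the jars, wheels, or assemblies that ship without source. The divergence between the inventories is the finding: anything present in the runtime table but absent from the source inventory is a shadow endpoint that needs an owner and an entry in the asset inventory.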

CodeLogic lets organizations automatically and continuously maintain awareness of all their API endpoints, ensuring compliance with the strictest regulations – and significantly improving security, too.
