CodeLogic for API Endpoint Governance
Think you know where all your REST endpoints are? Think again.
- API governance, a critical function for most organizations, is becoming a legal requirement.
- API management tools lack a complete and accurate view of *all* endpoints.
- Only by performing a deep and thorough API discovery scan can security and legal demands be addressed.
- Further, it’s not enough to know where your API endpoints are—you need to know how, and by whom, they are used.
- Through a unique combination of scanning and profiling technologies, CodeLogic is the only platform able to build a complete API inventory.
Cybersecurity regulations and API endpoints
Cybersecurity regulations, such as those issued by the New York Department of Financial Services (NYDFS), are widely seen as frameworks that guide national and even international laws. Companies in banking, insurance, and financial services will soon be impacted by an amendment to NYDFS 2017 Cybersecurity Regulation 23 NYCRR § 500 that tightens up regulations and imposes stiffer penalties. This pending regulatory update includes a new requirement to compile and maintain a complete asset inventories of all information systems and software – which most security experts understand to include an inventory of APIs. API endpoints are prime targets for bad actors, raising risk levels throughout the enterprise.
How can CodeLogic help ensure endpoint compliance?
The problem with identifying and documenting API endpoints (internal APIs, remote APIs, REST APIs, REST endpoints, and even “shadow” APIs) is that you can’t inventory what you don’t know is there. Better endpoint protection and security starts with understanding the full picture of your software structure. Large organizations grapple with application complexity arising from legacy codebases combined with new development, tribal knowledge that left with developers long gone, and increasing use of third-party services and applications, among other challenges. Nobody can possibly know every application endpoint.
Existing API management tools and source code scans don’t have the capabilities to seek out APIs that may only become apparent in compiled applications. APIs may surface from code injected during or after compilation; external databases, servers, and APIs; and third-party libraries.
CodeLogic surpasses simple API endpoint detection, using proprietary binary and runtime scanning to analyze the architecture of software applications. Going below the surface of source code and documentation, CodeLogic examines everything from post-compile binaries and runtime application behavior to database schemas, stored procedures, calls to cloud services, and other points of communication between applications and services. Once CodeLogic scans applications, it’s simple to produce a report of all API endpoints that have been discovered.
An overview of CodeLogic’s scanning techniques
To provide deeper API endpoint detection, CodeLogic scans and analyzes binaries (interpreted byte code or executable binaries) as well as database interactions and schemas. Additionally, the CodeLogic CSI platform provides unparalleled visibility into system dependencies and code-level interactions.
Binary scans of deployed applications simplify mapping to other services or databases, surfacing external databases, servers, APIs, and even third-party libraries that applications are communicating with.
Runtime scans capture dynamically established relationships and identify API endpoints that are looked up at runtime rather than hardcoded.
Other Scanning Techniques
In addition to scanning source code, CodeLogic can profile other software:
- Relational databases: A CodeLogic agent scans and assesses the database structure and retrieves stored procedures for profiling. CodeLogic agents connect remotely using JDBC drivers and don’t need to be installed on the database itself.
- API scans: CodeLogic REST APIs are used to connect to targets such as ServiceNow and AWS EC2 instances to detect structures in those environments and profile them.
In the Pipeline
To trigger regular rescans from a continuous delivery pipeline, there are two options:
- Binary profiling at build time: An agent installed on the build machine can profile new builds in place, providing rapid structural updates. A single CodeLogic Java or .NET agent can process the builds of many projects.
- Full profiling in a test stage: Runtime scans benefit from the software being broadly exercised. Profiling during a stage of the pipeline where comprehensive functional regression tests are executed is ideal.
CodeLogic IDE plugins and extensions bring impact analysis insight into the IDE where developers already spend a good deal of their time, enhancing existing IDE gestures including the “Find Usages” and “Find References” functionality.