Free Tool Helps Security Teams Measure Their API Attack Surface


APIs (application programming interfaces) are critical to the modern Internet because they facilitate communication between applications, such as data transfers. As developers increasingly rely on APIs to deliver new features across web, mobile, and cloud-native applications, threat actors are also taking advantage of their prevalence to breach organizations and extract data.

Enterprise security teams have the difficult task of managing and protecting these service-based application architectures. Security teams need to know when new APIs are added or existing APIs are modified, as well as what kind of client data is being exposed at every layer of the application stack.

“Gartner predicts that by 2022, application programming interface (API) attacks will become the most-frequent attack vector, causing data breaches for enterprise web applications,” the research firm said in a recent webinar.

The API Attack Surface Calculator is a free self-assessment tool designed to help organizations measure their attack surface, according to Data Theorem, the company behind the service. The calculator asks seven questions and performs a first-level security analysis based on the supplied answers in less than five minutes.

The questions ask whether the organization has APIs for public web and mobile applications, what kind of APIs are in use (REST, GraphQL, etc.), which public clouds and cloud services the organization uses, which web application framework the developers rely on, and which regulatory and compliance standards apply to the organization. Data Theorem’s Analyzer Engine takes the answers and generates ratings around potential API exposures across multiple application layers: client, data transport, and cloud.

The calculator doesn’t help with API discovery, but it gives security teams a starting point for understanding how their APIs contribute to the organization’s attack surface. A thorough understanding of the type of APIs in use would help security leaders build a modern API security program, Data Theorem says.
