This week, we have thoughts from Bill Doerrfeld on how API governance is essential to counter technology sprawl. We also have commentary on how API security is essential in the age of digital transformation and another on why APIs are the new battleground for security. We have two articles on AI for APIs: firstly, how to use AI to find API bugs and how AI will enable APIs. Finally, we close with Dana Epp on using JS Miner to detect API endpoints and source code.
Article: API governance to avoid technology sprawl
The first article this week is an excellent piece from Bill Doerrfeld on how API governance is essential to avoid technology sprawl. The article canvasses the views of several industry thought leaders on the proliferation of APIs and how these need to be governed to prevent an unmanageable sprawl of technology, which in turn leads to greater risk to organizations and consumers.
APIs are essential for modern software architectures because they enable data and business services to be integrated across platforms, including mobile and desktop applications. API-first approaches are becoming increasingly popular, providing advantages such as abstraction, automation, and governance. Coupled with this is the fact that new next-generation platforms (LLM-based services or no/low-code platforms) are highly reliant on APIs as their connecting fiber.
To make things even worse from a governance viewpoint is the fact that API ubiquity presents IT management challenges such as inconsistent design patterns, communication silos, access control, documentation hurdles, and monitoring, performance, and scalability concerns. Additionally, businesses must consider the value proposition, target user, business objectives, and marketing/monetization of APIs.
Gartner’s Mark O’Neill feels that consistency is key to governance:
“When good API governance is in place, consistent design means all your organization’s APIs look like they were defined by the same team, even if many teams were involved,”
Successful API governance initiatives should improve design, provide visibility, future-proof IT strategy, and streamline workflows.
The importance of good API governance includes the following:
- Guardrails bring CIOs peace of mind
- Helping to attain business objectives
- Governance guides more confident usage
API governance is critical for a successful API strategy; unfortunately, it is often hard to achieve in practice.
Article: API security in the age of digital transformation
The next article from Business Daily Africa highlights the growing importance of API security in the age of digital transformation, particularly in the financial services sector. As companies increasingly adopt APIs to facilitate communication between applications, the risk of cyberattacks targeting these APIs also rises.
Hackers are attracted to APIs due to the valuable data and functionality they provide, lack of proper security measures, integration complexity, third-party risks, and skills gaps. To address these challenges, the authors emphasize the need for cooperation between cybersecurity teams and software developers to defend APIs effectively.
To ensure API security, reliability, and successful integration, the authors recommend several strategies:
- Implementing strong authentication and authorization mechanisms
- Designing secure APIs and coding standards
- Comprehensive logging and monitoring to identify and respond to security incidents
- Conducting regular security assessments and penetration testing
- Developing incident response plans and disaster recovery mechanisms
By adopting these strategies, companies can mitigate potential risks associated with APIs, provide a reliable experience for users and developers, and ensure business continuity in the face of potential security breaches or disruptions.
Article: APIs are the new battleground for security
Pulling the first two articles together nicely, we have our third article describing why APIs are the new battleground for security. The authors highlight the concerns around API sprawl as a major challenge, with organizations losing track of their APIs and facing difficulties in managing and securing them effectively.
Since APIs provide access to sensitive data and may have vulnerabilities, APIs are becoming increasingly appealing to attackers because of their access to sensitive data and potential vulnerabilities. The lack of standardization in APIs makes it challenging to develop a comprehensive security strategy for them.
The authors highlight best practices for API security, such as:
- Implementing authentication and authorization mechanisms
- Using rate limiting to protect against brute force and DDoS attacks
- Validating input parameters to prevent injection attacks and other vulnerabilities
- Encrypting sensitive data and securing communication with SSL/TLS
- Monitoring and logging API usage to detect and respond to security incidents
- Conducting regular security testing to identify vulnerabilities
- Following secure coding practices during API development
Perhaps most important is the need for a comprehensive API architecture and management framework, including central management tools and the use of API gateways for security checks and monitoring.
Article: Using AI to find API bugs
Previously, we have featured Dana Epp’s thoughts on using Postman’s new AI feature called Postbot to test or attack APIs, and this week we have Edward Lichtner’s views on the same topic. As a recap: Postbot is an AI prompt within Postman that allows for the automated generation of test scripts with Postman. Combining this feature with Postman’s collection runner capabilities provides a very powerful API testing platform.
The author describes some typical scenarios that can be automated, including:
- Scanning for endpoints that include a JWT in the authorization header and a URL parameter, which could lead to broken object-level authorization (BOLA) vulnerabilities.
- Searching for endpoints that return strings formatted as emails or UUIDs in the response body, potentially exposing other users’ information.
- Identifying endpoints with CORS misconfigurations by looking for the “Access-Control-Allow-Origin: *” header.
- Looking for email addresses in the response body.
- Fuzzing an endpoint by looping through numbers 1 to 15 and polluting the “report_id” parameter to identify BOLA vulnerabilities.
The are some limitations of Postman’s free plan, and the author suggests alternatives like ChatGPT, Hacking APIs GPT, and SecGPT for generating test scripts when the Postbot call limit is reached.
Article: How AI will enable APIs
Sticking to the topic of AI, the next article from Nordic APIs takes a forward-looking view of the possibilities of using AI and APIs together.
As the previous article showcases so effectively, AI can easily be used to improve the API development lifecycle itself, including:
- AI algorithms can automatically generate client-side code that consumes APIs and server-side code that exposes APIs.
- AI can be used to improve the layout of API resources, align APIs with industry best practices, and create APIs that are more tailored to specific use cases.
- AI can prevent data breaches by analyzing API traffic and identifying malicious communication patterns. Several existing tools already use AI for API security.
The authors then take a fascinating look at the art of the possible, where AI and APIs combine to create a world where applications are intelligent, personalized, and adaptive. According to them, this will happen in phases of enablement, as follows:
- With APIs, applications can self-integrate, eliminating the need for human intervention.
- The APIs will enable autonomous applications to navigate and adapt to their environments.
- Autonomous business integration depends on APIs for evaluating, entering, and fulfilling contracts.
- The pinnacle of AI interfaces is that they are capable of understanding a user’s input and choosing the appropriate API to complete the task, and the future holds exciting possibilities.
The convergence of AI and APIs holds immense potential to make applications more intelligent, adaptive, and efficient, though it also comes with strategic implications for technology providers to navigate. The two technologies have a bright future together.
Guide: Using JS Miner to detect API endpoints
Finally, let us conclude this week with Dana Epp discussing how to use JS Miner to detect API endpoints. JS Miner is a free Burp Suite Professional extension that finds interesting stuff inside static files like JavaScript and JSON, and it provides the following features:
- It automatically scans for hard-coded secrets and credentials.
- It passively scans for subdomains the web app calls and pulls code and data from.
- It can actively try to construct source code from JavaScript Source Map Files (if found).
- It passively tries to detect API endpoints that use GET/POST/PUT/DELETE/PATCH.
Dana shows how to use JS Miner using the following steps:
- Walk the app to download all static content.
- Let JS Miner scan passively to orient yourself with the app.
- Force JS Miner to run an active scan.
- Check for any JS Source Mapper results to discover any .map files.
- Explore the code and extract routes and endpoints.
Although this plugin requires the Professional edition of Burp Suite, it looks like an extremely powerful tool to be able to reverse engineer APIs from their web front end. Thanks to Dana for another great read.
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy
