I believe we need automation, continuous discovery and as much visibility as you can get into where these interfaces are being published, how they change and how these changes impact enterprise risk. There’s no way to keep up with this manually and many APIs are either not documented at all, or poorly documented.
How do we catalogue and manage APIs on a day-to-day basis? With as much visibility as possible, through multiple lenses, and then by aggregating the population and telemetry about them into a single repository. This type of visibility and updated inventory is foundational to all other aspects of API management.
Open standards are increasingly important and we are working with industry groups to further this objective. Standardisation leads to a better understanding of the security and threat models facing critical APIs, such as the Financial Grade API (FAPI) for open banking… and can lead to a more robust understanding of the security vulnerabilities and defences that entities need to put in place and validate for proper function.
Without some standardisation, each API will remain its own unique population of zero-day weaknesses, making attack surface and vulnerability management increasingly difficult and complex.
So how do we achieve unified monitoring of APIs from a security perspective?