Explore the public API attack surface with the new Spyder API
Today we are proud to announce the availability of API Spyder, the latest addition to the Cequence Unified API Protection (UAP) solution. API Spyder is the latest offering from the Cequence Unified API Protection solution. Cequence Unified API Protection is the only offering on the market today that protects your APIs from attackers and eliminates unknown and unmitigated API security risks that can lead to data loss, fraud and business disruption .
Agentless API attack surface discovery
Most organizations lack visibility into their public-facing API attack surface. Attack surface management products discover publicly accessible resources such as exposed ElasticSearch servers, S3 buckets, and IP address ranges. However, they do not discover API servers or endpoints hosted on them, such as login and authentication endpoints or health monitoring endpoints. Runtime API security products such as Cequence API Sentinel discover and catalog the inventory of runtime APIs after applications are integrated. take advantage of the traffic data of these applications.
API Spyder complements Sentinel API runtime discovery by discovering public API servers without requiring changes or deployments across the organization. It is a multi-tenant SaaS service that only requires the user to enter a top-level domain (TLD) name and then crawl that domain to find API assets that are visible under this TLD. This can include GraphQL servers, REST servers, assets hosted on various IaaS/cloud providers, and those behind a Content Delivery Network (CDN) or Web Application Firewall (WAF). All at the user’s fingertips, in minutes.
Predictive mining to discover public API resources
API Spyder uses the user-provided TLD to discover publicly exposed API servers under that domain. It crawls each of these servers with smart crawling technology that can discover common exposed API paths, including login/authentication endpoints, health metrics, exposed files, and other common implementations of API servers. Regular web crawling, like what bots like Google Bot do, does not discover API servers or endpoints. It is incredibly difficult to find API endpoints using just a server name without knowing the API specification (as defined by OpenAPI/Swagger). API Spyder overcomes this hurdle with an intelligent crawling technology called Predictive Crawling that discovers API endpoints under each server, without any knowledge of that API server.
API Spyder reveals the following information about an organization’s API attack surface:
- API Hosting Providers – providing data on CDNs, Infrastructure-as-a-Service (IaaS) providers, and Software-as-a-Service (SaaS) solutions, where APIs are hosted.
- API Servers – providing the names of servers found to host APIs along with the API endpoints they host.
- Security issues – including vulnerabilities such as Log4j, LoNg4j and exposed non-production APIs which are further categorized as high, medium and low severity issues.
Automated scans and notifications
One thing for sure about attack surfaces is that they are never constant. Application teams are constantly integrating new applications into different environments – on-premises or in the cloud. As a security leader, it’s hard to keep up with these new apps that pop up daily.
API Spyder mitigates this problem by automatically crawling organization domains and determining if new API servers, hosting providers, or security issues such as Log4j vulnerabilities are discovered. If found, notifications are automatically sent to admin users alerting them to new discoveries.
This proactively brings attack surface discovery changes to the user’s fingertips instead of having to hunt for changes manually.
Summarize results in reports
The results can be summarized in an easy-to-generate summary report for security managers to analyze where their API servers are hosted and any immediate actions they need to take to address security issues. This helps companies prioritize remediation of pressing security issues such as Log4j vulnerabilities.
API Spyder is the latest offering from the Cequence Unified API Protection solution. Cequence Unified API Protection is the only offering on the market today that protects your APIs from attackers and eliminates unknown and unmitigated API security risks that can lead to data loss, fraud and business disruption .
You can get started with API Spyder by requesting a 10-day free trial
The post Discover Public API Attack Surface with new API Spyder appeared first on Cequence.
*** This is a syndicated blog from Cequence’s Security Bloggers Network written by Subbu Iyer. Read the original post at: https://www.cequence.ai/discover-public-api-attack-surface-with-new-api-spyder/