A presentation given by Rob Dickinson, VP of Engineering at Graylog, at our 2024 Austin API Summit, March 12-13. Session Description: Discovering the attack surface presented by your APIs is the first step to improving API security. But APIs are fundamentally dark and constantly changing, which presents serious challenges for security teams trying to assess and manage new risks. There are several reasonable ways to perform API discovery, but each has its own tradeoffs and implications about what is actually being counted. This talk covers taking an API discovery program from start to best-of-breed, and strategies for measuring and monitoring your API attack surface.

1. API
DISCOVERY
FROM CRAWL TO RUN

2. I am Rob Dickinson
VP of Engineering at Graylog
Based in Boulder CO 🏔️ 🇺🇸
robert.dickinson@graylog.com
linkedin.com/in/robfromboulder
2
API discovery from crawl to run
About me

3. 3
Why does API discovery matter?
● API security starts with discovering your attack surface
● Need metrics to quantify risk & alert on changes in risk
● Can’t have metrics without agreeing what to count
We currently have X APIs, where Y are
new, and Z need immediate attention 🤩
API discovery from crawl to run

4. 4
Create an API inventory Track changes to your
API inventory
API discovery from crawl to run
Track changes in risk
metrics for your API
inventory
Stages of API Discovery

5. 5
Challenges in counting APIs
● API best practices are not well-understood ️
● APIs are dark compared to websites & email integrations
● APIs often have a fast rate of change
● APIs have different development cultures ️
● “API” is loosely defined, making them hard to quantify ️
API discovery from crawl to run

6. 6
API discovery example
POST coinbroker.io/user
{
"first_name":”Rob",
"last_name":”Dickinson",
"email":rob@resurface.io”
}
GET coinbroker.io/quote
{
"account_token":"4b86cd
3f-ccaf-445b-b099",
"amount_usd":"6",
"coin_type":"BTC”
}
POST coinbroker.io/order
{
"account_token":"4b86cd
3f-ccaf-445b-b099",
”quote_token":"552cd9da
-2ff4-4dfe-b2eb”
}
HOW MANY APIS ARE PRESENT HERE?
ANSWER: 1
ANSWER: 3 🤔 😖
API discovery from crawl to run

7. 7
Reasonable ways to count APIs
● Count fully qualified domain names (FQDNs)
● Count FQDN + method + path (unique routes)
● Count API hosts/containers (physical & virtual servers)
● Count vendor/supplier/customer integrations (internal vs external)
● Count specifications (OpenAPI) 💪
API discovery from crawl to run

8. 8
OpenAPI to the rescue
POST coinbroker.io/user
{
"first_name":”Rob",
"last_name":”Dickinson",
"email":rob@resurface.io”
}
GET coinbroker.io/quote
{
"account_token":"4b86cd
3f-ccaf-445b-b099",
"amount_usd":"6",
"coin_type":"BTC”
}
POST coinbroker.io/order
{
"account_token":"4b86cd
3f-ccaf-445b-b099",
”quote_token":"552cd9da
-2ff4-4dfe-b2eb”
}
HOW MANY APIS ARE PRESENT HERE?
1 API
3 PATHS 😎
API discovery from crawl to run

9. 9
Tracking changes in APIs
● Now we need to count APIs by lifecycle state
● “Rogue” or “unmanaged” APIs are new & need review
● “Prohibited” or “banned” APIs are not approved for use
● “Monitored” or “supported” APIs are actively maintained
● “Deprecated” or “zombie” APIs have newer versions
API discovery from crawl to run

10. 10
For continuous discovery,
self-describing APIs are best.
Expose an introspection route
that provides the API spec!
GRAYLOG API SECURITY

11. 11
Quantifying API risks
● How have recent changes affected the API attack surface?
● Runtime behaviors/configuration bring unforeseen risks
● Threats can arise from inside or outside the organization
● There is no standard way to calculate risk scores
● Request and response should be included in risk scores
● Risk scores should be calculated across lifecycle groups
API discovery from crawl to run

12. 12
Risk scoring with Graylog
API discovery from crawl to run

13. 13

14. THANK
YOU.
For additional information regarding
Graylog API Security please visit:
graylog.org/products/api-security/