Let the Right One In: Are Third-Party APIs Exposing Your Network to Unwelcome Guests?
By Ravi Balupari
Andy Warhol famously said, “one’s company, two’s a crowd, and three’s a party,” but when it comes to third-party APIs you have to watch out for party crashers. A lack of visibility into third-party APIs may be allowing unauthorized access to valuable enterprise data.
The way that organizations integrate applications and services introduces significant risk: they consume and expose third-party APIs with little insight into how those APIs operate. In a perfect world, service providers would publish their API specifications, but the proprietary nature of applications leaves most organizations in the dark about their behavior. Even if service providers did publish the necessary (OpenAPI) specifications, there would still be no guarantee that the actual implementation is free from vulnerabilities the specification does not describe.
Even where organizations have code-scanning tools and application development lifecycle management solutions to monitor internal APIs, third-party APIs remain practically opaque. At the same time, many emerging solutions ignore more traditional application environments, creating another API security gap.
Most gateway solutions, such as Web Application Firewalls (WAFs) and API Management gateways, can only detect certain types of anomalous access patterns or prevent already-known attacks. These conventional gateways control only the ingress connection to third-party applications hosted within the organization. Outbound calls to third-party applications hosted beyond the organization’s control are not mediated, let alone managed, by any API-aware service.
Even an advanced Web Application and API Protection (WAAP) solution struggles to monitor and secure third-party APIs, because it lacks access to the API specifications it needs to operate and therefore cannot detect hidden or modified API parameters.
Know the Unknown — See the Unseen
CloudVector delivers Deep API Intelligence™ to discover, monitor and secure all APIs, even in complex hybrid environments. CloudVector provides the deepest insights by inspecting the objects and parameters of all runtime API calls, including calls to third-party APIs. Machine learning generates behavioral models, so that API traffic can be monitored for anomalies. CloudVector enables organizations to enforce granular security controls by terminating a single session or an entire application when suspicious or malicious behavior is detected. Passive monitoring of third-party APIs can also guide automatic policies without user intervention.
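The paragraph above describes the general approach of learning how an API is actually used at runtime and then flagging calls that deviate from that baseline. The following is an added example written for this page, not CloudVector's product code: it replaces the machine-learning model with a simple learned schema (which parameter names and value types each endpoint has been seen with) and shows the three gaps the post calls out: a hidden parameter, a modified parameter, and an outbound call to a third-party host that was never seen during learning. All hostnames, paths and call records are constructed for the illustration.

```python
"""Added illustration: learn a per-endpoint baseline of API parameter shapes
from observed runtime calls (ingress and egress), then flag calls that carry
parameters the baseline never saw, parameters whose value type changed, or
calls to third-party hosts never seen during learning. Not CloudVector code."""
import re
from collections import defaultdict

# Collapse numeric path segments so /orders/101 and /orders/102 share a template.
_ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize_path(path):
    return _ID_SEGMENT.sub("/{id}", path)


def _shape(params):
    """Map each parameter name to the type name of its value."""
    return {name: type(value).__name__ for name, value in params.items()}


def _endpoint(call):
    """Key an observed call by direction, host, method and path template."""
    return (call["direction"], call["host"], call["method"].upper(),
            normalize_path(call["path"]))


def learn_baseline(calls):
    """Build {endpoint: {param_name: set(type_names)}} from a learning window."""
    baseline = defaultdict(lambda: defaultdict(set))
    for call in calls:
        for name, type_name in _shape(call["params"]).items():
            baseline[_endpoint(call)][name].add(type_name)
    return baseline


def detect_anomalies(baseline, call):
    """Return a list of (kind, detail) findings for one runtime call."""
    endpoint = _endpoint(call)
    if endpoint not in baseline:
        direction, host, method, path = endpoint
        kind = ("unknown_third_party_endpoint" if direction == "egress"
                else "unknown_endpoint")
        return [(kind, f"{method} {host}{path}")]
    known = baseline[endpoint]
    findings = []
    for name, type_name in _shape(call["params"]).items():
        if name not in known:
            findings.append(("hidden_parameter", name))
        elif type_name not in known[name]:
            findings.append(("modified_parameter_type",
                             f"{name}: {type_name} not in {sorted(known[name])}"))
    return findings


# Constructed calls recorded during the learning window (hosts are fictitious).
LEARNING_CALLS = [
    {"direction": "ingress", "host": "api.example.internal", "method": "GET",
     "path": "/v1/orders/101", "params": {"expand": "items"}},
    {"direction": "ingress", "host": "api.example.internal", "method": "GET",
     "path": "/v1/orders/102", "params": {"expand": "customer"}},
    {"direction": "egress", "host": "payments.partner.example", "method": "POST",
     "path": "/charge", "params": {"amount": 1999, "currency": "USD"}},
    {"direction": "egress", "host": "payments.partner.example", "method": "POST",
     "path": "/charge", "params": {"amount": 500, "currency": "EUR"}},
]

# Constructed calls seen after learning; each exercises one detection path.
RUNTIME_CALLS = [
    # Matches the learned shape: no finding.
    {"direction": "egress", "host": "payments.partner.example", "method": "POST",
     "path": "/charge", "params": {"amount": 250, "currency": "GBP"}},
    # Hidden parameter that never appeared during learning.
    {"direction": "ingress", "host": "api.example.internal", "method": "GET",
     "path": "/v1/orders/103", "params": {"expand": "items", "admin": "true"}},
    # Modified parameter: amount arrives as a string instead of an int.
    {"direction": "egress", "host": "payments.partner.example", "method": "POST",
     "path": "/charge", "params": {"amount": "250", "currency": "USD"}},
    # Outbound call to a third-party host the baseline has never seen.
    {"direction": "egress", "host": "telemetry.unknown.example", "method": "POST",
     "path": "/collect", "params": {"blob": "opaque-payload"}},
]


def run_demo():
    """Learn from LEARNING_CALLS and return findings per RUNTIME_CALLS entry."""
    baseline = learn_baseline(LEARNING_CALLS)
    return [detect_anomalies(baseline, call) for call in RUNTIME_CALLS]


if __name__ == "__main__":
    for call, findings in zip(RUNTIME_CALLS, run_demo()):
        print(call["method"], call["host"] + call["path"], findings or "OK")
```

The learning window is the weak point of any such scheme: anything observed while the baseline is being built is treated as normal, so the baseline should be learned from traffic that has already been reviewed, and the "unknown third-party endpoint" finding is the one worth routing to a human before any automatic policy acts on it.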
Learn more about how CloudVector is mitigating the risk of third-party applications — request a demo today!