What is an API schema?
The RESTful API design pattern is used by the vast majority of enterprise software projects that rely on machine-to-machine communication. The OpenAPI standard, now in its third revision (OAS3), defines a standard way to describe the functionality of a RESTful API, enabling automatic documentation, test case generation, and general “discoverability” of resource specifications and API service definitions. Colloquially, this OpenAPI definition is called the API schema.
API schemas are central to microservices mesh architecture, client-server architecture, and a host of automated tools and build system automation. They are also quite useful for adding another layer of security to your APIs.
API schemas give you the ability to define the expected use of API endpoints and then allow you to compare that definition to how they actually run. With this information, you can find the places where expectations and reality don’t match and make informed decisions about how to respond.
API Schemas and the API Discovery Problem
Every development team operates a little differently, and they all sit somewhere on a spectrum of maturity. Some projects generate API schemas automatically. Some don’t. And, what is worse, some have only partial schemas.
This patchy documentation of endpoint behavior exacerbates a common problem, one we often hear about from our customers: security teams don’t have visibility into production API endpoints.
Large companies have multiple API gateways, multiple hosting providers, multiple technology stacks, and multiple development teams. API endpoints are peppered in this heterogeneous environment, and it can feel like development teams are exposing a new attack surface with every software release.
Operational security teams simply don’t know how many API endpoints they have, and they certainly don’t have complete schematic definitions of how those endpoints should interact with clients.
Best practices for using API schemas to secure APIs
We’ve broken down a few steps to try to help make sense of this issue and how to resolve it to protect your API endpoints.
Step One: API Discovery
A good first step is to have some kind of API discovery tool, so you can get a good idea of:
- How many API endpoints you have
- How the APIs are used
- Which methods, calls, and data components are exposed
- Who (which clients) is making those calls
Whether you have a schema or not, API discovery is a great first step in understanding your overall exposure.
Step Two: Compare API Discovery to API Schema
A good second step, once you have a list of exposed endpoints based on actual traffic, is to connect that view of the world with the schematic view created by your build systems. In practice, that list of exposed endpoints is the starting point for a scavenger hunt: tracking down schemas, understanding intended behavior, and comparing and contrasting it with actual traffic.
This means that your API discovery tool must have the ability to ingest an OAS3 schema file.
But, there is a catch! We often hear from customers that their application teams are not on top of their schema game; they don’t have schema files, or what they do have is incomplete or out of date. In this case, it is important to break down the observed traffic into methods and parameters and view it as what I call a “pseudo-schema”. This allows both developers and security administrators to understand what APIs you have, what risk they expose, and which methods and data components they should support.
Step Three: Address non-compliant API traffic
Once you have a pseudo-schema, you have a solid foundation for analysis. You can see if your customer’s traffic passes the “trace test” and then you can make informed decisions about whether or not to block risky or suspicious (or outright malicious) traffic.
This last step allows you to make accurate security decisions against imprecise API definitions and prevents a host of API attacks, such as those associated with BOLA, broken authentication, and excessive data exposure.
This means that your API discovery tool must also be able to block traffic in real time.
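The three steps above, worked through end to end as an added example (this is illustrative code written for this page, not ThreatX's product or its API): it parses a few constructed access-log lines into methods, paths, query parameters and clients (step one), builds a pseudo-schema from that traffic alone, then compares each observed request against a small constructed OAS3 fragment and classifies it as compliant, undeclared method, undeclared parameters, or unknown endpoint (steps two and three). The schema, log format, path templates and client names are all assumptions made for the example; the numeric-segment normalization is a deliberately simple stand-in for the clustering a real discovery tool would do.

```python
"""Added example: reconcile observed API traffic with an OAS3 schema and
derive a pseudo-schema from traffic. Everything below is constructed for
illustration; it is not ThreatX code and not a real product schema."""
import re
from collections import defaultdict

# Constructed OAS3 fragment: path template -> HTTP method -> declared parameters.
OAS3_SCHEMA = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path"},
                                   {"name": "fields", "in": "query"}]},
            "delete": {"parameters": [{"name": "id", "in": "path"}]},
        },
        "/orders": {
            "get": {"parameters": [{"name": "page", "in": "query"}]},
            "post": {"parameters": []},
        },
    },
}

# Constructed access-log lines (hypothetical format): METHOD path[?query] client=NAME
OBSERVED_TRAFFIC = """\
GET /users/42?fields=email client=web-frontend
GET /users/42?fields=email&admin=true client=unknown-script
DELETE /users/42 client=web-frontend
PUT /users/42 client=unknown-script
GET /orders?page=2 client=mobile-app
GET /internal/debug client=unknown-script
"""

LOG_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<path>\S+?)(?:\?(?P<query>\S*))? client=(?P<client>\S+)$")


def parse_log(text):
    """Yield (method, path, query_param_names, client) for each parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not guessed at
        query = m.group("query") or ""
        params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
        yield m.group("method"), m.group("path"), params, m.group("client")


def normalize_path(path):
    """Step one: collapse purely numeric segments so /users/42 and /users/7 cluster."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def build_pseudo_schema(text):
    """Pseudo-schema from traffic alone: path -> method -> {params, clients}."""
    pseudo = defaultdict(lambda: defaultdict(lambda: {"params": set(), "clients": set()}))
    for method, path, params, client in parse_log(text):
        entry = pseudo[normalize_path(path)][method]
        entry["params"] |= params
        entry["clients"].add(client)
    return {p: dict(ms) for p, ms in pseudo.items()}


def template_to_regex(template):
    """Turn an OAS3 path template such as /users/{id} into an anchored regex."""
    parts = ["[^/]+" if re.fullmatch(r"\{[^}]+\}", seg) else re.escape(seg)
             for seg in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def match_schema(schema, method, path):
    """Return (template, declared_query_params); declared is None when the path is
    known but the method is not, and template is None when the path is unknown."""
    for template, ops in schema["paths"].items():
        if template_to_regex(template).match(path):
            op = ops.get(method.lower())
            if op is None:
                return template, None
            return template, {p["name"] for p in op.get("parameters", []) if p["in"] == "query"}
    return None, None


def classify(schema, method, path, params):
    """Step two/three: label one request against the schema."""
    template, declared = match_schema(schema, method, path)
    if template is None:
        return "unknown-endpoint"
    if declared is None:
        return "undeclared-method"
    extra = params - declared
    if extra:
        return "undeclared-parameters:" + ",".join(sorted(extra))
    return "compliant"


def audit(schema, text):
    """Classify every observed request; anything not 'compliant' is a candidate
    for alerting or blocking under a policy the security team chooses."""
    return [(method, path, client, classify(schema, method, path, params))
            for method, path, params, client in parse_log(text)]


if __name__ == "__main__":
    for path, methods in build_pseudo_schema(OBSERVED_TRAFFIC).items():
        print(path, {m: sorted(e["params"]) for m, e in methods.items()})
    for row in audit(OAS3_SCHEMA, OBSERVED_TRAFFIC):
        print(*row)
```

The pseudo-schema is what you fall back on when the application team has no OAS3 file at all: it still tells you which paths, methods and parameters are live and which clients drive them. When a schema does exist, the audit output is the "trace test" from step three, and a blocking decision can be keyed on the classification (for example, treat `unknown-endpoint` and `undeclared-method` differently from a single extra query parameter) rather than on a hard-coded list of bad requests.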
For more information
For more information about best practices for API discovery and protection, see A security professional’s guide to API protection.
The post How to use the API schema to improve API protection appeared first on ThreatX.
*** This is a syndicated Security Bloggers Network blog from Web Application and API Protection Blog written by Tom Hickman. Read the original post at: https://www.threatx.com/blog/how-to-use-api-schema-to-improve-api-protection/