Getting Started With API Discovery: A Comprehensive Guide From CDN to Application-Level Insights
Building on an insightful dialogue at The European Identity and Cloud Conference, I had the privilege of sharing the stage with industry experts Ingo Schubert (RSA), Ward Duchamps (Thales Digital Identity and Security), and Mark Haine (OpenID Foundation). With stimulating questions from Martin Kuppinger and Mike Schwartz, we dug deep into contemporary topics. Continuing from our previous panel-related post, this post presents the next chapter of our in-depth conversation.
API discovery is a fundamental part of the API security journey, yet it often gets overlooked. As businesses become more reliant on APIs for their core functions, ensuring a robust and secure API ecosystem is no longer optional; it is a necessity. This guide walks you through the initial steps of API discovery, from auditing and whitelisting APIs in the Content Delivery Network (CDN) to application-level authentication analysis.
CDN — The Starting Point
The journey of API discovery begins at the CDN level. As Mark Haine, Distinguished Engineer at OpenID Foundation, highlighted in a recent panel discussion, “It’s crucial to start with an API inventory at the CDN level.” This process involves auditing your CDN for all existing APIs and establishing a whitelist. It’s a foundational step in achieving visibility and control over your API ecosystem.
“APIs are now the primary interface for software. It’s as if we’ve taken all the internal methods of our classes and made them public,” said Ingo Schubert, a Global Cloud Identity Architect at RSA. This increased exposure necessitates careful API management, starting with discovery and monitoring at the CDN level.
Authentication Assessment
Once you’ve established your API inventory and scrutinized it at the CDN level, the next step is a closer look at the authentication level of each application. Mayur Upadhyaya, CEO at Contxt, emphasized the importance of this step: “We give API developers the keys to the kingdom. And one of the challenges you have in an enterprise is there is a clear owner for identity, a clear owner for security, but who in the enterprise owns APIs?”
By conducting an in-depth assessment of your API authentication, you can ensure you’re not only monitoring your APIs but also managing their security effectively. As Mike Schwartz, Founder of Gluu, warned, “Even if you’re certified and we certified more than anyone, you’ll still find that it doesn’t give you a level of assurance about security.”
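As an added illustration of the two steps above (the CDN-level inventory and whitelist, then the authentication check per endpoint), here is a small Python script that is not part of the original post or any vendor's product. It reads constructed CDN access-log lines, collapses them into an endpoint inventory, diffs that against an assumed allowlist, and flags endpoints that served requests carrying no credential; the log format, paths and allowlist are all assumptions made up for the example.

```python
"""Added example: CDN-log API inventory, allowlist diff and auth check.
Log format, paths and allowlist are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample of CDN access-log lines (not real traffic).
# Assumed format: METHOD PATH STATUS AUTH, where AUTH is "-" when the
# request carried no Authorization header.
CDN_LOG = """\
GET /api/v1/users/123 200 Bearer
GET /api/v1/users/456 200 -
POST /api/v1/orders 201 Bearer
GET /api/v2/reports 200 -
GET /internal/debug/dump 200 -
GET /static/app.js 200 -
"""

# Assumed allowlist: the API inventory the team has signed off on.
ALLOWLIST = {"GET /api/v1/users/{id}", "POST /api/v1/orders"}

ID_RE = re.compile(r"/\d+")

def normalize(method, path):
    """Collapse numeric path segments so /users/123 and /users/456
    map to one endpoint template, /users/{id}."""
    return f"{method} {ID_RE.sub('/{id}', path)}"

def inventory(log_text):
    """Return {endpoint: {"hits": n, "unauth": m}} for API-looking paths.
    Paths outside /api/ and /internal/ (static assets) are skipped."""
    seen = defaultdict(lambda: {"hits": 0, "unauth": 0})
    for line in log_text.splitlines():
        method, path, _status, auth = line.split()
        if not (path.startswith("/api/") or path.startswith("/internal/")):
            continue
        ep = normalize(method, path)
        seen[ep]["hits"] += 1
        if auth == "-":
            seen[ep]["unauth"] += 1
    return dict(seen)

def audit(log_text, allowlist):
    """Split the inventory into unknown (shadow) endpoints not on the
    allowlist and endpoints that answered requests with no credential."""
    inv = inventory(log_text)
    unknown = sorted(ep for ep in inv if ep not in allowlist)
    unauth = sorted(ep for ep, s in inv.items() if s["unauth"])
    return {"inventory": inv, "unknown": unknown, "unauthenticated": unauth}

if __name__ == "__main__":
    print(audit(CDN_LOG, ALLOWLIST))
```

Unknown endpoints are candidates for the allowlist review described above, and the unauthenticated list is the starting point for the per-application authentication assessment.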
This journey from CDN to application-level insights is key to unlocking the full potential of your APIs and ensuring their security. As you traverse this path, remember these wise words from Ingo Schubert: “Just because you’re using a standard doesn’t mean it’s secure and vice versa. It makes things easy in some sense for the developers, but it doesn’t mean it’s a secure system out of the door.”
Remember, your journey doesn’t end at discovery, but it’s a great place to start.
Originally published at bycontxt.com on May 25, 2023.