What do you know about your APIs? Why are the vulnerable v2 and v3 still exposed if they are deprecated for almost a year? What else is exposed and you don’t even know? Are Swagger specs up to date? (Teaser: Surely not). A lot of questions, right? Meet Wallarm’s latest feature for API Discovery and Observability to better understand and protect your APIs in cloud-native environments.
What is Wallarm API Discovery?
Wallarm API Discovery identifies all APIs including shadow and zombie APIs and gives you up-to-date specs — based on the actual API usage.
When the API Discovery feature is on, Wallarm Nodes not only inspect traffic to identify API-specific attacks but also reconstruct API specs and behavior based on the traffic.
So how where exactly can API Discovery help? There are two major ways:
- Firstly, API inventory. The larger the company, the fewer the people that actually know what you have exposed. Different endpoints are owned by different teams. Add here multiple versions of APIs — some that are already deprecated and some still maintained — and this very soon becomes a total mess. You can easily have some outdated (and vulnerable) version of the API method exposed — and nobody will even know! It’s called a Shadow API. The only way to get full visibility is to see what APIs are actually used and how they are used, based on the traffic.
- Secondly, up-to-date API specs. We bet you wouldn’t be surprised that specs are very often behind. It’s a life after all and docs are rarely properly updated. But you would be amazed by how significant the difference between docs and reality can be. For some APIs, you can have no Swagger at all. Or, you can have docs that clearly say that /checkout method has five parameters. Meanwhile, real traffic can show that there are plenty of requests that actually have six parameters, with one of them optional. Think of it as Swagger / OpenAPI specs generated based on the traffic.
See Wallarm API Discovery in action
This is our Demo environment that we usually show during demo calls. We have an instance of the Splunk applications. Traffic is inspected with Wallarm Nodes that are deployed in AWS. All the traffic stays in the demo (customer’s) environment and is never exposed to the Wallarm Cloud.
We usually demonstrate different kinds of API threats against the Splunk application in real-time. Now with the Wallarm API Discovery on, everybody can explore API profiles that are created based on the traffic.
In Wallarm Console, we open Menu -> Profile & Rules and can now inspect the whole structure of the Splunk application and APIs presented as an interactive tree. You can explore a tree of all GET and POST methods:
API Discovery calculates statistics for every API parameter, decides whether it’s a required parameter for this request or not, and adds this information into the API profile. Click on any of the methods to get more details including required and optional parameters:
Endpoints in the profile contain information about input parameters GET, POST, HEADER.
The algorithm used in the API Discovery feature allows to make hypotheses about the structure of the application and test them on real traffic. The resulting specs’ accuracy depends on the diversity of traffic. The more intensive and varied the traffic, the faster and more accurately the API profile will be built.
When API updates happen and there is a change in the traffic patterns, Wallarm updates API specifications automatically. How do those changes correlate with the developers’ specs? We’ll soon provide a solution to compare Swagger/OAS and API Specifications and find any inconsistencies.
Ready to see your APIs?
With API Discovery, DevSecOps and other stakeholders always have an up-to-date APIs map and specs updated in real-time. Join our early access program and we’ll enable API Discovery for your existing account or will create a trial account.
Want your personal API Discovery demo? Schedule it right now: