
API Security is Now Available on Panoptica!

Meenakshi Kaushik
Monday, Feb 27th, 2023

Panoptica is a user-friendly Cloud-Native Application Security Platform that reduces tool sprawl and offers an integrated suite of tools to identify, assess, prioritize, and remediate security vulnerabilities. Panoptica supports DevSecOps, Platform, and Compliance teams in securing and protecting their cloud native applications throughout the CI/CD pipeline and in production environments. Panoptica makes it easy to secure containers and serverless functions, improve Kubernetes security posture, and manage software bills of materials and supply chain security.

With the addition of API Security capabilities, Panoptica enables customers to safeguard both their applications and the APIs that transmit data into them.

Unlike standalone API Security products that focus on APIs alone, Panoptica adds another layer of protection by integrating workload security with API vulnerability detection. API Security is now available as a feature in Panoptica.

API Security

Let’s take a look at what API Security enables in a bit more detail.


Pre-Production Vulnerability Scanning and Fuzz Testing

In pre-production, Panoptica helps DevSecOps teams discover vulnerable APIs through API scanning and fuzz testing, ensuring that only secure APIs are deployed to production. During the Continuous Integration (CI) phase, customers can perform OpenAPI specification scans, evaluate OpenAPI definition files, and report on security best practices. Panoptica's OpenAPI security scan has three stages: verifying API validity and structure, assessing security definitions such as authentication and authorization methods, and reviewing API data definition schemas and parameters. During the staging phase, customers can configure Panoptica to perform API fuzz testing, a critical approach to improving the efficiency of their testing efforts. API security fuzz testing simulates attacker behavior and can identify and help resolve security weaknesses without the need for production deployments.
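To make the three scan stages concrete, here is a small OpenAPI 3 linter written as an added example for this post; it is not Panoptica's scanner, and the sample specification, the finding categories and the specific checks are constructed assumptions. Stage 1 checks that the document is structurally usable, stage 2 looks at security scheme definitions and per-operation security requirements, and stage 3 flags parameters and request bodies that have no schema (and therefore cannot be validated or fuzzed precisely).

```python
"""Minimal three-stage OpenAPI security check (added example, not Panoptica's scanner):
structure, security definitions, data definitions."""

# Constructed sample OpenAPI 3 document with a few deliberate weaknesses.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "orders", "version": "1.0"},
    "components": {"securitySchemes": {
        "basicAuth": {"type": "http", "scheme": "basic"},
        "oauth": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://auth.example/token",
            "scopes": {"orders:read": "read orders"}}}},
    }},
    "paths": {
        "/orders/{id}": {
            "get": {
                "security": [{"oauth": ["orders:read"]}],
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "integer"}}],
                "responses": {"200": {"description": "ok"}},
            },
            # No 'security' key and no global default: callable without credentials.
            "delete": {
                "parameters": [{"name": "id", "in": "path", "required": True}],
                "responses": {"204": {"description": "deleted"}},
            },
        },
        "/admin/export": {"post": {
            "security": [{"basicAuth": []}],
            "requestBody": {"content": {"application/json": {}}},
            "responses": {"200": {"description": "ok"}},
        }},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def iter_operations(spec):
    """Yield (path, method, operation) for every operation in the spec."""
    for path, item in (spec.get("paths") or {}).items():
        if isinstance(item, dict):
            for method, op in item.items():
                if method in HTTP_METHODS and isinstance(op, dict):
                    yield path, method, op


def check_structure(spec):
    """Stage 1: is this a usable OpenAPI 3 document at all?"""
    findings = []
    version = spec.get("openapi")
    if not isinstance(version, str) or not version.startswith("3."):
        findings.append(("structure", "/", "missing or unsupported 'openapi' version"))
    if not spec.get("info", {}).get("title"):
        findings.append(("structure", "/info", "missing API title"))
    if not isinstance(spec.get("paths"), dict) or not spec["paths"]:
        findings.append(("structure", "/paths", "no paths defined"))
    return findings


def check_security(spec):
    """Stage 2: weak or missing authentication/authorization definitions."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        where = f"#/components/securitySchemes/{name}"
        if scheme.get("type") == "http" and scheme.get("scheme", "").lower() == "basic":
            findings.append(("security", where, "HTTP Basic scheme; static credentials on every request"))
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            findings.append(("security", where, "API key in query string; ends up in proxy and server logs"))
    global_sec = spec.get("security")
    for path, method, op in iter_operations(spec):
        where = f"{method.upper()} {path}"
        sec = op.get("security", global_sec)
        # None, [] and [{}] all mean the operation can be called without credentials.
        if not sec or any(req == {} for req in sec):
            findings.append(("security", where, "no security requirement; unauthenticated access"))
            continue
        for req in sec:
            for scheme_name in req:
                if scheme_name not in schemes:
                    findings.append(("security", where, f"references undefined scheme '{scheme_name}'"))
    return findings


def check_data_definitions(spec):
    """Stage 3: parameters and bodies without a schema cannot be validated or fuzzed precisely."""
    findings = []
    for path, method, op in iter_operations(spec):
        where = f"{method.upper()} {path}"
        for param in op.get("parameters", []):
            if "schema" not in param and "content" not in param:
                findings.append(("data", where, f"parameter '{param.get('name')}' has no schema"))
        for mtype, media in op.get("requestBody", {}).get("content", {}).items():
            if "schema" not in media:
                findings.append(("data", where, f"request body '{mtype}' has no schema"))
    return findings


def scan(spec):
    """Run all three stages and return (stage, location, message) tuples."""
    return check_structure(spec) + check_security(spec) + check_data_definitions(spec)


if __name__ == "__main__":
    for stage, where, msg in scan(SAMPLE_SPEC):
        print(f"[{stage}] {where}: {msg}")
```

On the constructed spec the scan reports four findings: the Basic-auth scheme, the unauthenticated `DELETE /orders/{id}`, its untyped `id` parameter, and the schemaless export request body. A real spec would normally be loaded from YAML or JSON and have `$ref` entries resolved first; that resolution is deliberately left out here.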

[Figure: Vulnerability Scanning and Fuzz Testing]

Discover and Catalog all APIs to Identify Blind Spots, Risk Exposures and Sensitive Data

Security, DevOps, and Compliance teams can use Panoptica's API Security to continuously catalog API posture for three broad use cases: first, identify blind spots by cataloging internal, third-party, shadow, zombie, and deprecated APIs; second, classify the risk exposure of all APIs; and third, identify sensitive data exposure in APIs.

Panoptica API Security helps DevSecOps tackle API proliferation and blind spots by cataloging internal and external/business partner APIs and detecting discrepancies between OpenAPI specs (or reconstructed specs) and actual traffic flow that may expose shadow, zombie, or rogue APIs. Panoptica's probes can catalog APIs from anywhere, such as service meshes, gateways, and load balancers, in self-managed, cloud, or SaaS environments. The API catalog helps customers gain visibility into their API landscape and understand the relationships between different APIs, improving API security and governance.
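The spec-versus-traffic comparison described above, as an added example that is not Panoptica's probe logic: a few path templates with methods (and OpenAPI's `deprecated` flag) stand in for the spec, and a list of (method, path) pairs stands in for what a gateway access log would yield. Traffic that matches no documented operation is reported as shadow, a deprecated operation that is still answering is reported as zombie, and documented operations with no traffic are listed as unused. The spec fragment and the observed requests are constructed.

```python
"""Spec-versus-traffic comparison (added example, not Panoptica's code):
shadow endpoints, zombie operations and unused operations."""
import re
from collections import Counter

# Constructed spec fragment: path templates, their methods and 'deprecated' flags.
SPEC_PATHS = {
    "/v2/users/{id}": {"get": {}, "delete": {}},
    "/v1/users/{id}": {"get": {"deprecated": True}},
    "/v2/orders": {"post": {}},
}

# Constructed (method, path) pairs as reconstructed from gateway access logs.
OBSERVED = [
    ("GET", "/v2/users/17"),
    ("GET", "/v2/users/18"),
    ("GET", "/v1/users/17"),            # deprecated version still answering
    ("POST", "/v2/orders"),
    ("GET", "/internal/debug/config"),  # documented nowhere
    ("GET", "/internal/debug/config"),
]


def template_to_regex(path_template):
    """Turn '/users/{id}' into a regex matching exactly one concrete segment per parameter."""
    parts = [r"[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in path_template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")


def match_operation(method, path, spec_paths):
    """Return (template, method) of the first spec operation matching a request, or None."""
    for template, ops in spec_paths.items():
        if method.lower() in ops and template_to_regex(template).match(path):
            return template, method.lower()
    return None


def compare(spec_paths, observed):
    """Classify observed traffic against the spec; counts are request counts."""
    hits, shadow = Counter(), Counter()
    for method, path in observed:
        op = match_operation(method, path, spec_paths)
        if op is None:
            shadow[(method, path)] += 1      # traffic with no documented operation
        else:
            hits[op] += 1
    zombie = {op: n for op, n in hits.items() if spec_paths[op[0]][op[1]].get("deprecated")}
    unused = [(t, m) for t, ops in spec_paths.items() for m in ops if (t, m) not in hits]
    return {"shadow": dict(shadow), "zombie": zombie, "unused": unused}


if __name__ == "__main__":
    for kind, entries in compare(SPEC_PATHS, OBSERVED).items():
        print(kind, entries)
```

Unused operations are only a hint: an operation with zero traffic in the observation window may simply be rarely called, which is why it is reported separately from shadow and zombie findings rather than alongside them.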

Panoptica identifies API vulnerabilities through continuous API trace analysis and then computes risk scores to assist security teams in managing their risk exposure. For internal APIs, Panoptica collects runtime traces and examines API usage behavior for vulnerabilities such as weak authentication methods, including weak passwords and guessable IDs. For third-party APIs, Panoptica gathers information from reputable databases and identifies network endpoints and their SSL/TLS vulnerabilities, missing API security headers, and protocol software CVEs. Then, for each API, Panoptica computes a risk score based on the probability and impact of the vulnerabilities and classifies it as critical, high, medium, or low. The risk score helps customers understand which of their APIs are most vulnerable to abuse and require immediate attention.

Panoptica enables compliance, risk, and privacy teams to constantly monitor API traffic for sensitive data, such as personally identifiable information (PII), and determine which APIs require increased security measures to safeguard both the organization and its data against potential threats and abuse. This leads to greater efficiency in the auditing and compliance process.

[Figure: Catalog all APIs]

Automatically Detect API Abuse and Misuse

Panoptica offers real-time API protection by detecting potential exploits and anomalous behaviors, such as the authentication and authorization threats listed in the OWASP API Top 10. It accomplishes this by monitoring the communication between API endpoints and application services and flagging any deviations from the baseline. Furthermore, it reduces false positives by correlating workload security risks with API security risks.

For example, Panoptica detects broken object-level authorization with events such as the user accessing an object being different from the user who created it, and the use of guessable identifiers. It also detects broken user authentication with events such as reuse of the same username and password across different services. And it detects broken function-level authorization with events such as the API trace scope being broader than the API specification and requests arriving from suspicious sources outside the baseline. This API protection gives the security team the ability to act on any potential threat event happening at runtime.
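The following added example shows what the runtime checks in the paragraph above look like as detection logic over a handful of constructed API traces; it is not Panoptica's detection engine. The trace record layout, the scopes the specification is assumed to require per operation, and the baseline networks are all assumptions. It covers four of the events named: a creator/reader mismatch (broken object-level authorization), a walk through consecutive identifiers (guessable IDs), a successful call made with fewer scopes than the specification requires (broken function-level authorization), and a source address outside the baseline. Credential reuse across services is not modeled here.

```python
"""Runtime trace checks for OWASP API Top 10 authorization patterns
(added example, not Panoptica's detection engine)."""
import ipaddress
from collections import defaultdict

# Constructed traces: one dict per API call, already attributed to a user and a source.
TRACES = [
    {"t": 1, "user": "alice", "scopes": {"orders:read", "orders:write"}, "method": "POST",
     "op": "/orders", "obj": 1001, "status": 201, "src": "10.0.1.5"},
    {"t": 2, "user": "alice", "scopes": {"orders:read", "orders:write"}, "method": "GET",
     "op": "/orders/{id}", "obj": 1001, "status": 200, "src": "10.0.1.5"},
    # bob reads alice's order, then walks the next ids
    {"t": 3, "user": "bob", "scopes": {"orders:read"}, "method": "GET",
     "op": "/orders/{id}", "obj": 1001, "status": 200, "src": "10.0.2.9"},
    {"t": 4, "user": "bob", "scopes": {"orders:read"}, "method": "GET",
     "op": "/orders/{id}", "obj": 1002, "status": 200, "src": "10.0.2.9"},
    {"t": 5, "user": "bob", "scopes": {"orders:read"}, "method": "GET",
     "op": "/orders/{id}", "obj": 1003, "status": 200, "src": "10.0.2.9"},
    # admin-only function succeeds with a read-only token from outside the baseline
    {"t": 6, "user": "bob", "scopes": {"orders:read"}, "method": "POST",
     "op": "/admin/export", "obj": None, "status": 200, "src": "198.51.100.7"},
]

# Constructed assumptions: scopes the spec requires per operation, and baseline networks.
SPEC_SCOPES = {
    ("POST", "/orders"): {"orders:write"},
    ("GET", "/orders/{id}"): {"orders:read"},
    ("POST", "/admin/export"): {"admin"},
}
BASELINE_NETWORKS = ["10.0.1.0/24", "10.0.2.0/24"]


def detect_bola(traces):
    """Broken object-level authorization: a later reader differs from the object's creator."""
    owner, findings = {}, []
    for tr in sorted(traces, key=lambda x: x["t"]):
        if tr["method"] == "POST" and tr["obj"] is not None and tr["status"] == 201:
            owner[tr["obj"]] = tr["user"]
        elif tr["obj"] in owner and owner[tr["obj"]] != tr["user"] and tr["status"] < 400:
            findings.append((tr["t"], "BOLA",
                             f"{tr['user']} read object {tr['obj']} created by {owner[tr['obj']]}"))
    return findings


def detect_guessable_ids(traces, min_run=3):
    """Guessable identifiers: one user fetching a run of consecutive integer ids."""
    seen = defaultdict(list)
    for tr in sorted(traces, key=lambda x: x["t"]):
        if tr["method"] == "GET" and isinstance(tr["obj"], int):
            seen[tr["user"]].append((tr["t"], tr["obj"]))
    findings = []
    for user, ids in seen.items():
        run = 1
        for (_, a), (t, b) in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            if run == min_run:   # report once, when the run first reaches the threshold
                findings.append((t, "GUESSABLE_ID",
                                 f"{user} walked {min_run} consecutive ids ending at {b}"))
    return findings


def detect_bfla(traces, spec_scopes):
    """Broken function-level authorization: a call succeeds without the scopes the spec requires."""
    findings = []
    for tr in traces:
        missing = spec_scopes.get((tr["method"], tr["op"]), set()) - tr["scopes"]
        if missing and tr["status"] < 400:
            findings.append((tr["t"], "BFLA",
                             f"{tr['user']} called {tr['method']} {tr['op']} lacking {sorted(missing)}"))
    return findings


def detect_off_baseline(traces, baseline_networks):
    """Source address outside the networks observed while building the baseline."""
    nets = [ipaddress.ip_network(n) for n in baseline_networks]
    return [(tr["t"], "OFF_BASELINE_SOURCE", f"{tr['src']} is outside the baseline")
            for tr in traces if not any(ipaddress.ip_address(tr["src"]) in n for n in nets)]


def analyze(traces, spec_scopes=SPEC_SCOPES, baseline_networks=BASELINE_NETWORKS):
    """Run every detector and return (time, kind, message) findings ordered by trace time."""
    findings = (detect_bola(traces) + detect_guessable_ids(traces)
                + detect_bfla(traces, spec_scopes) + detect_off_baseline(traces, baseline_networks))
    return sorted(findings)


if __name__ == "__main__":
    for t, kind, msg in analyze(TRACES):
        print(f"t={t} {kind}: {msg}")
```

Two design points matter for false positives, the concern the post raises: each detector only fires on calls that actually succeeded (`status < 400`), so a correctly rejected request is not an alert, and the guessable-ID check requires a run of several consecutive identifiers rather than flagging any integer id. In a real deployment the owner map would be seeded from persistent data rather than only from creations seen in the trace window.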

[Figure: Detect API Abuse and Misuse]

Conclusion

In conclusion, the integration of API security in Panoptica has opened up new avenues for customers to secure their cloud native applications, APIs, and sensitive data. Panoptica's API security solution is an all-in-one tool that combines API scanning and fuzz testing, API cataloging and risk exposure assessment, and real-time API protection. It covers all phases of the API lifecycle, from pre-production to production, and helps DevSecOps, Compliance, and Risk teams address their API security challenges. Stay tuned as we will be adding exciting new capabilities in the upcoming months, continuously expanding the Panoptica functionality with weekly production pushes! Finally, give it a try with a demo or free trial.