An Open-Source Antidote for a Growing Problem: API Security

By: Brianna Blacet

Nov 29, 2022

In an effort to support continuous development and release of new features at the lightning speed of today’s market, forward-looking organizations have been moving to cloud-native architectures in droves. The reasons are obvious: these decentralized applications were built for agility and availability. In contrast to the “olden days” of monolithic architectures, microservices allow development teams to patch, upgrade, and replace components of their applications without the massive releases (and rollbacks) that used to be “business as usual” before Docker, Kubernetes, and similar technologies emerged.

New tech, new problems

Yes—cloud-native technology is great, but it’s not all sunshine and roses. In fact, one insidious problem has slowly been building as more and more enterprises adopt microservices: API sprawl.

What’s so bad about the proliferation of APIs? A lot.

  • It’s a management nightmare. It’s hard to keep track of all that code, enforce compliance guidelines, and manage the communication between microservices.
  • In the interest of speed, organizations often end up with APIs that are implemented inconsistently and with little or no documentation. (Besides describing expected behavior, API documentation gives new developers a way to learn how the application communicates with its APIs, and gives security teams a baseline to compare live traffic against.)
  • With third-party APIs, there’s the problem of ensuring visibility into the supply chain.
  • The proliferation of APIs also expands the attack surface: every undocumented or forgotten endpoint is one more entry point that nobody is monitoring, which makes breaches harder to prevent and harder to detect.

To scale our efforts, we need tools that will not only give us visibility with less effort, but will also help us monitor API usage, sync with OpenAPI spec docs, and ensure API security.

We’ve got a tool for that!

The open-source tool, APIClarity, was created as an antidote for these issues. It gives you insights into your running applications and the APIs they are communicating with, and it reconciles the API usage it observes with your existing OpenAPI specs. That comparison is what surfaces shadow APIs (endpoints receiving traffic that appear in no spec), zombie APIs (endpoints marked deprecated that are still being served), and other undocumented behavior, and APIClarity alerts you when it finds them. Each of these is a blind spot rather than a vulnerability in itself, but an endpoint that nobody knows about is an endpoint that nobody is patching, reviewing, or watching.

APIClarity can also detect drift in API usage: known APIs behaving abnormally, or request and response data that does not match the API spec (undeclared parameters, unexpected status codes, changed payload shapes). Drift is usually a sign that the API code has changed without the spec, and therefore without the security assessment, being updated to match the new behavior. Unreviewed input handling of that kind is where malformed requests turn into exploitable bugs.

Don’t have an OpenAPI spec available? That’s okay. APIClarity can watch traffic flows over a certain period and reconstruct the OpenAPI spec for you. This helps you upgrade your API services to utilize OpenAPI spec docs, so you can provide better-documented APIs for your developers and customers. APIClarity also helps monitor API usage and utilization by using service-mesh technologies, like Istio, to capture API endpoint traffic without modifying existing APIs.
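To make the spec comparison and spec reconstruction concrete, here is an added example of both checks in plain Python. It is illustrative code written for this article, not APIClarity's own implementation: the OpenAPI fragment, the service paths and the traffic events are all constructed for the example, and a real deployment would feed events from a capture layer such as an Istio sidecar rather than from a hard-coded list. The first function flags shadow, zombie and drifted endpoints against a spec; the second builds a minimal OpenAPI `paths` object from traffic alone, which is the "no spec available" case above.

```python
"""Compare observed API traffic with an OpenAPI spec, or rebuild one from traffic.

Illustrative example for this article, not APIClarity code. SPEC and EVENTS
are constructed inputs standing in for a real spec and a real capture.
"""
import json
import re
from collections import defaultdict

# Constructed OpenAPI fragment for a hypothetical service.
SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [{"name": "id", "in": "path"}],
                "responses": {"200": {}, "404": {}},
            }
        },
        "/orders": {
            "post": {
                "parameters": [{"name": "dry_run", "in": "query"}],
                "responses": {"201": {}, "400": {}},
            }
        },
        # Deprecated in the spec; any traffic here makes it a zombie API.
        "/v1/legacy/export": {"get": {"deprecated": True, "responses": {"200": {}}}},
    }
}

# Constructed traffic events, in the shape a capture layer might emit.
EVENTS = [
    {"method": "GET", "path": "/users/42", "query": {}, "status": 200},
    {"method": "GET", "path": "/users/7", "query": {"debug": "1"}, "status": 200},
    {"method": "POST", "path": "/orders", "query": {}, "status": 500},
    {"method": "GET", "path": "/v1/legacy/export", "query": {}, "status": 200},
    {"method": "GET", "path": "/admin/dump", "query": {}, "status": 200},
    {"method": "DELETE", "path": "/users/42", "query": {}, "status": 204},
]


def _template_to_regex(template):
    """Turn an OpenAPI path template such as /users/{id} into an anchored regex."""
    literal_parts = re.split(r"\{[^/]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def match_spec_path(spec, method, path):
    """Return (template, operation) for the spec entry serving this request, or None."""
    for template, ops in spec["paths"].items():
        if _template_to_regex(template).match(path):
            op = ops.get(method.lower())
            if op is not None:
                return template, op
    return None


def classify_events(spec, events):
    """Bucket observed events into shadow, zombie and drift findings."""
    findings = {"shadow": [], "zombie": [], "drift": []}
    for ev in events:
        key = f"{ev['method']} {ev['path']}"
        hit = match_spec_path(spec, ev["method"], ev["path"])
        if hit is None:
            findings["shadow"].append(key)  # traffic with no spec entry at all
            continue
        _, op = hit
        if op.get("deprecated"):
            findings["zombie"].append(key)  # deprecated in the spec, still served
        declared_query = {p["name"] for p in op.get("parameters", []) if p["in"] == "query"}
        for name in ev["query"]:
            if name not in declared_query:
                findings["drift"].append(f"{key}: undeclared query param '{name}'")
        if str(ev["status"]) not in op.get("responses", {}):
            findings["drift"].append(f"{key}: undocumented status {ev['status']}")
    return findings


def reconstruct_spec(events):
    """Build a minimal OpenAPI 'paths' object from traffic alone.

    Numeric path segments are generalised to {id}; query parameters and status
    codes seen in traffic become the documented ones. A real tool learns over a
    longer window and infers parameter types too; this shows only the skeleton.
    """
    paths = defaultdict(lambda: defaultdict(lambda: {"parameters": [], "responses": {}}))
    for ev in events:
        template = re.sub(r"/\d+(?=/|$)", "/{id}", ev["path"])
        op = paths[template][ev["method"].lower()]
        seen = {p["name"] for p in op["parameters"]}
        if "{id}" in template and "id" not in seen:
            op["parameters"].append({"name": "id", "in": "path", "required": True})
        for name in ev["query"]:
            if name not in seen:
                op["parameters"].append({"name": name, "in": "query"})
                seen.add(name)
        op["responses"][str(ev["status"])] = {"description": "observed in traffic"}
    return {"openapi": "3.0.3", "paths": {p: dict(ops) for p, ops in paths.items()}}


if __name__ == "__main__":
    print(json.dumps(classify_events(SPEC, EVENTS), indent=2))
    print(json.dumps(reconstruct_spec(EVENTS), indent=2))
```

Running it reports `/admin/dump` and `DELETE /users/42` as shadow endpoints (no spec entry for that path or method), the legacy export as a zombie, and two drift findings: an undeclared `debug` query parameter and an undocumented 500 from `/orders`. The reconstructed spec is a starting point to review and hand-edit, which mirrors the review-then-approve step in the workflow described above.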

APIClarity has a web UI that gives you a view of your API activity. You can filter and manage this view to get insights into the API and non-API events between monitored applications, and visualize trends with graphs. Each event also feeds an automatically maintained API inventory that discovers APIs and indexes the API paths for those services. As APIClarity “learns” by monitoring your traffic, the API specs it produces become more accurate. You can review the automatic suggestions, customize the specs for your environment, approve them, and immediately view them in Swagger UI.

Ready to improve your API Security?

Check out the APIClarity docs, and visit the GitHub repo. There’s also a Cisco DevNet repo you can use to build a private Kubernetes cluster using K3s and GitLab from scratch and then work through its steps to deploy a sample app with GitLab CI/CD.

Of course, API security is just one of a number of cloud-native application security challenges out there. That’s why we created the open-source suite of tools—OpenClarity. In addition to APIClarity, it includes FunctionClarity (for securing serverless functions) and KubeClarity (for SBOMs, Kubernetes and containers).

If you like the sound of all this and are interested in having this functionality in your production environment, we’ve built it into our cloud-native application security product, Panoptica. Panoptica also scans your serverless functions, Kubernetes environment, and containers, and generates software bills of materials (SBOMs). You can use it free (forever!) for 15 nodes and one cluster—no credit card required. Sign up and get started in minutes with our Quick Start Guide.