Showing posts from April, 2020

API Detection and Assessment: What they don't tell you in class...

APIs (Application Programming Interfaces) are backend services which expose an interface that can be used to connect to a backend system and transact with it, or read and write information to and from it. They are super useful and a great architecture decision, delivering flexibility and extensibility of a service. APIs deliver functionality once the client service knows how to “talk” to the API. APIs generally sit behind an HTTP port and can’t be “seen” the way a website can, but they may deliver an equal level of value and functionality to the requesting client. Many websites use an API, but the user does not invoke the API directly; rather, the website or app acts as a proxy for the API. APIs are not built to be human readable like a website, but rather machine readable.

There are two challenges relating to API security assessment:

1. API Discovery: Do we have an inventory of all APIs deployed on the public Internet? You may have APIs hosted on systems behind HTTP ports but ar