Building a modern API security strategy — API inventory

Part one of the five-part series, Building a modern API security strategy.

You can't secure what you don't know. That’s why you need an inventory process. 

Most organizations are only aware of a fraction of their APIs. Typically, they grossly underestimate the actual number. Many try to catalog their APIs and even add details and descriptions, but it’s impossible to tally a moving target. Often, APIs are added or changed on a weekly basis, meaning that passive tools or scanners can’t paint an accurate portrait of what’s happening throughout the software development lifecycle (SDLC), from design to production. What results is a pockmarked inventory that only captures a portion of APIs in use. 

While it’s important to be able to inventory everything, API security doesn’t start and end there. There’s a lot of noise in the market that focuses mainly on inventorying everything, but while generating an inventory is useful, it doesn’t by itself make anything more secure. Existing approaches to inventory also don’t work very well.

Traditional API security has involved techniques that suffer from these problems:

  • Passive — It’s difficult to set up and impossible to get it in enough places 
  • Static — It’s difficult to map source code repos to actual production APIs
  • Dynamic — It’s hard to attack APIs and detect vulnerabilities from the response
  • One-time discovery process/static documentation — Can’t keep up with the fluid nature of quickly added and modified/updated APIs

Organizations should establish an infrastructure that allows them to continuously discover APIs and then track them over time in order to maintain an up-to-date API inventory — one that prioritizes or risk-ranks the API portfolio so that they can focus their efforts on the biggest API security risks.

Contrast focuses on runtime inventory 

The modern approach to API security is to get very close to the code: to instrument every layer of the stack. There are products that work at the network layer, host layer, application layer, container layer and API layer. 

Contrast tackles the issue of trying to track the moving target of API inventory by zeroing in on runtime inventory.

The Contrast platform works at the application level, automatically identifying any running APIs and apps. That means instrumentation of the entire application layer, including runtime platform, API server, API framework, open-source libraries, custom API code, virtual machines (VMs) and containers. This enables you to automatically maintain a complete inventory of all APIs and exactly what their attack surface looks like. 

Five parts of API security

Stay tuned: Next week, we’ll be looking at API security testing and how modern API security embeds security into development for better visibility and accuracy than legacy scanning tools. 

For a guide to all five parts of Contrast’s series on forging a modern API security strategy, check out this overview

Also, be sure to check out this discussion between Jeff Williams, Co-Founder & CTO, Contrast Security, and Melinda Marks, Senior Analyst, ESG Research, where they unravel:

  • What the future of API security holds for enterprises.
  • What you need to know to secure your APIs.
  • Strategies to stay ahead of the CI/CD lifecycle game.
  • The path forward to building unified developer and security teams that can build secure APIs. 



Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.