Finding API

Started in March 2024

Sensitive data is communicated through APIs, both on the internal network and internet facing. This makes them an evident target for cybercriminals, so the security of APIs needs to be enhanced. The first step towards securing them is to find them. We have identified the lack of visibility of APIs as a major problem in large organizations. We therefore propose Finding API, a solution complementary to traffic-based API discovery, which not only finds APIs but also extracts important properties from them.

https://pcsi.nl/uploads/projects/Finding-api.png

Project proposal 

The goal of the project is to develop a platform that automatically finds APIs through code and extracts relevant characteristics for each API, such as:

  • The protocols it uses.
  • The level of exposure.
  • Encryption.
  • Transport methods.

These are examples of a more comprehensive list of characteristics that were deemed relevant for API security by our partners.
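As an added illustration of what code-based discovery could extract (example code written for this page, not the Finding API platform's own), the scanner below walks constructed Flask-style source snippets and records the characteristics listed above. The bind-address and ssl_context heuristics for exposure and encryption, and the sample sources, are assumptions of this example.

```python
import re
from dataclasses import dataclass, asdict

# Constructed sample sources standing in for files in a repository (not partner code).
SAMPLE_SOURCES = {
    "svc/public.py": 'app.run(host="0.0.0.0", port=443, ssl_context="adhoc")\n'
                     '@app.route("/v1/customers", methods=["GET", "POST"])\n',
    "svc/admin.py": 'app.run(host="127.0.0.1", port=8080)\n'
                    '@app.route("/admin/users", methods=["DELETE"])\n',
    "svc/legacy.py": 'app.run(host="0.0.0.0", port=80)\n'
                     '@app.route("/legacy/export")\n',
}

ROUTE_RE = re.compile(r'@\w+\.route\(\s*"([^"]+)"(?:.*?methods=\[([^\]]*)\])?')
HOST_RE = re.compile(r'host="([^"]+)"')

@dataclass
class ApiEndpoint:
    path: str
    source: str
    protocol: str     # inferred from the framework idiom (route decorator => HTTP)
    exposure: str     # heuristic (assumed): bind address found in the same file
    encryption: str   # heuristic (assumed): TLS context configured in the same file
    methods: list     # HTTP methods the endpoint accepts

def scan_source(name, text):
    """Extract endpoints and their characteristics from one source file's text."""
    host = HOST_RE.search(text)
    bind = host.group(1) if host else "unknown"
    exposure = {"0.0.0.0": "external", "127.0.0.1": "internal"}.get(bind, "unknown")
    encryption = "TLS" if "ssl_context" in text else "none"
    found = []
    for m in ROUTE_RE.finditer(text):
        raw = m.group(2)
        methods = [s.strip(' "\'') for s in raw.split(",")] if raw else ["GET"]
        found.append(ApiEndpoint(m.group(1), name, "HTTP", exposure, encryption, methods))
    return found

def inventory(sources):
    """Inventory every endpoint across a mapping of filename -> source text."""
    return [e for name, text in sources.items() for e in scan_source(name, text)]

def unencrypted_external(endpoints):
    """Endpoints bound to all interfaces without TLS: first candidates for review."""
    return [e.path for e in endpoints if e.exposure == "external" and e.encryption == "none"]

if __name__ == "__main__":
    for e in inventory(SAMPLE_SOURCES):
        print(asdict(e))
```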

Expected benefits of the Finding API project 

The PCSI partners will gain insight into which APIs are in use and what the characteristics of those APIs are, so they can take appropriate security measures for each API, thereby increasing their resilience level.

Further, the approach makes it possible to discover APIs before deployment, enabling faster identification of vulnerabilities.

Why do we want to work on this idea within the PCSI? 

The need for more API visibility was identified by all partners. However, their infrastructure and business logic differ. This allows us to tackle the challenge in a broad way and develop a solution that is general enough to function under different circumstances. By collaborating, the individual partners can produce an innovative solution much more effectively.

Our use case:

Insufficient insight into which APIs are in use, and no clear overview of which APIs are most sensitive. An alternative to traffic-based API detection.

Project results 

  • Successful API retrieval and property extraction on a large open-source tool.
  • Successful test of API extraction in real partner data.
  • Launch of a Beta version of the platform.

Activities in Explore phase 

Survey the state of the art in automatically locating APIs in IT infrastructure: what already exists (so as not to reinvent the wheel) and what remains unexplored:

  • Investigate existing Frameworks.
  • Research best practices.
  • Test existing tools and methods.
  • Understand the needs of the industry.
  • Propose a novel approach for API discovery.

Activities in PoC phase 

Test a novel approach at API discovery: 

  • Develop a minimum viable product for code-based API discovery, using Artificial Intelligence.
  • Combine the automatic discovery process with human expertise.
  • Test the platform on open-source APIs.

Activities in Pilot phase 

Improve the API discovery tool:

  • Further develop the AI model for API information extraction.
  • Test the tool on partner code.
  • Experiment with more powerful AI models.

Activities in Exploit phase

  • Deploy Finding API on real partner data.
  • Organize a workshop to showcase the tool to market players with a need for API discovery.

PCSI Security Radar Trend: API Security.

PCSI is a collaboration of
    ABN-AMRO Achmea Belastingdienst ING TNO