Whether you’re developing a software program or building a website, you may often find yourself, either as a front-end or back-end developer, requiring an application programming interface (API). APIs are the protocols, routines, and utilities that work behind the curtain to facilitate communication among web and mobile apps, and they’ve completely changed how we use mobile and web apps. They’re the key integration point, and you can usually find an API for almost anything such as current local weather information, Netflix content, or Google search information.
The global API management market is expected to grow from USD 1.2 billion in 2018 to USD 5.1 billion by 2023, at a compound annual growth rate 32.9 percent. The key drivers for that include increased demand for API-led connectivity and the need for public and private APIs to accelerate digital transformation. Three significant shifts in the industry have led to this amazing growth:
- Consumer shift from single-device to multi-device usage
- Architecture shift from monolithic devices to microservices
- Infrastructure shift from on-prem to cloud
Along with these shifts in the industry have come ever-increasing complexity, lack of clear visibility into API access, and challenges in terms of new and increased levels of attacks on APIs.
In this post, we will look at the Citrix’s API security offering. We will also examine the security issues that shadow APIs can pose to organizations and how API discovery can help eliminate the security risks associated with shadow APIs.
Citrix API Security
Citrix API security offers comprehensive protection for your APIs so that you can secure your organization’s valuable app and data assets. Because our API security is built on top of Citrix ADC, it delivers a level of performance and security built up over two decades.
Citrix API security front ends API services and acts as a gateway and single point to enforce security policies on the APIs. Citrix API security works in conjunction with Citrix Application Delivery Management (ADM) to provide insights into API performance and to help you make more informed decisions. The API gateway provides a single point of entry for API calls, and it helps you to configure, manage, and secure API endpoints. It can perform rate limiting, authentication and authorization, content routing, and additional tasks to ensure secure, reliable access to back-end services via your APIs.
You can use Citrix ADM to manage your API gateway, and Citrix API security uses machine learning in Citrix ADM to thwart cyberattacks like excessive data exposure (OWASP API-3) and attempted account takeovers.
Shadow APIs and API Discovery
Agile development processes help software teams to make smaller incremental changes to code at a rapid pace, and APIs enable DevOps to focus on accelerating the pace of innovation by continuously delivering new apps and APIs. However, this speed of innovation can create silos, especially in organizations in which multiple teams are involved.
When those shadow APIs are created and/or deployed outside of an organization’s documented publication process, when specifications are not conformed to, or when older versions of APIs are not end-of-lifed properly, they can introduce potential security risks that can lead to data loss, fraud, or abuse. Shadow APIs or deprecated APIs may not be subject to an organization’s normal security policies, and they may transmit sensitive information or confidential PII data with no security oversight. Auto API discovery, inventory, and assessment of your APIs eliminates security risks associated with shadow APIs.
Citrix API Discovery and Analytics
Citrix API security learns about APIs by onboarding API definitions from an OAS file. OAS (OpenAPI Specification) is a community-driven open specification within the OpenAPI Initiative, a Linux Foundation Collaborative Project. OAS defines a standard, programming language-agnostic interface description for REST APIs.
The ability to onboard APIs from an OAS file dramatically speeds up configuration of your Citrix API security functionality. What used to be a time-consuming, manual process is simplified and automated with Citrix ADM. It will accept new API definitions from an OAS file and lets you configure your API gateway policies and then deploy them to Citrix ADC in a matter of minutes, enabling you to deploy new apps securely and quickly.
Follow these steps to create an API Definition in Citrix ADM:
- Navigate to Applications → API Gateway → API Definitions.
- Click Add.
- To Create your definition using the API Specification file, click “Upload OAS Specification” to browse and upload the API specification (Swagger 2.0 or OpenAPI 3.0). This will parse and autopopulate the required information to create your API Definition.
- Alternatively, you can manually input the required API information, all resource paths, and the methods to create your API Definition manually. Select Create Your Definition and specify the following required API information to create your API definition manually:
- Name – A name for the API definition.
- API Definition – A definition must include title, version, base path, and host. You can specify a domain name or IP address in the Host.
- API Resources – Add multiple API resources to your definition. Each resource has a path and supported method.
- Click Create.
Citrix API Discovery
Citrix’s integrated API discovery offering helps to make your API security more effective and simpler to deploy and makes automating and centralizing visibility of all of your APIs easy. API discovery enables you to create an inventory of all APIs and delivers insights into API usage and security metrics.
API discovery identifies the REST/HTTP API traffic transactions as seen by the Citrix ADC (API Security/Gateway) data plane for the selected duration. All virtual servers and API deployments that have API traffic are displayed.
When you select a specific virtual server or API deployment, you’ll get an inventory view of all API endpoints and methods for which the API traffic was observed with the following information:
- Method – This displays the method used in an API endpoint (for example, the GET and POST methods).
- Total requests – This displays the count of API requests on the API endpoint.
- Response statuses – This displays the count for each response status (for example, 2xx, 3xx, 4xx, and 5xx).
- Found in Spec – This column appears only for API deployments. Sometimes, the internal APIs that aren’t part of the API definition might receive traffic from outside. This column helps you identify whether the API endpoint and observed method are part of the API definition. This column helps you identify API resources and methods that are not present in your onboarded API definition, thus it helps you discover shadow APIs or unpublished APIs. Here you should check for the presence ofsShadow APIs. Analyze the APIs to ensure that they conform to your specifications, that they are not deployed outside of your documented publication process, and that no older versions or end-of-lifed versions improperly display. If you find shadow APIs, they can be properly mitigated before they lead to data loss, fraud, and app business logic abuse.
- API deployments – This displays APIs that are deployed from Citrix ADM using an API definition. The API deployments tab discovers the API endpoints when API deployments receive API requests for the specified period. The Found in Spec column of API deployments can help you to discover Shadow APIs and mitigate them in a timely way to prevent security threats.
You can also select the required API endpoint to view its detailed analytics report. The detailed analytics report provides API endpoint performance and usage data such as response time, bandwidth consumption, geo locations from where the API endpoints were accessed, and HTTP response status of API endpoints. API analytics enables visibility into API traffic and allows IT administrators to monitor API instances and endpoints served by an API gateway.
Learn More
Effective API security requires that multiple tools work in concert. Citrix’s API security solutions can protect your most important assets from harm and help you to ensure your workforce can be productive from anywhere. To learn more about how Citrix’s API security solutions can protect your APIs, see:
- Citrix Web App and API Protection
- Citrix Web App and API Protection: Meeting future security demands today
- Machine learning and anomaly detection for app and API security
