API Inventory
Get a full API inventory to ensure you have visibility into your API security posture.
What is an API Inventory?
An API inventory is a foundational component of API security because it identifies and catalogs APIs together with their endpoints, functionality, and data structures. This information helps security teams understand their API attack surface.
"Full inventory means knowing what applications the APIs map to, what data the APIs return and how sensitive it is, and which developers own the APIs" (Forrester).
OWASP lists "API9:2023 - Improper Inventory Management" at number 9 in its OWASP Top 10 API Security Risks – 2023 and explains that:
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions is also important to mitigate issues such as deprecated API versions and exposed debug endpoints.
Problem to solve
You can't protect what you can't see. Many security organizations do not have full visibility into APIs their developers deploy. If they don't know the API exists, that API is not undergoing security testing.
Additionally, API inventories are increasingly becoming a part of financial services compliance regulations such as FFIEC and NYDFS.
How widespread is this problem?
Shadow APIs — those that are unmanaged or unknown — remain a top concern.
According to the analyst firm 451:
Many view inventory as a necessary step in all API security approaches, and thus table stakes – a minimum requirement for a product to even be considered. Only 51% of respondents have full confidence in their API inventories; 26% reported that their inventory update processes are manual.
GigaOm explains that today, most customers are:
still looking for API inventory and discovery products that would give their IT departments an idea of what is on their networks so they can take the next step and start protecting those assets.
According to the Postman 2022 State of the API Report:
97% of respondents did not rate APIs they work with as “very well documented”
By 2025, less than 50% of enterprise APIs will be managed.
Proposal
Provide a UI-visible inventory list of all APIs in an organization. The API Inventory list should be more similar to the Dependency list than to the Vulnerability Report, and it can be filtered, searched, and sorted. The Inventory also maps each API endpoint to an associated GitLab project so that security admins can more easily understand which GitLab projects carry greater API security risk.
An API Inventory requires UX design and frontend work to build a new page, as well as backend work to identify APIs that are not documented.
Scope
Must Have
- API Inventory includes all APIs identified by API Discovery (scanning GitLab projects to identify all APIs).
- The Inventory list is accessible in the UI and can be filtered, sorted, and searched.
- Visualizes:
  - API endpoints (URL)
  - HTTP methods (POST, PUT, …)
  - Which applications and projects an API maps to
  - What data the API returns
  - How sensitive the data is (sensitive parameters)
  - Which developers own the API
  - Risk score
  - When API Security testing was last performed against the endpoint
- Support for:
  - REST
  - SOAP
  - GraphQL
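As an added example (not GitLab's code), the following Python builds inventory records carrying the Must Have fields above from an OpenAPI 3 document, scores each endpoint with a constructed risk heuristic, and filters for the view a security admin would want first: endpoints that return sensitive data but have never been tested. The spec, the sensitive-field list, the project, owner, and test history are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed list of sensitive response fields (assumption, not a GitLab list).
SENSITIVE_FIELDS = {"email", "ssn", "password", "card_number"}

def response_fields(op):
    """Collect JSON property names returned by an operation's 2xx responses."""
    fields = set()
    for code, resp in op.get("responses", {}).items():
        if code.startswith("2"):
            schema = resp.get("content", {}).get("application/json", {}).get("schema", {})
            fields.update(schema.get("properties", {}))
    return fields

def risk_score(method, sensitive, last_tested, today):
    """Constructed heuristic: sensitive data, writes and stale testing raise the score."""
    score = 2 * len(sensitive) + (1 if method in ("post", "put", "patch", "delete") else 0)
    if last_tested is None or today - last_tested > timedelta(days=30):
        score += 2  # never tested, or not tested within the last 30 days
    return score

def build_inventory(spec, project, owner, tests, today):
    """One record per (path, method) with the Must Have fields, sorted by risk."""
    records = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            fields = response_fields(op)
            sensitive = sorted(fields & SENSITIVE_FIELDS)
            tested = tests.get((path, method.upper()))  # last API Security test date
            records.append({"endpoint": path, "method": method.upper(), "project": project,
                            "owner": owner, "returns": sorted(fields), "sensitive": sensitive,
                            "last_tested": tested, "risk_score": risk_score(method, sensitive, tested, today)})
    return sorted(records, key=lambda r: r["risk_score"], reverse=True)

def untested_sensitive(inventory):
    """Filter: endpoints returning sensitive data that have never been security tested."""
    return [r for r in inventory if r["sensitive"] and r["last_tested"] is None]
def ok_json(props):
    """Build a minimal OpenAPI 3 operation returning a JSON object with these properties."""
    return {"responses": {"200": {"content": {"application/json": {"schema": {"properties": props}}}}}}
# Constructed OpenAPI 3 fragment and test history; project and owner are placeholders.
SAMPLE_SPEC = {"paths": {
    "/users/{id}": {"get": ok_json({"id": {}, "email": {}, "ssn": {}}),
                    "delete": {"responses": {"204": {"description": "deleted"}}}},
    "/health": {"get": ok_json({"status": {}})},
}}
SAMPLE_TESTS = {("/health", "GET"): date(2024, 5, 1), ("/users/{id}", "DELETE"): date(2024, 5, 20)}
inventory = build_inventory(SAMPLE_SPEC, "example-group/billing", "@payments-team", SAMPLE_TESTS, date(2024, 6, 1))
```

The sorted list is the inventory view; `untested_sensitive(inventory)` is the filtered view that surfaces GET /users/{id}, which returns email and SSN and has no test record.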
Won't Have
- Historical change analysis/auditing
- Identifying APIs at run time via integrations (traffic capture, agents, API gateways)
- gRPC support
Intended users
Personas are described at https://about.gitlab.com/handbook/product/personas/