
API 214 – Mitigating APIs Improper Asset Management

Table of Contents
Course Overview and Objectives ..... 3
Managing API Assets ..... 5
Vulnerable API Conditions ..... 7
API Asset Management ..... 9
Asset Inventory ..... 10
API Asset Control ..... 12
API Gateways ..... 14
API Documentation ..... 16
Identify and Order Steps ..... 18
Course Summary ..... 19
Thank You ..... 21

Page 1 of 21

Narration

On screen text

API 214
API 214 Mitigating APIs Improper Asset Management


Course Overview and Objectives

Narration
This course is designed for NICE Workforce roles Software Developer (SP-DEV-001) and Secure Software
Assessor (SP-DEV-002). The objectives of this course align with OWASP Top 10 API Security Risks and
the NIST Cybersecurity Framework.
Upon successful completion of this course, you should have the knowledge and skills required to
understand the importance of proper API asset management; gather and maintain an inventory of all
vulnerable assets; determine API access requirements based on scope, API type, and user roles;
understand the benefits of using an API gateway; and create documentation for the information
gathered about your organization’s APIs.

On screen text

Course Overview and Objectives.

Designed for the Software Developer (SP-DEV-001) and Secure Software Assessor (SP-DEV-002) roles.
Objectives align with OWASP Top 10 API Security Risks and the NIST Cybersecurity Framework.


Upon successful completion of this course, you will be familiar with:

• The importance of API asset management
• How to inventory all vulnerable assets
• API access requirements
• The benefits of using an API gateway
• Documentation for information about your organization’s APIs


Managing API Assets

Narration
Managing assets across your network is an integral part of API security.
Without knowledge of all API endpoints in your organization, it is impossible to ensure proper security.
Asset management is essentially keeping track of your organization’s API endpoints.
APIs are pervasive in modern computing environments: in-house development, third-party applications,
microservices, container platforms, and many other sources may expose APIs on a typical network.
If not properly secured and kept up to date, an API can become an attack vector or allow access to
sensitive data.

On screen text

Managing API Assets

Managing assets is an integral part of API security.

• In-house development
• Third-party applications
• Microservices
• Container platforms
• Many others


Vulnerable API Conditions

Narration
When probing a network, an attacker looks for the most compelling targets: common mistakes that
provide the easiest gains.
The most serious, and still common, mistake is an API that an administrator is not aware of. If an
API is unknown, undocumented, or forgotten, it is also likely unprotected. This is a common
situation because a developer might leave an API installed that no one uses, or a server application
might expose an API by default that administrators are not aware of.
Outdated software is another common problem, especially for internal applications that do not
get as much scrutiny as an application exposed on the internet.
Likewise, a development or staging environment might lack strict access controls yet still work
with sensitive production data.
Any of these conditions could easily lead to a security compromise or allow lateral movement on the
network.

On screen text

Vulnerable API Conditions

Unknown?
Undocumented?
Forgotten?
Outdated?
Dev Server?


API Asset Management

Narration
Ensuring proper API asset management is not difficult, but it does require a thorough and continuous
effort.
The most important steps are to: build and maintain a comprehensive inventory of all API assets,
establish and enforce appropriate access controls for API access, centralize all API traffic through an API
Firewall or Proxy, and finally, accurately and thoroughly document all API assets.

On screen text

API Asset Management

Managing API assets:


Asset Inventory

Narration
It is critical to create and maintain an accurate inventory of all API hosts and endpoints, including
development, deprecated, and unused APIs.
Discovering these endpoints might require reviewing server applications, scanning for network services,
or sniffing the network for possible API traffic. On a large network, this could be a significant
undertaking if no inventory currently exists.

While gathering API endpoints, the most basic information to record is the host name (or address) and
network port. If possible, also identify the software and version. Other important information to gather
includes:
• The protocol the API uses
• The role the API plays in the organization, and whether it is still in use
• The environment type, such as development, testing, staging, or production
• The data the API accesses and whether any of it is sensitive
• How the API is exposed on the network
• Which user roles should have access to the API
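The inventory record below is an added example, not material from the course: it carries the fields the course lists for each endpoint and runs a review that flags the vulnerable conditions described earlier (unknown software, undocumented or unused APIs, outdated software, and non-production systems that work with sensitive data). The hosts, versions, owners and the minimum-version table are constructed sample values.

```python
# Added example (not from the course): an inventory record with the fields the
# course lists, plus a review that flags the vulnerable conditions it names.
# All hosts, versions, owners and minimum versions are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ApiAsset:
    host: str                          # host name or address
    port: int                          # network port
    protocol: str                      # e.g. "https", "grpc"
    environment: str                   # development, testing, staging, production
    exposure: str                      # internal, partner, public
    software: Optional[str] = None     # identified product, None if unknown
    version: Optional[str] = None      # identified version, None if unknown
    role: Optional[str] = None         # what the API does for the organization
    in_use: bool = True                # False for deprecated or unused APIs
    sensitive_data: bool = False       # does the API access sensitive data?
    allowed_roles: List[str] = field(default_factory=list)
    owner: Optional[str] = None        # team responsible for the API


# Minimum acceptable version per product. Assumed values for the example only;
# a real inventory would take these from vendor advisories or patch policy.
MIN_VERSION: Dict[str, Tuple[int, ...]] = {"ExampleAPIServer": (2, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.1.3' -> (2, 1, 3); non-numeric parts are ignored."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def review_asset(a: ApiAsset) -> List[str]:
    """Return the conditions that make this asset a likely weak point."""
    findings: List[str] = []
    if a.software is None or a.version is None:
        findings.append("unknown software or version: fingerprint the service")
    if a.role is None:
        findings.append("undocumented role: find the owner and purpose, or remove it")
    if not a.in_use:
        findings.append("unused API: decommission or justify keeping it")
    outdated = (
        a.software in MIN_VERSION and a.version is not None
        and parse_version(a.version) < MIN_VERSION[a.software]
    )
    if outdated:
        findings.append("outdated software: update before it stays exposed")
    if a.environment != "production" and a.sensitive_data:
        findings.append("non-production environment works with sensitive data")
    if a.owner is None:
        findings.append("no owner recorded")
    return findings


def review_inventory(assets: List[ApiAsset]) -> Dict[str, List[str]]:
    """Map 'host:port' to its findings; an empty list means nothing to fix."""
    return {f"{a.host}:{a.port}": review_asset(a) for a in assets}


# Constructed sample inventory: one clean record and three that need attention.
SAMPLE_INVENTORY = [
    ApiAsset("orders-api.internal.example", 443, "https", "production", "partner",
             software="ExampleAPIServer", version="2.3.0", role="order intake",
             sensitive_data=True, allowed_roles=["partner", "sales"], owner="orders-team"),
    ApiAsset("orders-staging.internal.example", 8443, "https", "staging", "internal",
             software="ExampleAPIServer", version="1.9.4", role="order intake (staging)",
             sensitive_data=True, allowed_roles=["developer"], owner="orders-team"),
    # Found by a port scan; nobody has claimed it yet.
    ApiAsset("10.0.5.7", 8080, "http", "production", "internal"),
    ApiAsset("legacy-reports.internal.example", 9000, "http", "production", "internal",
             software="ExampleAPIServer", version="2.1.0", role="reporting",
             in_use=False, owner="finance-it"),
]

if __name__ == "__main__":
    for endpoint, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(endpoint, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Running the module prints one block per endpoint; the orders production API comes back clean, the staging copy is flagged for both its old version and the sensitive data it holds, the unclaimed host on 10.0.5.7 is flagged three times, and the legacy reporting API is flagged only as unused.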

On screen text

Asset Inventory


Create and maintain an accurate inventory of all API hosts and endpoints.

• Review server applications
• Scan network services
• Sniff network traffic

Information to gather:
• Host name or address
• Network port
• Software and version
• Protocol
• Organizational role
• Environment type
• Data accessed
• Exposure on network
• User role access


API Asset Control

Narration
An important part of an API inventory is to know which networks, hosts, and users should have access to
each API.
The things to consider are:
Access scope. Some APIs will be for internal use only, others internal and partner use, and others for
public use. This will help determine routing, firewall, and VPN configuration.
Type of API. The main concern here would be whether it is for general use, development, or
administrative purposes.
User roles. At times you may wish to restrict access to an API based on user roles, department, or
organization. Being aware of which user roles access the API can help with access control configurations.
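The decision function below is an added example rather than course material: it applies the three factors just described (access scope, API type, user roles) to a single request and returns the reason alongside the verdict so that denials can be logged. The rule that development and administrative APIs are reachable only from the internal network, and the sample APIs, are assumptions made for the illustration.

```python
# Added example (not from the course): an access decision that applies the
# course's three factors: access scope, API type and user roles. The policy
# rules and the sample APIs are assumptions for illustration.
from typing import Dict, Iterable, Set, Tuple

# Which source networks each access scope admits: a partner-scoped API is
# reachable from internal and partner networks, a public one from anywhere.
SCOPE_NETWORKS: Dict[str, Set[str]] = {
    "internal": {"internal"},
    "partner": {"internal", "partner"},
    "public": {"internal", "partner", "public"},
}

# Assumed organizational rule: development and administrative APIs are never
# reachable from outside the internal network, whatever their declared scope.
INTERNAL_ONLY_TYPES = {"development", "administrative"}


def access_decision(api: Dict, network: str, user_roles: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a caller on `network` holding `user_roles` may reach `api`.

    api = {"name", "scope", "type", "allowed_roles"}; an empty allowed_roles
    means no role restriction beyond scope and type. Returns (allowed, reason).
    """
    if network not in SCOPE_NETWORKS:
        return False, f"unknown source network {network!r}"
    if network not in SCOPE_NETWORKS[api["scope"]]:
        return False, f"scope {api['scope']!r} does not admit network {network!r}"
    if api["type"] in INTERNAL_ONLY_TYPES and network != "internal":
        return False, f"{api['type']} API is reachable only from the internal network"
    required = set(api.get("allowed_roles", []))
    held = set(user_roles)
    if required and not (required & held):
        return False, f"requires one of {sorted(required)}, caller has {sorted(held)}"
    return True, "allowed"


# Constructed sample APIs keyed by name.
APIS = {
    "orders": {"name": "orders", "scope": "partner", "type": "general",
               "allowed_roles": ["partner", "sales"]},
    "admin": {"name": "admin", "scope": "partner", "type": "administrative",
              "allowed_roles": ["api-admin"]},
    "catalog": {"name": "catalog", "scope": "public", "type": "general",
                "allowed_roles": []},
}

if __name__ == "__main__":
    checks = [
        ("orders", "partner", ["partner"]),
        ("orders", "public", ["partner"]),
        ("admin", "partner", ["api-admin"]),
        ("admin", "internal", ["developer"]),
        ("catalog", "public", []),
    ]
    for name, network, roles in checks:
        allowed, reason = access_decision(APIS[name], network, roles)
        print(f"{name:8} from {network:8} roles={roles}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Note the ordering: network scope is checked before roles, so a partner holding the right role is still denied the administrative API from the partner network, which is the effect the type check is meant to have.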

On screen text

API Asset Control

API inventory includes which networks, hosts, and users should have access to each API.

Access Scope: internal use, internal and partner use, or public use
API Type: general use, development, administration
User Roles: restrictions based on user role, department, or organization


API Gateways

Narration
To manage APIs in your organization, consider using an API gateway, sometimes called an API firewall.
An API gateway is like a reverse proxy but specialized for handling API calls. The gateway handles all
incoming calls and routes them to the appropriate endpoints, even when those endpoints use different
protocols and syntax.
An API gateway decouples the API interfaces from their backend services, centralizes
authentication and policy enforcement, and creates a chokepoint for security and access control. It
can also integrate with a web application firewall to help prevent attacks.
By establishing a policy that all API access must go through the gateway, you can better track API usage,
authentication, and access rules. Once the inventoried APIs are routed through the gateway, any API
traffic that does not pass through it points to an unknown API connection that needs investigating.
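The reconciliation below is an added example, not part of the course: it reads flow records, compares each destination against the API inventory and the gateway address, and reports two kinds of finding, traffic that reaches an inventoried API without passing through the gateway, and API-like traffic to an endpoint the inventory does not know about. The flow-record format, the addresses, the port list and the inventory are all constructed for the illustration.

```python
# Added example (not from the course): reconciling observed network flows
# against the API inventory and the gateway. The log format, addresses, port
# list and inventory are constructed sample data.
import re
from typing import Dict, List, Optional, Set, Tuple

GATEWAY_ADDRS: Set[str] = {"10.0.0.20"}           # assumed gateway address(es)
INVENTORY: Set[Tuple[str, int]] = {               # inventoried API endpoints
    ("10.0.2.10", 8443),
    ("10.0.2.11", 443),
}
API_PORTS: Set[int] = {80, 443, 8080, 8443, 9000}  # ports treated as API-like

# Assumed record shape: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<p>"
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# Constructed flow records, one per line.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=10.0.0.20 dst=10.0.2.10 dport=8443 proto=tcp
2024-05-01T10:00:02Z src=10.0.1.55 dst=10.0.2.10 dport=8443 proto=tcp
2024-05-01T10:00:03Z src=10.0.0.20 dst=10.0.2.11 dport=443 proto=tcp
2024-05-01T10:00:04Z src=10.0.1.55 dst=10.0.5.7 dport=8080 proto=tcp
2024-05-01T10:00:05Z src=10.0.0.20 dst=10.0.2.12 dport=443 proto=tcp
2024-05-01T10:00:06Z src=10.0.1.55 dst=10.0.3.9 dport=22 proto=tcp
"""


def parse_flow(line: str) -> Optional[Tuple[str, str, int]]:
    """Extract (src, dst, dport) from one record, or None if it does not match."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def reconcile(flows: str) -> Dict[str, List[str]]:
    """Classify each flow against the inventory and the gateway policy.

    bypass:           an inventoried API reached from something other than the gateway
    unknown_endpoint: API-like traffic to a destination that is not in the inventory
                      (including backends the gateway routes to but nobody inventoried)
    """
    findings: Dict[str, List[str]] = {"bypass": [], "unknown_endpoint": []}
    for line in flows.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if (dst, dport) in INVENTORY:
            if src not in GATEWAY_ADDRS:
                findings["bypass"].append(f"{src} -> {dst}:{dport} bypassed the gateway")
        elif dport in API_PORTS:
            findings["unknown_endpoint"].append(f"{dst}:{dport} not in inventory (from {src})")
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_FLOWS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the sample data the host 10.0.1.55 is reported for reaching the orders API directly, and two destinations are reported as unknown: the un-inventoried service on 10.0.5.7 and a backend on 10.0.2.12 that the gateway itself forwards to, which is exactly the kind of gap the inventory should close.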

On screen text

API Gateways

To manage APIs in your organization, consider using an API gateway.


• Decouples API interfaces from backend services
• Centralizes authentication & policy
• Creates a chokepoint for security & access control
• Integrates with web application firewalls

Requiring all API access to use the gateway helps track:
• API usage
• Authentication
• Access rules


API Documentation

Narration
The final step in managing API assets is documentation. Thorough, updated documentation of hosts,
integrated services, and API endpoints is critical for proper asset management.
Although some organizations may require multiple variations of the documentation, the two basic
categories are administrative and developer documentation.
Administrative documentation should include the host and port, the environment, the data sensitivity,
and network and user accessibility.
Developer documentation should include descriptions of all API functions, parameters, data types, API
responses, and any errors they might return.

On screen text

API Documentation

The final step in managing API assets is documentation.


Administrative Documentation

Page 16 of 21
API 214 – Mitigating APIs Improper Asset Management

• Host & port


• Environment
• Data sensitivity
• Network & user accessibility

Developer Documentation

• API functions
• Parameters
• Data types
• Responses
• Errors


Identify and Order Steps

Narration
The most important steps for managing API assets are found in these tiles. Drag the correct tiles to the
right to complete the diagram.

On screen text

Identify and Order Steps

Question: The most important steps for managing API assets are found in these tiles. Drag the
correct tiles to the right to complete the diagram.

Options (tiles) and correct answers:
Secure Services ..... Incorrect.
Centralize Traffic ..... Correct!
Document Assets ..... Correct!
Access Controls ..... Correct!
Review Development ..... Incorrect.
Build and Maintain ..... Correct!


Course Summary

Narration
In this course, you learned about mitigating improper API asset management.
Included in the topics discussed were understanding the importance of proper API asset management;
gathering and maintaining an inventory of all vulnerable assets; determining API access requirements
based on scope, API type, and user roles; understanding the benefits of using an API gateway; and
creating documentation for the information gathered about your organization’s APIs.

On screen text

Course Summary

In this course, you learned about mitigating improper API asset management.

Topics included:
• Understanding the importance of proper API asset management
• Gathering and maintaining an inventory of all vulnerable assets
• Determining API access requirements
• Understanding the benefits of using an API gateway
• Creating documentation for information gathered about your organization’s APIs


Thank You

Narration

Thank You

This concludes the Mitigating APIs Improper Asset Management course. Thank you.
Click the “Take the Exam” button to proceed to the exam.
