Table of Contents
Course Overview and Objectives ............................................................................................................................... 3
Managing API Assets .................................................................................................................................................... 5
Vulnerable API Conditions ........................................................................................................................................... 7
API Asset Management ................................................................................................................................................ 9
Asset Inventory ............................................................................................................................................................. 10
API Asset Control ......................................................................................................................................................... 12
API Gateways................................................................................................................................................................. 14
API Documentation ..................................................................................................................................................... 16
Identify and Order Steps ............................................................................................................................................ 18
Course Summary .......................................................................................................................................................... 19
Thank You ...................................................................................................................................................................... 21
Page 1 of 21
API 214 – Mitigating APIs Improper Asset Management
Narration
On screen text
API 214
API 214 Mitigating APIs Improper Asset Management
Narration
This course is designed for NICE Workforce roles Software Developer (SP-DEV-001) and Secure Software
Assessor (SP-DEV-002). The objectives of this course align with OWASP Top 10 API Security Risks and
the NIST Cybersecurity Framework.
Upon successful completion of this course, you should have the knowledge and skills required to
understand the importance of proper API asset management; gather and maintain an inventory of all
API assets, including those that may be vulnerable; determine API access requirements based on scope,
API type, and user roles; understand the benefits of using an API gateway; and create documentation for
the information gathered about your organization’s APIs.
On screen text
Designed for the Software Developer (SP-DEV-001) and Secure Software Assessor (SP-DEV-002) roles.
Objectives align with OWASP Top 10 API Security Risks and the NIST Cybersecurity Framework.
Narration
Managing assets across your network is an integral part of API security.
Without knowledge of every API endpoint in your organization, it is impossible to secure them all. Asset
management is, at its core, keeping track of your organization’s API endpoints.
APIs are pervasive in modern computing environments: in-house development, third-party applications,
microservices, container platforms, and many other sources can expose APIs on a typical network.
An API that is not properly secured and kept up to date is a potential attack vector and may expose
sensitive data.
On screen text
• In-house development
• Third-party applications
• Microservices
• Container platforms
• Many others
Narration
When attacking a network, an adversary looks for the most compelling targets, and in particular for the
common mistakes that provide the easiest gains.
The most serious, and still common, mistake is an API that the administrator is not aware of. If an API
is unknown, undocumented, or forgotten, it is also likely unprotected. This situation arises easily: a
developer may have installed an API that no one uses, or a server application may expose an API by
default that administrators do not know about.
Outdated software is another common problem, especially for internal applications, which often get less
scrutiny than applications exposed on the internet.
Likewise, a development or staging environment may lack strict access controls yet still work with
sensitive production data.
Any of these conditions can lead directly to a compromise or give an attacker a foothold for lateral
movement on the network.
On screen text
Unknown?
Undocumented?
Forgotten?
Outdated?
Dev Server?
Narration
Ensuring proper API asset management is not difficult, but it does require a thorough and continuous
effort.
The most important steps are to: build and maintain a comprehensive inventory of all API assets;
establish and enforce appropriate access controls for each API; centralize all API traffic through an API
gateway (sometimes called an API firewall or proxy); and finally, accurately and thoroughly document all
API assets.
On screen text
Asset Inventory
Narration
It is critical to create and maintain an accurate inventory of all API hosts and endpoints, including
development, deprecated, and unused APIs.
Discovering these endpoints might require reviewing server applications, scanning for network services,
or sniffing the network for possible API traffic. On a large network, this could be a significant
undertaking if no inventory currently exists.
While gathering API endpoints, the most basic information to record is the host name (or address) and
network port. If possible, also identify the software and its version. Other important information to
gather includes:
• The protocol the API uses
• The role the API plays in the organization, and whether it is still in use at all
• The environment, such as development, testing, staging, or production
• The data the API accesses and whether any of it is sensitive
• How it is exposed on the network
• Which user roles should have access to the API
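As an added example (not part of the course material), the following Python script shows how inventory records carrying the fields listed above can be reconciled against a service scan, and how the conditions from the previous section (unknown, forgotten, and outdated APIs, and a non-production environment holding sensitive data) fall out of that comparison. Every host, port, software version, inventory entry and scan line is constructed for the example, and the scan line format is an assumption rather than any particular scanner's output.

```python
"""Added example, not part of the course: reconcile a service scan against the
API inventory and flag the conditions the course warns about (unknown,
forgotten, outdated, and non-production APIs that hold sensitive data).
Every host, port, version, inventory entry and scan line below is constructed,
and the scan line format is an assumption rather than any scanner's output."""
from dataclasses import dataclass, field

# Constructed scanner output: "host port protocol software/version" per service.
SCAN_OUTPUT = """\
api.corp.example 443 https nginx/1.24
orders.corp.example 8443 https spring-boot/3.1
legacy.corp.example 8080 http tomcat/7.0.54
staging.corp.example 8443 https spring-boot/3.1
"""

# Constructed: version prefixes the organisation treats as end of life.
OUTDATED_PREFIXES = ("tomcat/7",)


@dataclass
class ApiAsset:
    """One inventory record; the fields follow the list in the course."""
    host: str
    port: int
    protocol: str = ""
    software: str = ""
    role: str = ""               # what the API does; empty means nobody knows
    environment: str = ""        # development, testing, staging, production
    sensitive_data: bool = False
    exposure: str = ""           # internal, partner, public
    allowed_roles: list = field(default_factory=list)
    in_use: bool = True


# Constructed inventory: what the organisation believes is deployed.
INVENTORY = [
    ApiAsset("api.corp.example", 443, "https", "nginx/1.24",
             "public storefront API", "production", True, "public", ["customer"]),
    ApiAsset("orders.corp.example", 8443, "https", "spring-boot/3.1",
             "order service", "production", True, "internal", ["sales"]),
    ApiAsset("staging.corp.example", 8443, "https", "spring-boot/3.1",
             "order service (staging copy)", "staging", True, "internal", ["developer"]),
    ApiAsset("reports.corp.example", 9000, "http", "", "", "production",
             False, "internal", [], in_use=False),
]


def parse_scan(text):
    """Map (host, port) -> (protocol, software) from the scanner lines."""
    found = {}
    for line in text.splitlines():
        if line.strip():
            host, port, proto, software = line.split()
            found[(host, int(port))] = (proto, software)
    return found


def reconcile(inventory, scan_text):
    """Return (severity, 'host:port', finding) tuples for an analyst to act on."""
    findings = []
    scanned = parse_scan(scan_text)
    known = {(a.host, a.port): a for a in inventory}

    for (host, port), (proto, software) in scanned.items():
        where = f"{host}:{port}"
        if (host, port) not in known:
            # Listening API that nobody inventoried: unknown or forgotten.
            findings.append(("high", where, f"not in inventory ({proto}, {software})"))
        if software.startswith(OUTDATED_PREFIXES):
            findings.append(("high", where, f"outdated software {software}"))

    for (host, port), asset in known.items():
        where = f"{host}:{port}"
        if (host, port) not in scanned:
            # Stale record: confirm it was decommissioned, then retire the entry.
            findings.append(("low", where, "in inventory but not observed on the network"))
            continue
        for name in ("role", "environment", "exposure"):
            if not getattr(asset, name):
                findings.append(("medium", where, f"inventory field '{name}' is empty"))
        if asset.environment != "production" and asset.sensitive_data:
            findings.append(("high", where, "non-production environment handles sensitive data"))
        if not asset.in_use:
            findings.append(("medium", where, "marked not in use but still listening"))
    return findings


if __name__ == "__main__":
    for severity, where, text in reconcile(INVENTORY, SCAN_OUTPUT):
        print(f"{severity:6} {where:26} {text}")
```

Run against the constructed data, the script reports the uninventoried legacy host twice (unknown and outdated), the staging copy of the order service as a non-production system with sensitive data, and the reports host as an inventory record that no longer matches anything on the network. The same loop is the natural place to add drift checks (inventoried software version versus scanned version) once the inventory carries that field reliably.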
On screen text
Asset Inventory
Create and maintain an accurate inventory of all API hosts and endpoints.
Narration
An important part of an API inventory is to know which networks, hosts, and users should have access to
each API.
The things to consider are:
Access scope. Some APIs will be for internal use only, others internal and partner use, and others for
public use. This will help determine routing, firewall, and VPN configuration.
Type of API. The main concern here would be whether it is for general use, development, or
administrative purposes.
User roles. At times you may wish to restrict access to an API based on user roles, department, or
organization. Being aware of which user roles access the API can help with access control configurations.
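As an added example (not part of the course material), the Python below turns the three items above into an allow/deny decision of the kind a gateway or reverse proxy would apply: the caller's source network is mapped to an access scope, the API type is checked, and the caller's roles are compared with the roles the inventory permits. The network ranges, policy table, API names and requests are all constructed; treating development and administrative APIs as internal-only regardless of their recorded scope is a design choice of this example.

```python
"""Added example, not part of the course: turn an API's access scope, API type
and user roles from the inventory into an allow/deny decision that a gateway
or reverse proxy could apply.  The network ranges, policy table, API names and
requests are all constructed; the rule that development and administrative
APIs are reachable from internal networks only is a design choice here."""
import ipaddress

# Constructed network plan.  203.0.113.0/24 is a documentation range standing in
# for a partner VPN; anything outside the listed ranges is treated as public.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
PARTNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Callers are ranked by trust: internal (0) < partner (1) < public (2).  A caller
# may use an API only if the API's scope is at least as open as the caller's rank.
SCOPE_RANK = {"internal": 0, "partner": 1, "public": 2}

# Constructed access requirements, one entry per inventoried API.  An empty role
# set means any authenticated caller within scope may use the API.
ACCESS_POLICY = {
    "api.corp.example:443":     {"scope": "public",   "type": "general",        "roles": set()},
    "orders.corp.example:8443": {"scope": "partner",  "type": "general",        "roles": {"sales", "partner"}},
    "admin.corp.example:8443":  {"scope": "internal", "type": "administrative", "roles": {"api-admin"}},
    "dev.corp.example:8443":    {"scope": "internal", "type": "development",    "roles": {"developer"}},
}


def classify_source(ip):
    """Return 'internal', 'partner' or 'public' for a caller's source address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if any(addr in net for net in PARTNER_NETS):
        return "partner"
    return "public"


def authorize(api, source_ip, principal_roles):
    """Decide whether a caller may reach an API.  Returns (allowed, reason).

    Deny by default: an API missing from the policy table is an API missing
    from the inventory, and it gets no traffic until someone registers it."""
    policy = ACCESS_POLICY.get(api)
    if policy is None:
        return False, "API not in inventory"
    source = classify_source(source_ip)
    if SCOPE_RANK[source] > SCOPE_RANK[policy["scope"]]:
        return False, f"{source} caller may not reach a {policy['scope']}-scope API"
    if policy["type"] in ("administrative", "development") and source != "internal":
        return False, f"{policy['type']} APIs are internal-only"
    required = policy["roles"]
    if required and not required & set(principal_roles):
        return False, f"caller lacks a required role {sorted(required)}"
    return True, f"{source} caller permitted"


if __name__ == "__main__":
    for api, ip, roles in [
        ("api.corp.example:443", "198.51.100.7", []),
        ("orders.corp.example:8443", "198.51.100.7", ["sales"]),
        ("orders.corp.example:8443", "203.0.113.9", ["partner"]),
        ("admin.corp.example:8443", "203.0.113.9", ["api-admin"]),
        ("admin.corp.example:8443", "10.1.2.3", ["api-admin"]),
        ("reports.corp.example:9000", "10.1.2.3", ["api-admin"]),
    ]:
        allowed, reason = authorize(api, ip, roles)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {api:26} from {ip:13} roles={roles}: {reason}")
```

The scope check answers the routing, firewall and VPN question from the narration (which networks may reach the API at all), and the role check answers the user-role question; keeping both in one policy table per inventoried API means the inventory and the enforced configuration cannot drift apart silently.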
On screen text
API inventory includes which networks, hosts, and users should have access to each API.
Access Scope
Internal use, internal and partner use, or public use
API Type
General use, development, administration
User Roles
Restrictions based on user role, department, or organization.
API Gateways
Narration
To manage APIs in your organization, consider using an API gateway, sometimes called an API firewall.
An API gateway is like a reverse proxy but specialized for handling API calls. The gateway will handle all
incoming calls and route them to the appropriate endpoints, even if they use different protocols and
syntax.
An API gateway decouples the API interfaces from their backend services, centralizes authentication and
policy enforcement, and creates a chokepoint for security and access control. It can also integrate with a
web application firewall to help block attacks.
By establishing a policy that all API access must go through the gateway, you can track API usage,
authentication, and access rules in one place. And once the inventoried APIs are all behind the gateway, any
API traffic that does not pass through it points to an API connection you did not know about.
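As an added example (not part of the course material), the Python below shows the check the last paragraph describes: once policy says every API call goes through the gateway, connection records such as a flow collector produces can be compared against the gateway's route table, so that a client talking to a backend directly, or traffic to an API host the gateway does not route at all, stands out. The addresses, ports, route table and flow records are constructed, and the flow record format is an assumption.

```python
"""Added example, not part of the course: detect API traffic that does not go
through the gateway.  Inputs are the gateway's registered upstreams and a set
of connection records such as a flow collector would produce; every address,
port and record here is constructed and the record format is an assumption."""
from collections import defaultdict

# Constructed: addresses the gateway makes its backend calls from.
GATEWAY_ADDRS = {"10.0.0.10", "10.0.0.11"}

# Constructed gateway route table: external route -> (upstream host, port).
GATEWAY_ROUTES = {
    "/orders":    ("10.0.20.5", 8443),
    "/customers": ("10.0.20.6", 8443),
}

# Constructed: ports on which API services are expected to listen.
API_PORTS = {443, 8080, 8443}

# Constructed flow records: (source ip, destination ip, destination port, bytes).
FLOWS = [
    ("10.0.0.10", "10.0.20.5", 8443, 12000),   # gateway -> orders: expected
    ("10.0.0.11", "10.0.20.6", 8443, 3000),    # gateway -> customers: expected
    ("10.0.31.7", "10.0.20.5", 8443, 800),     # workstation -> orders directly: bypass
    ("10.0.31.8", "10.0.20.9", 8080, 15000),   # API port on a host the gateway does not route
    ("10.0.31.8", "10.0.20.5", 22, 400),       # ssh, not API traffic: ignored
]


def audit_flows(flows, routes=GATEWAY_ROUTES, gateway_addrs=GATEWAY_ADDRS):
    """Return two dicts keyed by (dst, port) -> {src: bytes}: traffic that reached a
    registered upstream without passing the gateway, and traffic to API ports on
    hosts the gateway has no route for (candidates for the unknown-API list)."""
    registered = set(routes.values())
    bypass = defaultdict(lambda: defaultdict(int))
    unregistered = defaultdict(lambda: defaultdict(int))
    for src, dst, port, nbytes in flows:
        if port not in API_PORTS:
            continue
        target = (dst, port)
        if target not in registered:
            unregistered[target][src] += nbytes
        elif src not in gateway_addrs:
            bypass[target][src] += nbytes
    # Convert to plain dicts so callers can compare and serialise them directly.
    return ({k: dict(v) for k, v in bypass.items()},
            {k: dict(v) for k, v in unregistered.items()})


def report(flows):
    """Human-readable findings with the follow-up action for each."""
    bypass, unregistered = audit_flows(flows)
    lines = []
    for (dst, port), sources in sorted(bypass.items()):
        for src, nbytes in sorted(sources.items()):
            lines.append(f"BYPASS  {src} -> {dst}:{port} ({nbytes} bytes) skips the gateway; "
                         "restrict the backend to gateway addresses and investigate the client")
    for (dst, port), sources in sorted(unregistered.items()):
        for src, nbytes in sorted(sources.items()):
            lines.append(f"UNKNOWN {src} -> {dst}:{port} ({nbytes} bytes) has no gateway route; "
                         "add the API to the inventory or decommission it")
    return lines


if __name__ == "__main__":
    for line in report(FLOWS):
        print(line)
```

The bypass case is the one to fix at the network layer: a backend that accepts connections from anything other than the gateway addresses makes the gateway's authentication and policy enforcement optional. The unregistered case feeds straight back into the inventory step.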
On screen text
API Gateways
• API usage
• Authentication
• Access rules
API Documentation
Narration
The final step in managing API assets is documentation. Thorough, up-to-date documentation of hosts,
integrated services, and API endpoints is critical for proper asset management.
Although some organizations may require multiple variations of the documentation, the two basic
categories are administrative and developer documentation.
Administrative documentation should include the host and port, the environment, the data sensitivity,
and network and user accessibility.
Developer documentation should include descriptions of all API functions, parameters, data types, API
responses, and any errors they might return.
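As an added example (not part of the course material), the Python below is a small lint for developer documentation kept in OpenAPI form, checking for the items just listed: each function described, each parameter carrying a data type, a documented success response, and documented error responses. The OpenAPI fragment is constructed and deliberately incomplete so the check has something to report; which gaps count as failures is a choice made for this example.

```python
"""Added example, not part of the course: check that an API's developer
documentation (here an OpenAPI-style dictionary) covers what the course asks
for: every function described, parameters with data types, responses, and
error responses.  The spec below is constructed and deliberately incomplete."""

# Constructed OpenAPI-style fragment for one inventoried service.
OPENAPI = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API (example)", "version": "1.0"},
    "paths": {
        "/orders/{id}": {
            "get": {
                "summary": "Fetch one order",
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "string"}},
                ],
                "responses": {
                    "200": {"description": "The order"},
                    "404": {"description": "No such order"},
                },
            },
            "delete": {  # missing: description, parameter data type, error responses
                "parameters": [{"name": "id", "in": "path", "required": True}],
                "responses": {"204": {"description": "Deleted"}},
            },
        },
        "/orders": {
            "post": {  # missing: request body, error responses
                "summary": "Create an order",
                "responses": {"201": {"description": "Created"}},
            },
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def lint_developer_docs(spec):
    """Return 'METHOD path: problem' strings, one per documentation gap."""
    issues = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters' or 'summary'
            where = f"{method.upper()} {path}"
            if not op.get("summary") and not op.get("description"):
                issues.append(f"{where}: no description of what the function does")
            for param in op.get("parameters", []):
                if "type" not in param.get("schema", {}):
                    issues.append(f"{where}: parameter '{param.get('name')}' has no data type")
            if method in {"post", "put", "patch"} and "requestBody" not in op:
                issues.append(f"{where}: request body not documented")
            codes = op.get("responses", {})
            if not any(code.startswith("2") for code in codes):
                issues.append(f"{where}: no success response documented")
            if "default" not in codes and not any(code[0] in "45" for code in codes):
                issues.append(f"{where}: no error responses documented")
    return issues


if __name__ == "__main__":
    for issue in lint_developer_docs(OPENAPI):
        print(issue)
```

Running this in the build pipeline for each inventoried API turns "documentation must be complete" from a policy statement into a check that fails the build, and the list of paths in the specification doubles as the per-endpoint half of the inventory.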
On screen text
API Documentation
Developer Documentation
• API functions
• Parameters
• Data types
• Responses
• Errors
Narration
The most important steps for managing API assets are found in these tiles. Drag the correct tiles to the
right to complete the diagram.
On screen text
Question The most important steps for managing API assets are found in these tiles. Drag the
correct tiles to the right to complete the diagram.
Options (Tiles)
• Secure Services
• Centralize Traffic
• Document Assets
• Access Controls
• Review Development
• Build and Maintain
Course Summary
Narration
In this course, you learned about mitigating improper API asset management.
The topics discussed included understanding the importance of proper API asset management;
gathering and maintaining an inventory of all API assets, including those that may be vulnerable;
determining API access requirements based on scope, API type, and user roles; understanding the
benefits of using an API gateway; and creating documentation for the information gathered about your
organization’s APIs.
On screen text
Course Summary
In this course, you learned about mitigating improper API asset management.
Topics included:
Understanding the importance of proper API asset management
Thank You
Narration
Thank You
This concludes the Mitigating APIs Improper Asset Management course. Thank you.
Click the “Take the Exam” button to proceed to the exam.