Global API Landscape: Uncovering and Fortifying Hidden Risks for a Fortune 500 Financial Services Corporation
A multinational Fortune 500 financial services company, operating in over 80 countries, confronted the formidable challenge of identifying and safeguarding its extensive global inventory of APIs. Collaborating with AlphaRidge, a preeminent cybersecurity firm, the company embarked on a systematic project to uncover, assess, and secure both recognized and uncharted APIs, ultimately diminishing the organization's attack surface. Through a multi-phased strategy, AlphaRidge successfully pinpointed hundreds of previously unidentified APIs and conducted extensive penetration testing on both discovered and known APIs. This approach allowed the organization to secure their web-application infrastructure in real-time, empowering the company to centralize remediation initiatives and bolster its security posture.
Looking for the Right Solution
The organization's security leadership aimed to enhance the company's security posture and establish trust among stakeholders following the rapid exhaustion of its HackerOne bug bounty program. A central issue was the absence of a unified or current list of active APIs across the organization's software applications, which posed a significant security risk. To address this challenge, the company initiated a project to enumerate and identify all active APIs, perform vulnerability scanning, automated testing, and manual penetration testing of the API infrastructure.
The Challenge
The company, with over 30,000 unique domain names, lacked a centralized inventory of APIs across all software applications at an enterprise-wide level. This deficiency in a comprehensive API inventory impeded the ability to update and secure undiscovered APIs.
CHALLENGES AT A GLANCE
+ No centralized inventory of APIs across the global organization.
+ Impediments to updating and securing undiscovered APIs.
+ Disparate teams/resources created hurdles to collect data.
"We knew going in that the project was going to call for specific skill-sets, and a lot of flexibility to manage the 'unknown' - but this is exactly what our team thrives on - the chance to tackle tough challenges head on."
Kyle H. | Sr. Director of Technology
A Custom Approach
AlphaRidge employed a bespoke word list of prevalent paths used by API tooling, such as the locations of Swagger files, to enumerate the domains potentially hosting publicly exposed API endpoints. The project comprised three phases, beginning with an exhaustive discovery of both known and unknown APIs, followed by vulnerability assessment and penetration testing.
The Approach
Operating in over 80 countries and integrating technology portfolios presented significant challenges in gathering accurate, up-to-date data on software inventory.
AlphaRidge led break-out sessions with individual application teams to spearhead data gathering—this collaborative approach proved crucial to overcoming resource and time constraints.
Implementation
AlphaRidge identified the ASNs of the 30,000 domain names and used them to locate other domains hosted on the same ASNs. Custom Postman scripts were used to request URL paths and endpoints and to validate their existence from the responses. Approximately 350 custom word lists were tested, and over 11 million unique responses were analyzed in PowerBI and PowerCharts to discern patterns. Tools such as Aquatone were run in a Linux environment to produce visual validation and to map API topology by the webserver technology used for hosting and by IP clustering.
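As an added example (not AlphaRidge's or the client's tooling), the following Python script shows the path-probing and response-validation step described above, as a defender would run it over an organization's own hostnames: request a constructed word list of common API-descriptor paths, accept a hit only when the body is API-shaped JSON, and use a nonsense canary path to discard catch-all hosts that answer 200 to everything. The host names, paths and sample responses are constructed; replace sample_fetch with http_fetch to run it against real hosts you own.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed word list (not the one used in the engagement): common API-descriptor paths.
API_PATHS = ["/swagger.json", "/openapi.json", "/v2/api-docs", "/api/v1/health"]
CANARY = "/inventory-canary-should-not-exist"  # nonsense path used to detect catch-all hosts
Response = Tuple[int, str, str]                # (status, content-type, body)

def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Real HTTP GET that never raises; a failed connection is reported as status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.headers.get("Content-Type", ""), r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), ""
    except (urllib.error.URLError, OSError, ValueError):
        return 0, "", ""

def looks_like_api(resp: Response) -> bool:
    """Validate from the body, not the status alone: require JSON carrying descriptor or health keys."""
    status, ctype, body = resp
    if status != 200 or "json" not in ctype.lower():
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and bool({"swagger", "openapi", "paths", "status"} & doc.keys())

def discover(hosts: List[str], paths: List[str],
             fetch: Callable[[str], Response] = http_fetch) -> Dict[str, List[str]]:
    """Return {host: [paths answering with API-shaped content]}; catch-all hosts are dropped."""
    found: Dict[str, List[str]] = {}
    for host in hosts:
        hits = [p for p in paths if looks_like_api(fetch(f"https://{host}{p}"))]
        if hits and not looks_like_api(fetch(f"https://{host}{CANARY}")):  # canary must NOT look like an API
            found[host] = hits
    return found

def sample_fetch(url: str) -> Response:
    """Constructed offline stand-in for http_fetch: one real API host, one catch-all, one web host."""
    if url == "https://api.example.test/openapi.json":
        return 200, "application/json", '{"openapi": "3.0.0", "paths": {}}'
    if url.startswith("https://catchall.example.test/"):
        return 200, "application/json", '{"status": "ok"}'
    if url.startswith("https://www.example.test/"):
        return 200, "text/html", "<html>not an API</html>"
    return 404, "text/html", ""
```

Running discover over the three constructed hosts with sample_fetch reports only api.example.test with /openapi.json; the catch-all host is rejected because its canary path also returned API-shaped JSON.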
Critical Outcome
Following an extensive three-month discovery process, AlphaRidge ascertained the presence of 978 previously unknown APIs, including critical infrastructure in Hong Kong and Kazakhstan. The identification of tooling and deployments impacting multiple applications enabled the client to significantly reduce individual team security efforts and centralize a coordinated remediation process. Moreover, the extensive penetration testing conducted by AlphaRidge on both discovered and known APIs enabled ABG to secure their web-application infrastructure in real-time, further strengthening their security posture.
Conclusion
The organization's successful enumeration of its API attack surface permitted security teams to obtain a unified view of all API assets for the first time in the company's history. This comprehensive understanding, coupled with the extensive penetration testing conducted by AlphaRidge, enabled them to address the escalating risks reported through the bug bounty program and concentrate on testing and securing the most sensitive applications in real-time, ultimately delivering a high ROI impact for the organization's leadership and