
Microsoft Defender for Cloud Blog

Boost Security with API Security Posture Management

walnerdort, Microsoft
Jan 30, 2025

Introduction

APIs are entry points into cloud-native applications. They connect services, apps, and data, which also makes them a target for attacks. Assessing API security posture is the first step in understanding the risks associated with APIs, and it helps you prioritize your most critical cloud application risks. API security posture management helps protect APIs by assessing risks and misconfigurations.

One of Microsoft Defender for Cloud's main pillars is cloud security posture management (CSPM). CSPM provides detailed visibility into the security state of your assets and workloads, and provides hardening guidance to help you efficiently and effectively improve your security posture.

The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud offers API posture and risk assessments for your Azure API Management APIs. This provides insights into risks, sensitive data exposed via APIs, and security recommendations, and aids API-led attack path analysis.

The integration of API Security Posture into Defender CSPM enables customers to unify and automatically onboard all their Azure API Management APIs with detailed security insights, including identification of APIs that are unauthenticated, inactive or dormant, or externally exposed. With full contextual mapping of APIs and their backend hosts, customers can now contextualize their API-driven application security risks, visualize the topology powered by APIs within Cloud Security Explorer, and perform end-to-end analysis of data exfiltration scenarios.

Capabilities

API security posture in the Defender CSPM plan helps customers jumpstart their API security posture by automatically onboarding all APIs within the subscription, with a single click, in a safe manner at no additional cost. API security posture management in Defender for Cloud offers the following capabilities:

  • Centralize visibility into your Azure API Management APIs. Gain visibility into APIs across all your organization's Azure API Management services.
  • Assess API security recommendations with risk factors to:
    • Identify and fix unauthenticated API risks.
    • Detect inactive or dormant APIs.

Note: There are currently 8 API recommendations, with 2 API security recommendations being enabled specifically with Defender for APIs.

  • Identify APIs exposed to the internet.
  • Discover sensitive data within API request bodies, response payloads, URL paths, and URL query parameters (integrated with Microsoft Purview).
  • Understand cloud application exposure risks by linking APIs to backend environments like virtual machines, storage and databases, and AI applications hosted on virtual machines.
  • Address API-driven attack paths and prioritize mitigation with cloud security explorer and API-led attack path analysis.

Enabling API Security posture management

With Defender CSPM you can seamlessly onboard your APIs and regularly check for risks and sensitive data exposure. This functionality can be enabled within the settings of your Defender CSPM plan.

Prerequisites

Follow the steps here for instructions on how to enable the API security posture management extension.

Unified Inventory

Defender for Cloud continuously discovers APIs published within your Azure API Management Service. You can view all APIs with posture insights in the Defender for Cloud asset inventory and API Security dashboard. This helps you address API risks efficiently.

View API Inventory

APIs onboarded to the Defender CSPM plan appear in the API security dashboard under Workload protection and in the Microsoft Defender for Cloud Inventory.

  1. Navigate to the Cloud Security section of the Defender for Cloud menu and select API security under Advanced Workload protections.
  2. The dashboard shows the number of onboarded APIs, broken down by API collections, endpoints, and Azure API Management services. It includes a summary of APIs onboarded for threat detection security coverage with the Defender for APIs workload protection plan.
  3. To see APIs monitored for security posture, apply the filter Defender plan == Defender CSPM.
  4. Drill down into the API collection details page to review security findings for specific API operations. These are visible in the side context pane when you select an API operation of interest.

Prioritize and implement API security best practices

Assess and secure your APIs against high-risk issues like broken or weak authentication. Get insights on inactive APIs and those exposed directly to the internet. Defender for Cloud scans for API risks, considering potential exploitability and business impact. Security recommendations are prioritized based on these factors, allowing you to fix critical vulnerabilities first.

Investigate API Security recommendations

API endpoints are continuously assessed for misconfigurations and vulnerabilities, including authentication flaws and inactive APIs. Security recommendations are generated with associated risk factors like external exposure and data sensitivity risks. The importance of the security recommendations is calculated based on these risk factors. Learn more about risk-based security recommendations.

To investigate your API security posture recommendations:

  1. Navigate to the Defender for Cloud main menu and select Recommendations.
  2. Toggle on Group by Title and apply the Resource Type filter, selecting API Management Operation.
  3. Review the security recommendations, affected resources, risk factors, and risk levels. Take actions to remediate API posture risks.
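
The same grouped view can be pulled outside the portal with Azure Resource Graph. The query below is an added example, not part of the original post. It assumes that API recommendations are reported against resources beneath a Microsoft.ApiManagement service (that resource ID filter is an assumption), and it reports the assessment severity field rather than the portal's risk level.

```kusto
// Added example, not from the original post.
// Lists unhealthy Defender for Cloud recommendations for API Management
// resources, grouped by recommendation title (mirrors "Group by Title").
securityresources
| where type == "microsoft.security/assessments"
| extend resourceId = tolower(tostring(properties.resourceDetails.Id))
// Assumption: API posture findings are attached to resources under
// Microsoft.ApiManagement/service (APIs and their operations).
| where resourceId contains "/providers/microsoft.apimanagement/service/"
| extend recommendation = tostring(properties.displayName),
         status = tostring(properties.status.code),
         severity = tostring(properties.metadata.severity)
// Keep only findings that still need remediation.
| where status == "Unhealthy"
| summarize affectedResources = dcount(resourceId) by recommendation, severity
| order by affectedResources desc
```

Run it in Azure Resource Graph Explorer scoped to the subscriptions where the Defender CSPM plan is enabled.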

Explore API risks and remediate with attack path analysis

The cloud security explorer helps you identify potential security risks in your cloud environment by querying the cloud security graph.

  1. Sign in to the Azure portal.
  2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.
  3. Use the built-in query template to quickly identify APIs with security insights.
  4. Alternatively, build a custom query with Cloud Security Explorer to find API risks and see API endpoints connected to backend compute or data stores. For example, you can see API endpoints routing traffic to virtual machines with remote code vulnerabilities.

Attack path analysis in Defender for Cloud addresses security issues that pose immediate threats to your cloud applications and environments. Identify and remediate API-led attack paths to address your most critical API risks that can significantly threaten your organization.

  1. In the Defender for Cloud menu, go to Attack path analysis.
  2. Filter by resource type API Management operation to investigate API-related attack paths.
  3. View the security recommendations for your API endpoints in scope and remediate the recommendations to protect your APIs from high-risk attack surfaces.

API Mapping to backend compute

Contextual analysis of attack paths and visibility into backend data stores make API attack paths simpler to understand and secure. With this context you can prioritize vulnerable APIs and focus on securing your most important vulnerabilities, ultimately reducing your overall attack surface. This mapping to backend compute also gives you a better understanding of an attacker's perspective, helping you proactively mitigate vulnerabilities in your backend data stores. This ultimately enhances your ability to lower your exposure risks and prevent data breaches.

Conclusion

API security posture management is now natively integrated into Defender CSPM and available in public preview at no additional cost. This integration provides comprehensive visibility, proactive API risk analysis, and security best practice recommendations for Azure API Management APIs. Security teams can use these insights to identify unauthenticated, inactive, dormant, or externally exposed APIs, and receive risk-based security recommendations to prioritize and implement API security best practices. 

P.S. Subscribe to our Microsoft Defender for Cloud and Microsoft Defender plans Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.


Updated Jan 30, 2025
Version 2.0