Cover Your SaaS: Ungoverned APIs

October 1, 2016 By David Torre

Ungoverned APIs

Ungoverned application programming interfaces (APIs) are perhaps one of the most common cloud security mistakes I see. While APIs are generally a good thing (they enable automation such as cloud-to-cloud data synchronization and cross-application orchestration) they also provide wholesale access to corporate data.


Perhaps because we’re human ourselves, we tend to focus on what the humans are doing within a given system. Unfortunately, human activity is only half of the equation. APIs are designed to provide broad access to data and business functions within a cloud solution, sometimes without an associated user account. So while end-users enter the system through one door (a web or mobile UI) and use a specific authentication scheme (standalone passwords or SAML), the APIs typically have a different entry point (REST, SOAP) and different authentication methods (HTTP Basic, OAuth).


Open / ungoverned APIs can lead to:

  • A bad actor slurping your entire or Google Apps document repository, despite having strong user-level authentication.
  • HR solutions such as Workday or NetSuite being vulnerable to former developers, who still possess legacy credentials, and thus may grab every ounce of employee PII you own.
  • The enterprise’s email solution such as Gmail or Office 365 providing full, privileged access to every email, attachment, and address book entry.
  • Video conferencing compromises, whereby APIs are used to record sensitive business meetings.
  • The list goes on and on…


Taking Action

Regularly review your API configurations and pay special attention to enterprise-scoped API keys and tokens. It’s imperative to have accounting around which endpoints are being accessed, and by whom.
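As an added illustration (not from the original post), the sketch below performs that review on a credential inventory and an API access log: it flags enterprise-scoped keys, keys whose owner has left, and keys that have not been rotated, then tallies which endpoints each owner's keys called. The field names, key IDs, log format, and the 365-day rotation threshold are all assumptions constructed for the example; real SaaS exports will differ.

```python
import json
from collections import defaultdict
from datetime import date

# Constructed sample data: a credential inventory exported from a SaaS admin
# console and a few API access-log records. All field names are assumptions.
CREDENTIALS = [
    {"id": "key-01", "owner": "alice", "scope": "enterprise", "last_rotated": "2014-03-01"},
    {"id": "key-02", "owner": "bob", "scope": "user", "last_rotated": "2016-08-15"},
    {"id": "key-03", "owner": "carol", "scope": "enterprise", "last_rotated": "2016-09-01"},
]
ACTIVE_EMPLOYEES = {"bob", "carol"}  # alice has left the company
ACCESS_LOG = """\
{"key": "key-01", "endpoint": "/v1/employees", "ts": "2016-09-28T02:14:00Z"}
{"key": "key-01", "endpoint": "/v1/employees", "ts": "2016-09-28T02:15:00Z"}
{"key": "key-03", "endpoint": "/v1/documents", "ts": "2016-09-29T10:00:00Z"}
{"key": "key-99", "endpoint": "/v1/mail", "ts": "2016-09-30T23:59:00Z"}
"""

def review_credentials(creds, active, today, max_age_days=365):
    """Return {credential id: [findings]} for credentials needing attention."""
    findings = defaultdict(list)
    for c in creds:
        if c["scope"] == "enterprise":
            findings[c["id"]].append("enterprise-scoped")
        if c["owner"] not in active:
            findings[c["id"]].append("owner no longer active")
        age = (today - date.fromisoformat(c["last_rotated"])).days
        if age > max_age_days:
            findings[c["id"]].append(f"not rotated in {age} days")
    return dict(findings)

def account_access(log_text, creds):
    """Return {(owner, endpoint): call count}; keys missing from the inventory map to UNKNOWN."""
    owners = {c["id"]: c["owner"] for c in creds}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        counts[(owners.get(rec["key"], "UNKNOWN"), rec["endpoint"])] += 1
    return dict(counts)

if __name__ == "__main__":
    today = date(2016, 10, 1)
    for cid, notes in review_credentials(CREDENTIALS, ACTIVE_EMPLOYEES, today).items():
        print(cid, "->", "; ".join(notes))
    for (owner, endpoint), n in sorted(account_access(ACCESS_LOG, CREDENTIALS).items()):
        print(f"{owner:8} {endpoint:15} {n}")
```

A key that shows up in the access log but not in the inventory (the `UNKNOWN` row) deserves the same scrutiny as a key belonging to a departed owner.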

Securing your APIs requires different skill sets than those of “traditional” network security teams. Knowledge of programming as well as modern web and mobile authentication methodologies is required.

There are more and more solutions that can help security teams review API posture. Sadly, every cloud solution is just a tad different and thus special tooling is often required to automate the monitoring of API security across the enterprise.



About David Torre

David Torre is a business technology veteran with years of experience coupled with degrees in both information systems and business intelligence. This combination of skills has enabled David to provide enterprise solutions to well-known companies who face some of the toughest challenges in the business world today.

David currently resides in the San Francisco Bay Area where he runs Center Mast, LLC.