Improve your API security posture (Preview)

APIs are entry points into cloud-native apps. They connect services, apps, and data, which makes them targets for attackers. API security posture management helps protect APIs by assessing risks and misconfigurations. The Defender Cloud Security Posture Management (CSPM) plan in Microsoft Defender for Cloud offers API posture and risk assessments for your Azure API Management APIs. These assessments provide insights into risks, recommendations, and attack path analysis.

Note

API security posture management supports APIs in your Azure API Management platform if you have an active Defender CSPM plan.

Capabilities

API security posture management in Defender for Cloud offers the following capabilities:

  • Centralize visibility into your managed APIs. Get a unified inventory by automatically onboarding them into Defender for Cloud.
  • Assess API security recommendations with risk factors to:
    • Identify and fix unauthenticated API risks.
    • Detect inactive or dormant APIs.
  • Identify APIs exposed to the internet.
  • Identify sensitive data exposure in API endpoints, including requests and responses, URL paths, and query parameters (integrated with Microsoft Purview).
  • Understand cloud application exposure risks by linking APIs to backend environments like virtual machines, containers, storage, and databases.
  • Address API-driven attack paths and prioritize mitigation with cloud security explorer and API-led attack path analysis.

Unified inventory

Defender for Cloud continuously discovers APIs published within your Azure API Management Service. You can view all APIs with posture insights in the Defender for Cloud asset inventory and API Security dashboard. This helps you address API risks efficiently.

Prioritize and implement API security best practices

Assess and secure your APIs against high-risk issues like broken or weak authentication. Get insights on inactive APIs and those exposed directly to the internet. Defender for Cloud scans for API risks, considering potential exploitability and business impact. Security recommendations are prioritized based on these factors, allowing you to fix critical vulnerabilities first.

Classify APIs exposing sensitive data

Improve data security by assessing sensitive data exposed in API URL path parameters, query parameters, and request and response bodies, including the source of the data exposure. With Microsoft Purview, you can use custom sensitive information types and sensitivity labels to create a common taxonomy, covering data-in-transit risks.

Sampling

Sensitive data exposure in your APIs is assessed using sampling methods within the Defender CSPM plan. This approach saves both cost and time.

Explore API risks and prioritize remediation

Attack path analysis identifies risks to your API endpoints, especially when multiple security insights, such as unauthenticated access and external exposure, are combined. Use Defender CSPM’s cloud security explorer to enrich API risk exploration by linking APIs with backend compute environments like virtual machines and load balancers. This visibility helps security teams quickly prioritize and mitigate API attack surfaces, and offers insight into potential lateral movement or data exfiltration risks.