API catalogue
API catalogue provides visibility into the APIs discovered for the protected application. APIs cataloged in AppSentinels Security Platform are tagged by their characteristics (authentication status, security status, origin status, and so on), assigned a Risk Score based on those characteristics, and tracked for their activity (first discovered and last observed). Operational data such as API call volume, data transfer volume, and error volume are also accumulated over time.
API catalogue is accessible from the API Catalogue tab in the left navigation menu. API catalogue is displayed in two views: Summary view and APIs List view.
Summary view is a collection of widgets with Context, Risk Distribution, Activity Distribution, Method Distribution, and other statistics. APIs List view is a listing of the discovered APIs with their characteristics, activity details, Risk Score, and other operational data.
In the List view, the APIs are listed with the following data:
API Characteristics
Characteristic | Description |
---|---|
Shadow API | API is not present in the AppSentinels-generated or predefined OpenAPI schema. Such an API is usually hidden from the purview of security tools and API gateways and may also have been created and published without a security review. |
Privileged API | API is used for privileged tasks such as signing up, logging in, or resetting the password, or is used by privileged users. |
Unauthenticated API | API is called without an authentication token. |
Authenticated API | API is called using an authentication method. |
Unused API | API has not been seen in the environment for the last 30 days. |
Sensitive API | API carries Personally Identifiable Information (PII) or other sensitive data in its requests or responses. |
Public API | Calls to the API are made from the public network. |
Internal API | Calls to the API are made from the private network. |
API protocol type | Type of protocol the API is using (REST, GraphQL, and so on). |
New API | API was discovered in the last seven days. |
API training stage | Stage of AppSentinels AI training the API is in (In Progress or Completed). |
Endpoint
The HTTP method and path that identify the service offered by the API. For example, POST /rest/user/login.
Host
The domain name or IP address of the host that serves the API. For example, juice-shop:8000.
First Discovered
The date and time when the API was discovered.
Last Observed
The date and time when the last call for the API was made.
Auth
Whether calls to the API carry an authentication method: No, Unknown (AppSentinels could not determine the method), or Yes, in which case the method observed is shown (for example, bearer.jwt).
Risk Score
AppSentinels assigns a Risk Score to the API based on the following risk attributes: access mechanism (public or internal), use of an authentication method, Shadow status, Privileged status, sensitive data in the API, and the API method. The Medium and Low tiers are derived from the number of risky attributes; the High and Critical tiers are driven by scan findings and observed attacks and take precedence over the attribute count.
Risk Score | Criteria |
---|---|
Critical | API has been under attack by one or more threat actors |
High | API has Passive scan or Active Scan vulnerabilities |
Medium | API has more than two risky attributes |
Low | API has up to two risky attributes |
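The characteristic tags and the Risk Score tiers above can be read as a small set of rules. The following is an added example that models those rules over a constructed catalogue; it is not AppSentinels code, and the real platform's weighting is not documented on this page. The schema endpoint set, the sample records, the pinned clock, and the choice of which HTTP methods count as risky are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Optional

# Pinned "now" so the example is deterministic (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Endpoints present in a constructed OpenAPI schema; anything else is Shadow.
SCHEMA_ENDPOINTS = {("POST", "/rest/user/login"), ("GET", "/rest/products")}

@dataclass
class ApiRecord:
    method: str
    path: str
    host: str
    first_discovered: datetime
    last_observed: datetime
    auth: Optional[str]          # e.g. "bearer.jwt"; None means no token observed
    client_ips: tuple            # source addresses seen calling the endpoint
    sensitive_data: bool         # PII or other sensitive data in requests/responses
    privileged: bool             # signup/login/password reset or privileged-user use
    under_attack: bool = False   # one or more threat actors observed targeting it
    scan_findings: int = 0       # passive/active scan vulnerabilities

def characteristics(api, now=NOW, schema=SCHEMA_ENDPOINTS):
    """Tag an API with the characteristics listed in the catalogue table."""
    tags = {"Authenticated" if api.auth else "Unauthenticated"}
    if (api.method, api.path) not in schema:
        tags.add("Shadow")
    if api.privileged:
        tags.add("Privileged")
    if api.sensitive_data:
        tags.add("Sensitive")
    if now - api.last_observed > timedelta(days=30):
        tags.add("Unused")
    if now - api.first_discovered <= timedelta(days=7):
        tags.add("New")
    # Public if any caller came from a routable (non-private) address.
    if any(not ip_address(ip).is_private for ip in api.client_ips):
        tags.add("Public")
    else:
        tags.add("Internal")
    return tags

# Assumption: the page does not say which HTTP methods count as risky;
# state-changing methods are treated as risky here.
RISKY_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
RISKY_TAGS = {"Public", "Unauthenticated", "Shadow", "Privileged", "Sensitive"}

def risk_score(api, tags):
    """Observed attacks and scan findings override the attribute count."""
    if api.under_attack:
        return "Critical"
    if api.scan_findings > 0:
        return "High"
    risky = len(tags & RISKY_TAGS) + (api.method in RISKY_METHODS)
    return "Medium" if risky > 2 else "Low"

# Constructed sample records; 8.8.8.8 stands in for any public caller.
SAMPLE = [
    ApiRecord("POST", "/rest/user/login", "juice-shop:8000",
              NOW - timedelta(days=90), NOW - timedelta(hours=1),
              None, ("8.8.8.8", "10.0.0.5"), True, True),
    ApiRecord("GET", "/rest/products", "juice-shop:8000",
              NOW - timedelta(days=90), NOW - timedelta(days=45),
              "bearer.jwt", ("10.0.0.5",), False, False),
    ApiRecord("DELETE", "/api/Users/42", "juice-shop:8000",
              NOW - timedelta(days=2), NOW,
              "bearer.jwt", ("8.8.8.8",), True, False, scan_findings=1),
    ApiRecord("POST", "/rest/user/reset-password", "juice-shop:8000",
              NOW - timedelta(days=10), NOW,
              None, ("8.8.8.8",), True, True, under_attack=True),
]

def catalogue(records=SAMPLE, now=NOW):
    """Build list-view rows: endpoint, characteristic tags and Risk Score."""
    rows = []
    for api in records:
        tags = characteristics(api, now)
        rows.append({"endpoint": f"{api.method} {api.path}",
                     "host": api.host, "tags": tags,
                     "risk": risk_score(api, tags)})
    return rows

if __name__ == "__main__":
    for row in catalogue():
        print(f"{row['risk']:9} {row['endpoint']:32} {sorted(row['tags'])}")
```

Running the block shows the login endpoint landing on Medium from its attribute count alone, the stale products endpoint tagged Unused and Internal at Low, the out-of-schema DELETE endpoint raised to High by a scan finding, and the password-reset endpoint raised to Critical by observed attack activity regardless of its other attributes.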
Calls
The number of calls made using the API.
Content Transfer
The volume of data transferred for API calls.
Client Error
The number of client-side errors (HTTP 4xx responses) seen when calls were made using the API.
Server Error
The number of server-side errors (HTTP 5xx responses) seen when calls were made using the API.
P90
The 90th-percentile response latency (in milliseconds): 90% of the calls made using the API were served within this time.