High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.
Organizations don’t always write all of their own APIs. For many organizations, production APIs in use extend beyond only in-house developed APIs. 3rd-party developed APIs (sometimes referred to as ghost or ghostwritten APIs) are commonly deployed and used as part of packaged applications (commercial and open-source), SaaS-based services, on-premise and cloud-based infrastructure components (such as an admin API on a virtual appliance), and more. Organizations exert no influence over how the APIs are developed and must trust that outside developers followed API security best practices. 3rd-party APIs are used daily as part of a functional digital supply chain or serve as critical interfaces to 3rd-party infrastructure management. In some cases, 3rd-party APIs are unintentionally and unknowingly exposed as part of a packaged application, no-code platform, or appliance rollout. In either case, because the 3rd-party developed APIs are written and published outside the typical DevOps cycle that an internally developed API flushes through, they frequently have not been properly inventoried, governed, tested, monitored, and maintained.
This poses a large array of security risks to an application and its underlying infrastructure. At the end of the day, the fact that you didn’t write an API that is exposed and in use in your environment doesn’t give you a security pass.
You are still responsible for ensuring those APIs are inventoried, secured, maintained (kept up to date) and monitored for potential vulnerabilities and abuse.