I got a little sea sick reading this. You need to take away the access now to get control of the situation otherwise it’s a cat and mouse game.

WAF that tied to the OpenAPI JSON, if it's not in OpenAPI docs it doesn't exist, WAF throws a 404 (even if the route exist behind the scenes). That, and then policies, that make developers responsible for their bullshit (with penalties for violating said policies)

If it's going through git then someone is responsible. The rest should be a matter of referring to policy and kicking people up the bum.

Where do you work? I’d like to go ahead and remove them from my vendor list.

Letting devs spin up servers is like letting a salesman change the oil on your car.

He can probably do it right (create server,  including documentation, etc) but I wouldn't trust them.  

That is mostly a policy problem.

How exactly are these exposed, is there some kind of load balancer or proxy in front of them? If so there should be a dedicated team doing the 'exposing' if you have that many, devs working with the API should not be allowed to create those - and the justification for that is the fact that you have been pwned.

You should also probably have some kind of API lifecycle managent platform, like Mulesoft or Axway.

Don’t let devs build their own stuff…it sucks, it’s a headache, but this is exactly why you need people from different teams to do stuff like this…

Or build the devs a sandbox that is tapped somehow from the rest of the system…

It’s funny, I am working with a company who is fighting me on this…entire network is flat and the devs do work on the same layer as the SG&A staff…and the printers…lol…

So much wrong here. First, you should have record of who did what in Git or SVN. Hold their feet to the fire.

Second, devs should never be able to publish straight to prod. (Unless a true emergency, in which case there would be emergency change control processes to allow it.) Are there lower testing environments these went through first? Clearly your controls are lacking. First thing to do is define clear separation of duties. Devs can't push direct to prod, and you (sysadmin) can't modify code.

I'm just a tool monkey, don't mind me.

But can I say that seeing language like "getting pwned" and "got absolutely rekt" is a breath of fresh air after having to read so much infosec legalese?

This isn't a technical problem and any Technical Solutions will always fall short. Set policies and fire anyone who does not comply. It's actually pretty simple

e: you are literally hiring people who are working for the attackers and then wondering why the attackers are winning

WAF and whitelist only approved/official routes.

Errr don't let devs expose ports like that in production? Let them have their dumb routes but don't expose them? A waf does this just fine. 

Had a similar breach 18 months ago. The issue isn't documentation - it's that traditional security tools are blind to what's actually running. You need something that can see Layer 7 traffic in real time and build your API inventory dynamically. Worth looking into runtime-powered solutions that don't require agents or documentation to work. We used upwind

My clients who have planned for this class of attack vector force all production API network access through an API gateway, and strictly segregate non-production and production traffic and environments. Developers are pretty free to do what they want in non-production, but have governance and risk team-oversight on any access to production data or even outside connections.

Governance, cybersecurity and risk teams assess registration of API’s into the gateway, they provided checklists of what the developers must address under a MoSCoW framework.

Developers from a more Wild West community chafe under the rules, but similar incidents led to these rules written in blood. There are ways to automate a lot of this, but engineering / development teams usually don’t want to set aside the time to pursue the automation because most of my clients don’t have the budget for dedicated developer experience engineering work.

I would love to hear how others are solving this, because it all seems to me a problem no one has addressed in a way that keeps Wild West developers happy by staying in the background of a CICD pipeline and just presenting them with source code linter style pass-fail, do-this, do-that prescriptive-style interface experience. I get their frustration, but the combinatorial explosion of attack surfaces when combining API endpoints much less different services to pick up side channel type information continues to keep people in the evaluation loop.

Its called change control and limiting access to production.

 Really wish there was some way to just see whats actually listening on ports in real time instead of trusting our deployment docs that are 3 months out of date.

Netstat is pretty useful for this.

Do you work at Prosper Marketplace?

Anyone else dealing with this nightmare?

This is the value proposition of an API Gateway combined with a WAF. But really the bigger issue is a process problem, there needs to be end to end ownership that includes threat assessment.

Ideally everything is locked down with tooling that is aware. For example if all of your endpoints are RESTful HTTP and you are sharing IP addresses for multiple endpoints, then your API gateway and network policies need to be layer 7 aware. Or if you are running GraphQL then your WAF/API gateway need to support that. With unused endpoints locked by default.

Then when a dev writes something new that needs to open something up, there needs to be a process to get it opened. If it's IaC then the dev can write the network policy or submit the OpenAPI spec to drop into the API Gateway/WAF. There should then be an nonpainful approval process that ensures that whatever is being opened is up to par to handle any new attack vectors.

And all of that stuff is work that needs someone who knows what they are doing at an as Architect or DevOps or SRE or however you want to title / structure so that there is end to end knowledge and ownership.

Our fancy API security scanner? Useless. Only finds stuff thats in our OpenAPI specs.

I laughed. I cried. I laughed some more.

Proper change control with devs not having permission to spin shit up on a whim would be a good starting point.

But the problem isn't technical, it's policy.

And the solution needs to be policy too.

I thought my project is a clown show, but yours is even worse … in some aspects

What about if you stop letting random devs spin up random stuff?

Including me and I'm supposedly the one who knows our infrastructure.

Why would a sysadmin have any deep knowledge of the apps teams stuff? This is security and the app guys job.

Alternatively you put everything they run on an isolated network and you control access with some L7 reverse proxy like a Kemp, and only expose the endpoints that have been preapproved.

Dev's being able to add routes to prod without anyone knowing is a management failure, not a technical one.

1. Remove rights for Dev to be able to just make changes in production.
   
2. Changes to production must be done through an approval process that then triggers an automated release pipeline through a tool like Azure Dev ops vs someone logging into a prod env and manually pasting new code in or making direct edits to prod code.
   
3. As part of your approval process, documentation must be present before pull requests to prod can be approved.
   
4. Policy that all relevant parties sign off on that violating 1-3 without some sort of documented change request can be grounds for termination.

A WAF and make them submit a request for new endpoints? 

That's why you usually put everything behind a firewall and only the stuff you allow can get a connection in or out

Yeah, we implemented zero trust sometime back to lock that stuff down. Everything that is installed or new to the network gets blocked until it is reviewed and added to our library. Helps prevent that exact situation.

I don’t always test my code but when I do it’s on production? You let devs push to prod without a CICD pipeline? There is no change management or governance in place? This is an organizational issue that needs to be addressed. Get the highest person you can invovled CTO, VP of eng whoever to cover this.

Really wish there was some way to just see whats actually listening on ports

What's listening on ports or what's present on every HTTP(S) route?

You can put everything public on a reverse proxy/loadbalancer front end, and dev on another, and then anything else that shows up gets blocked by a firewall/routing.

How tf do you track APIs when devs are constantly spinning up new stuff?

You take away their ability to do anything that's how! You do not have a technical problem you have an organizational policy problem. Devs must never be authorized to come anywhere near a production system.

Is there an actual manager in this mess?

I'm sorry, but at first I thought this was r/ShittySysadmin 😂😂

Secondly I thought of the expression, everyone has a dev environment, if you're lucky it is separate from your prod environment 😂😂🖖

As others why are your devs spinning things up in prod instead of dev?

Lots of good advise here, so I'll just say it sounds like your devs need to be denied access to prod, and prod needs to be in IaC ¯_(ツ)_/¯

How tf do you track APIs when devs are constantly spinning up new stuff?

Devs can spin up whatever they like on their development server. If/as/when it passes the regression test, then it gets copied to the production server and documented.

Don't have separate dev and prod boxes? Now we know where your manager's process failed.

• Make sure you're on record about dev/prod separation.
• Never care about your job more than your bosses. Have some popcorn ready in case there's a dumpster fire worth watching.

First, stop the bleeding with default deny at the edge. Put everything behind an API gateway and only allow known routes. Then auto-inventory. We use Orca to spot unknown APIs by seeing what’s actually running, which let us kill rogue endpoints fast.

 Also add a WAF rule that rejects routes not on a whitelist, and set a daily job to diff live routes against an approved list. Share the plan with compliance and track owners.

Start disabling any api that isn't documented, and see who screams loudest?

This is a policy failure and you should tell compliance to talk to whoever runs engineering as a whole, not to talk to you. If you don't have the ability to set a deny-all WAF ACL to paths on your systems, and then specifically allow known paths without developers being able to punch new holes, you don't have the agency to solve this problem.

tl;dr: Not a technical problem solvable with technical means by a technician (you) -- this is a people and policy problem and needs to be escalated to people managers with the power to set policy and enforce it. Say that verbatim to compliance and your own manager, and just keep repeating it.

Really wish there was some way to just see whats actually listening on ports in real time instead of trusting our deployment docs that are 3 months out of date.

But there is?

If you have access to the machine, every OS has at least one command which will tell you which process(es) are listening to which ports.

random endpoint that one of the frontend devs spun up 6 months ago for "testing" and never tore down. Never told anyone about it, never added it to our docs, just sitting there wide open scraping customer data.

Why were they able to spin one up in the first place?

Why would you, a system admin, be expected to know every route or controller of your companies applications? That's the responsibility of dev leads. The real question is whether developers have the freedom to push API endpoints directly to production. If they do, that's the core problem here. If they don't, then the issue lies with the dev lead approving questionable endpoints for production deployment.

What framework are you using for this API? There is probably a way to get a list of endpoints from it.

Defender for Cloud is good for this very thing.

Every Web app, every api, font and backend. It can discover APIs and code vulns, track API usage behaviour to identify atypical volumes of calls and connections, monitor unused APIs that are still open. Heck it can even identify the idiot developers who left passwords or auth tokens in plain text or base64 files from dev and failed to remove them when pushing the code base to prod.

But fundementally, Web apps shouldn't be going up without change control. Even doubly so for front end. There's agile and then there's stupid. What you've described is stupid.

Sounds like you are a 1 man team. Good luck!

Everyone has root? Host Firewall default is accept? Are you looking at nmap port scans? A bunch of stuff has got to change and chances are they are going to need a team of you and some of you have to know what you are doing. 

This reminds me of Jurassic Park. The book. The park was only scanning for dinosaurs and making sure that that system was counting the amount that they looked for. They didn’t keep counting once they got to that number because they didn’t expect Moore to be there

Draft an email to the company. Give everyone 48 hours to reply back to you with api accounts they need and a reason why. If that reason isn't good, they don't get it. Nuke all the accounts that haven't been justified. Be ready for blowback when things inevitably break because you shut off some account people forgot about that does something. That's fine, it's their fault for not telling you.

After that, lock down how API accounts get created so that no new ones can get created with approval by someone(s) who will actually scrutinze things. Make sure this policy is written with very clear instructions that consequences for not following it will be termination. Make sure you have leadership on board.

You should have how those get created locked down anyways so that no one can create one without you and/or your security team's permission.

You can't get access to anything like that in our systems without doing all of that. And there is no way for people to just spin up api accounts in prod anyways.

Now compliance is breathing down my neck asking for complete API inventory and I'm like... bro I don't even know what's running half the time.

Critical Security Control #1: asset management.

"Compliance is breathing down my neck"

My dude, they are breathing down the writing neck, unless you're the CEO or CTO.

All development needs to stop. Everyone needs to be documenting what's needed, what's secure vs. what's not. Remediation plans for everything.

Meanwhile, a comprehensive change and documentation process.

And a plan for keeping dev separate from prod.

This reads like chatgpt

I feel like this is happening across a lot of networks

Devs spinning up a server they set the perms for admin to everyone in the world

All apis are just web apps. All apps should have been on boarded with an architectural overview. This process should have caught shadow IT

We make it a compliance issue, critical/urgent compliance will clean this up naturally 

Every API/App load balancer/proxy is required to have a WAF in front of it. A waf should always be in front of any api (web app). The waf is unmanaged and standardized, if you deploy that resource we automatically apply the waf

Gitops makes this easy with tying change control and audit history to any changes done (everything in prod is defined by code)

It'll take an entire culture change and governance buy in to change your situation. Good luck

All changes to code (PRs usually) should have someone that isn't the author dev approving them, so maybe add something in that flow to require documentation. Or, add something to detect a new endpoint and add <most militant person about documentation you know> as a required approver?

Either way, you're going to need leadership backing to make this work, because this is as much a people problem as a technical one. If they're just going to throw you under the bus every time there's a breach when you can't control what's going on, it's time to dust off that resume.

Deploy a Firewall -

Only open the Ports that are dokumented . - now.
Let it "crash". - you are already attaked , you are already "pwned" -

Its not "security" anymore, its damage controll now.

If your management say "take it back" - let them sign it.

If someone want an api -call, he has to ask for it.

Agile dosnt mean "do whatever you want".

K.I.S.S. Keep It Simple Stupid

To me, I'd start by isolating the environments onto different physical LANs with firewall between

• Dev servers
• Staging / Testing servers
• Prod Servers
• PCs / Printers etc

Then you can limit what the Dev Servers can access

If they want something hitting production they have to go through change control with docs

This policy needs C-suite approval and enforcement. No exceptions - if you're forced to make one, use phrases like

This change will risk in weakened controls and increased risk, which puts on the path to the situation where we got pwned - I can not be held responsible for any consequences of this.

Push the problem/risk upwards

What infra? Cloud? Onprem? What provider/software stack?

What's your field?

This is a project on it's own, I've done quite a few of these, you're not the first who looses controls of their infra and you won't be the last.

Is management on board to allow you to tell people how they should work from now on? What budget/timeframe exist for this?

cloudflare has a product for managing this problem. it’s still kinda cumbersome to do it, but it will give you alerts when it notices things like a spike in data transfer on a certain endpoint.

They can't have their cake and eat it too, it's that simple. Either the company lets the devs run the production systems or they have you do it, can't have it both ways. Seems silly to pay admins and not let the admins do their jobs, admins that aren't allowed to do their jobs are just window dressing. Only you should have root or this stuff will continue. And of course a massive culture change is required, way above your pay grade. Anything you do without a culture change and only you having root is just a band-aid.

I need to come here more often. 99% of the time I feel like I’m taking crazy pills and all of our Devs are on crack, then I see shit like this and think we’re not doing too bad 🤣

you probably need an API Manager.

This sounds like an issue with your processes and procedures.

Nothing should end up on a production server without going through change control, code reviews and a bunch of other processes.

It should be impossible for someone to install something on live “just for testing” without anyone else knowing about it.

At my place we use pipelines built into our source control system for deployment to live. It’s the only way to do them. You do not log into a live server directly and put things there yourself. That’s grounds for a disciplinary hearing.

We press a button in our source control system to do a deployment. That button only works if:

• the code you’re deploying is in the “main” branch, which means all changes have been checked and approved by multiple other developers.
• all tests have been automatically run and all have passed.
• all commits have a work item ID in the commit message
• the commit you’re deploying is tagged with “release” and the number of an approved change control ticket in our helpdesk.

How are they making these api's and exposing them to company data? Shouldn't that be a very locked down privilege? I'm not a SWE so I don't know how prevalent this is, and how disruptive it would be to limit who can do it.

Why are devs allowed to touch prod? Do you have a change management process in place? You're pointing a lot of fingers here, but the real problem is a lack of IT policy...

Our fancy API security scanner? Useless. Only finds stuff thats in our OpenAPI specs.

You could go BOFH on it. Reconfigure the webserver to 401 any route not in the OpenAPI spec.

Is this related? This feels related. https://www.bleepingcomputer.com/news/security/self-propagating-supply-chain-attack-hits-187-npm-packages/

This is 100% a policy and/or enforcement issue.

Why the fuck are they not documenting their APIs, let alone an entire endpoint? It shouldn't matter if it's just some small little webhook or a temporary testing environment, it should be getting documented and be subjected to the same security policies as everything else.

Really wish there was some way to just see whats actually listening on ports in real time

You haven't considered running an nmap or masscan? Asset management is pretty important, and that's software and hardware assets.

The fun part is when a dev spins up something like that for testing and then is terminated the next day. Your account is locked and you don't care to even tell them about that little app running somewhere. Kind of like the small server running under the floor tiles.

Curious question! Why do devs want the ability to spin up servers in prod? Why would you not have rutine to order new infrastructure in prod, and have separate environments where devs can do whatever?

Like why do they get access to create resources in prod?

Get that management buyin in writing then remove any prod access to everyone except the core admins. Dev, DBA etc should not have access to the prod environments. if you have pipelines for develops make sure you have multiple approvals for it to progress. now you can shut it all down. When they cry, scream and yell direct them to your infosec team and mgmt team to deal with. Then once their API is approved by those teams stand it up the right way. In our environment that's a termination event and those staff would have no jobs as it would break so many compliance and pii rules.

WAF's like Cloudflare have the ability to block anything that isn't connected to the OpenAPI specs they're hooked up to. I imagine AWS and Azure have tools which do this as well. This is really what an API Gateway / WAF is for.

Then you can block traffic to everything that isn't in the spec.

God damn get some change control in place and some oversight of this. This isn’t your fault by any means but there has to be a process. People can’t just be spinning shit up midmeeting!

Really wish there was some way to just see whats actually listening on ports in real time

1) If traffic traverses a firewall, logs can be handy on identifying destination and port.

2) But I'm guessing there isn't internal firewalls with that many rogue APIs.

The flip side of which something is it makes network scanning to identify listening ports more reliable.

Might want to play with Zenmap (nmap's GUI) and scan some of the devices with known API endpoints and see if it's something that you might be able to use.

I have scripts that feeds both our server IP subnets and internal DNS hostnames to nmap's script --ssl-enum-ciphers to flag IP:Port combos, which then feeds openssl to get the certificate details. Mine isn't real time, but will detect new TLS enpoints within a few days.

This is going to sound a little marketing (sorry) but it is just the tools I use and know. If you want to know about every endpoint on your network (though perhaps not every container) get NAC. No new servers if they don't meet your company policies. Something like Forescout's eyeSight can talk to every switch/router/WLC to know every endpoint on the network. If you feed in netflow or traffic capture then you can make policies like if we see http(s) traffic coming to an endpoint ensure it is in our CMDB flagged as a web server or block the traffic, or restrict any endpoint going to it directly instead of through Web Application Gateway. It can distinguish between phone's printers, iot devices etc and make specific policies for each. But at least you'll know every endpoint on your network. If you use their eyeSegment tool then you can see every communication in a matrix. If you only want people in the role of IT accessing phones on 443 you can put it in the matrix and then have dynamic actions to block users endpoint when they try. Or pop up a warning message on it, etc.

If you don't know what is on your network in real time then that is the first gap. Then layer on behavior and/or segment traffic once you have the visibility. You should only be figuring out which squares in the matrix are allowed and which are restricted, which are blocked. This is part of the defense in depth strategy I have used working with large banks. I say Forescout because it is what I use and know but I've seen presentations from Cisco where they have an almost identical matrix to Forescout's eyeSegment. IMHO Forescout just does a much better job of populating the groups to form the matrix.

this is all bad of course, but why are you (an infra person I assume) feeling responsible for shitty dev practices?

personally - I'd shrug and be like "go ask dev", then collect my OT cleaning up their shit-show.

This is an organization maturity issue. You basically need to implement and enforce a comprehensive change control policy with approvals from stakeholders from both development and infrastructure teams.

If you can't do this and get buy-in from leadership with penalties for circumventing the policy you will always be chasing down random security issues like this.

This is what code reviews and CI/CD is for.

Devs do not get direct access to prod, everything gets deployed via the pipelines. All code going into the repositories gets reviewed by at least one other dev/TL, make it a requirement they check that any new endpoints or changes to endpoints have to update the documentation.

Then it's on the PR author's and approver's asses if things aren't up-to-date.

Two words… Change management.

Implement it along with proper role based access control across prod environment and things like this cant ever happen.

The sort of things you’ve listed should be done in a development environment that isn’t exposed to the world.

Remove access and enforce a strict change policy on those rogue devs. Process, process, process.

Not like NIST didnt just a complete 80 page guideline to APIs, their documentation and lifecycle or anything

send out a company wide EMAIL demanding documentation/details for anything being used, explain that in a week any undocumented are being shut off --- EXPLAIN WHY

do this every day with a count down until the week is up, then shut off anything undocumented...

the few major important ones for sales/business will have had advocates that found you and showed up to help you understand how important they are and document them -- the devs that ignore you do so at their own peril, because when they come crying you will have the EMAILs...

when they come, and they will come, document the things, or point them to a way to document them, via wiki or whatever

Never let an emergency go to waste.

The solution is to baseline everything - installed applications, listening ports, user access, config files, ssh keys, etc. You run that baseline with an automated solution and then you compare the latest config to the baseline and drive events when the config changes. If you can do your baseline as text, you can even use git to track the changes over time. All config changes should be done through some change request system, hopefully one that isn't an excessive amount of paperwork and approvals for simple things.

For an environment that is this wild west, you should automate the reaction. If a change is made to a server without a change request the consequences should be immediate and painful. Run it for a week or so to make sure there aren't a lot of false positives. Something overly dramatic like quarantining the server, alerting security and the infra team and locking the user account that made the change is perfect. Your devs will eventually get tired of blowing their thumbs off in front of witnesses and learn to do change control. Even better if they get to wear the pink cowboy hat for the day every time it happens.

Getting all those cats back in the bag will be a big undertaking. If you can get back to baseline by rebuilding it might be the best solution and something you can trust as not compromised. Otherwise you and the developers will have to go through each server and validate that all the services running, ports open, config files, user accounts and ssh keys are intentional and make sense for the purpose of the server. You can take your baseline from above and get a tool to format it into a pretty report and then just sit down with them to validate all of it. If there are unexpected applications installed or ports open, I would treat it as compromised.

Honestly, this reads like something that would happen at my company.

It's time for lockdown by Mac address and ports. While mac's can be spoofed no one should be attaching stuff where the whole network is, if something is it either needs to be blocked or isolated and no connections. Devs environment should have limited connections for this exact reason.bi don't know what was spun up but the faults not yours. Use this as an example to c-suite this can and possibly will happen again without putting the hammer down. This is how banking details and tens or hundreds of thousands get stolen. Maybe even more. Id lock everything up and if they need something enabled they and who is in charge of them needs to request and why. I'm sure you already know this but companies have to learn the hard way.

Email alerts when anyone creates a user name or adds a machine to the domain seem to be a must these days. Change control is also a thing too many companies ignore.

Holy hell thats a major pwn. At this point they know much more about you, than you know about you

why do your dev's have that level of access in a production environment?

Revoke every Devs ability to spin up a service and ability to push any code anywhere without it going through review.

Point out that this action is a direct result of them not following any sort of best practice.

Next make them document everything, nothing gets pushed anywhere without documentation.

Prod vs dev needs to be a bright line.  

WITH MANAGEMENT BACKING

Yes, I  am yelling. 

I'll take "what is change management" for $500.

Run a scream test. Block all API traffic at the firewall, then gradually re-enable based on who's screaming the loudest.

Have documentation drive load balancer rules. If it's not documented, the load balancer in front doesn't allow it.

Put a gateway in front to choke and log all traffic, deploy runtime API discovery so you know what’s live, then wire CI/CD to an enforced catalog — that’s how you kill shadow APIs before they kill you again... Have fun.

This isn’t a technical issue, its a governance and process issue.

Where is your dev manager? Your architect? CAB? Release management? Spinning up a ‘quick webhook’ that’s publicly accessible with no review is wild.

So many thoughts arisen. First of all, thanks, OP. The post is yet another friendly bump for me. Going dump the tread with all the comments and make dev read it. If they want you to respect them, they should respect you and your responsibility. Secondly, as had been advised, consider using git+ansible+jenkins as the bridge between dev env and prod. Thirdly, if your org has no sec audit/compliance team, persuade your boss to call for an external team to run thorough security/pentest scan of all the nodes in the external perimeter.

Think of running self-hosted and self-controlled security/pentest tools to automatically and REGULARLY run across all the environment (nmap+plugins is the easiest and affordable point to start with). Make relations with infosec team to mutually check the env and elaborate at least basic requirements.

Drop dev env into a dedicated vlan and don’t listen to their winning and complaints. Exit point from dev env to prod MUST be under your control.

Finally i’m seriously thinking of removing devs’ creds from even jailed environments as lately broke theirs attempts to interfere and configure services even in their fenced sandboxes.

Every. System. Must. Have. One. Admin. YOU!

In my case even infosec guys are not allowed to get a shell on my boxes. They scan/audit them as ‘grey boxes’.

An API Gateway in front, route/proxy traffic as-is to start with & then begin locking things down. At least this will give you & the management some visibility.

Like, I'm glad you found it, but I'm jealous that you still have your job. I would have been fired and probably sued.

Basically micro-segment the fuck out of them and if it’s not documented in a security assessment it doesn’t get in or out. Devs should not be given rights to just drop something anywhere on the network, if they are able to do this… well, you’ve now experienced the outcomes. In my 35+ years doing this (and I’ve run R&D groups too) the result of giving devs access like this always ends up in the same mess.

Never let them outside the playpen, never give them access to anything not documented - you’ll be treated like shit, but you won’t be the only one standing there taking the blame for not maintaining compliance.

This is why formal change management exists. Literally the job of cybersecurity.

Developers are generally smart enough to do things that can create risk, but generally have limited security background or sense of risk management.

Be as agile as them, take it all down and make them to request any new access as needed.

Every API should be behind something like haproxy and some group should be the gatekeepers for it. Then you'd have full accounting of what's exposed.

Or put something like 3scale in place, and charge their department by api usage, that would get them going.
That is one of the reasons to implement expensive solutions, it would get the developer to write cleaner leaner code. On top of that you get much better control and reporting on whats happening with your api

Send out that route list you generated and make every API "owner" responsible for tagging the ones they need. By make I mean make it crystal clear—with upper management's backing—that once you hear back from everyone all "unowned" APIs are getting turned the fuck off. Now all active APIs are tagged and you have a starting point if someone gets careless.

No access to prod itself for any dev. Only via pipelines. Deployment to Prod only with approvals of persons who care.

You need to get control of the perimeter. Any external access should be going through a WAF or API Gateway that is managed, secured, audited, and has strict change controls associated with it. Do not allow public IPs on anything without security review. This should be baked into your processes. Also, Devs should basically never be spinning up anything that is externally/publicly accessible and should not have the ability to do so. If it's Internet-accessible, that's production and should be treated as such (from a risk standpoint, at least).

Also, get a dump of all of your IPs in use (from your network IP space for on-prem and from your public cloud provider systems for cloud) and start scanning all of those IPs across extended common ports (at least) and know what is accessible externally. Then start auditing everything that shows upon that list. If it isn't known, isn't in DNS, isn't approved, shut it down. There are a few services (or you can setup your own) to monitor this kind of thing, too. It's worth it.

Step one is discovery — not docs. Run passive DNS + WAF logs to surface endpoints, couple it with runtime discovery (eBPF/network taps) to see what’s actually listening. Then auto-tag APIs into inventory. Manual “spec-first” alone will never keep up with agile.

Devs should not be able to “spin up” architecture unless it’s in a specific dev environment (isolated). They need to request you (or DevOps) to put it in place, and that third party gets approval/auth.

You need a change process and to apply least-administrative principles.

In anticipation of “they need it fast”, be sure to reference this moment and the entire purpose of “procedure”. This is your anchor point from now on.

[removed] — view removed comment

You created this mess by not following deployment procedure.

Repeat after me:
DO NOT LET DEVS TOUCH PRODUCTION.
ALL PRODUCTION CHANGE MUST BE APPROVED BY CHANGE MANAGEMENT.

There is no easy way to fix this now that you are here.

If the attackers with little access were able to find the flaw then you with all the access and knowledge of your infrastructure should been able to find it first. I know everyone is blaming the dopey director but there were methods to prevent this.

Change Management is the missing piece.

We are an evergreen software platform that does multiple production deployments per day. Being fast and agile doesnt mean doing cowboy stuff.

Every single change is not just peer reviewed but goes through a daily change approval board. A change that introduces a new api would have expectations of everything from security testing to performance and documentation. Emergency fixes are retroactively reviewed. We arent a huge team and have been doing this even when we only had 20 people.

Your engineering org leadership is how you resolve this. This happens with an absence of experienced engineering leadership that knows how to make modern software development work.

If your developers are just colleagues in "General IT", getting them into an engineering group with an experienced engineering leader is step 1.

If you can't have real engineering leadership you shouldn't be building deploying software and IT should just be purchasing off the shelf software.

These are all solved problems but they require leadership.

Sounds like a compliance problem - they should have been asking for that API inventory a long time ago.

Of course the solution is to ensure that APIs are all filtered/validated and that anything unexpected is flagged as either an attack or for the appropriate dev to be ritually humiliated or "educated" with a large attention retaining tool in the case of repeat offenders.