AzureFeeds

APIs are the front door to modern cloud applications and increasingly, a top target for attackers. According to the May 2024 Gartner® Market Guide for API Protection: “Current data indicates that the average API breach leads to at least 10 times more leaked data than the average security breach.” This makes comprehensive API visibility and governance a critical priority for security teams and cloud-first enterprises.

We’re excited to announce that Microsoft Defender for Cloud now supports API discovery and security posture management for APIs hosted in Azure App Services, including Function Apps and Logic Apps. In addition to securing APIs published behind Azure API Management (APIM), Defender for Cloud can now automatically discover and provide posture insights for APIs running within serverless functions and Logic App workflows.

Enhancing API security coverage across Azure

This new capability builds on existing support for APIs behind Azure API Management by extending discovery and posture management to APIs hosted directly in compute environments like Azure Functions and Logic Apps, areas that often lack centralized visibility.

By covering these previously unmonitored endpoints, security teams gain a unified view of their entire API landscape, eliminating blind spots outside of the API gateway.

Key capabilities

• API discovery and inventory
  Automatically detect and catalog APIs hosted in Function Apps and Logic Apps, providing a unified inventory of APIs across your Azure environment.


• Shadow API identification
  Uncover undocumented or unmanaged APIs that lack visibility and governance—often the most vulnerable entry points for attackers.


• Security posture assessment
  Continuously assess APIs for misconfigurations and weaknesses. Identify unused or unencrypted APIs that could increase risk exposure.


• Cloud Security Explorer integration
  Investigate API posture and prioritize risks using contextual insights from Defender for Cloud’s Cloud Security Explorer.

Why API discovery and security are critical for CNAPP

For security leaders and architects, understanding and reducing the cloud attack surface is paramount. APIs, especially those deployed outside of centralized gateways, can become dangerous blind spots if they’re not discovered and governed. Modern cloud-native applications rely heavily on APIs, so a Cloud-Native Application Protection Platform (CNAPP) must include API visibility and posture management to be truly effective.

By integrating API discovery and security into the Defender for Cloud CNAPP platform, this new capability helps organizations:

• Illuminate hidden risks by discovering APIs that were previously unmanaged or unknown.


• Reduce the attack surface by identifying and decommissioning unused or dormant APIs.


• Strengthen governance by extending API visibility beyond traditional API gateways.


• Advance to holistic CNAPP coverage by securing APIs alongside infrastructure, workloads, identities, and data.

Availability and getting started

This new API security capability is available in public preview to all Microsoft Defender for Cloud Security Posture Management (CSPM) customers at no additional cost. If you’re already using Defender for Cloud’s CSPM features, you can start taking advantage of API discovery and posture management right away.

To get started, simply enable the API Security Posture Management extension in your Defender for Cloud CSPM settings. When enabled, Defender for Cloud scans Function App and Logic App APIs in your subscriptions, presenting relevant findings such as security recommendations and posture insights in the Defender for Cloud portal.

Helpful resources

• Enable the API security posture extension


• Learn more in the Defender for Cloud documentation