
Shine a Spotlight on Shadow APIs To Improve Security

Application programming interfaces (APIs) have accelerated companies’ digital transformation. They govern how software components interact and are discovered across the web, Internet of Things (IoT), mobile, and SaaS applications. APIs link internal systems, enable close connections with other businesses and facilitate co-innovation with partners.

Yet, APIs are also a weak link when it comes to cyber security. APIs are being deployed so fast and at such scale that companies risk both not knowing what they have, and losing control of them, including exposing vital data and processes. It’s never been easier to implement APIs. The Programmable Web lists over 24,000 public APIs. Technology powerhouses including Microsoft Azure, Amazon Web Services, and Google Cloud are foundries for APIs and their marketplaces are growing rapidly.

The growing risks of poorly secured APIs

Such growth has led to the rise of shadow APIs – third-party APIs and services that a company uses, but does not track. Companies may use hundreds or even thousands of APIs, many of which IT teams don’t know about. In addition, developers may forget to decommission legacy or “zombie” APIs that have been replaced, but not retired. These unmanaged APIs significantly increase companies’ risks. In 2019, the Open Web Application Security Project (OWASP) published a “top 10” list of API security vulnerabilities that includes broken object-level authorization, broken user authentication, and excessive data exposure. These threat vectors grow exponentially as the number of shadow APIs grows.

Gartner has predicted that “By 2022, application programming interface (API) attacks will become the most-frequent attack vector, causing data breaches for enterprise web applications.”

Shadow APIs require a new security approach

Much like cloud services, APIs require a multi-layered approach to security. Efficiently and effectively discovering and managing APIs can be done by creating an online directory using a Software as a Service (SaaS) platform. Online tools enable real-time discovery and provide metadata that shows how APIs work in context, whereas static lists represent just a development team’s best guess of these holdings at a single point in time.

Teams that have online catalogs can see the unique business logic of all APIs, as well as the sensitive data flowing to and from them. This vital information enables IT and security teams to implement effective security controls and detection signatures. By detecting which APIs are vulnerable due to design errors or specification faults, teams can proactively secure them. And if they detect a change in API behavior that indicates misuse or an attack, IT and security experts can move swiftly to remediate or decommission them.

Create a new culture of API security

To date, developers have been in a Catch-22 when it comes to API security. Due to their companies’ boundless appetite for digital growth, they’re constantly creating and pushing new code. According to the ESG report, “Modern Application Development Security,” “most [developers] think their application security program is solid though many still push vulnerable code.” The top reasons for releasing code with possible attack vectors include:

  • developers or teams were under pressure to meet release deadlines,
  • the vulnerabilities were considered low risk, and
  • the vulnerabilities were found too late in the software development lifecycle.

The use of an online directory helps create a strong DevSecOps culture, where security is considered upfront, rather than close to code release when the pressure is the greatest. Developers can use the online directory to automatically conduct distributed tracing of an individual application’s request from the user to the edge, data source, and back, across external APIs, internal APIs, and microservices. Aggregated information can be pulled into a data lake for analysis, eliminating manual work such as logging and reviewing activity data. Seeing how APIs behave and interact across applications allows IT and security teams to make better decisions about strengthening controls.

IT and security teams want to collaborate to strengthen organizational, application, and API security. With automated processes and holistic and granular views, these experts can focus on deeper analysis, making sound security decisions, and proactively remediating vulnerabilities. As a result, they can help build their company’s brand in the marketplace as a security-conscious innovator that values protecting data and intellectual property.

Strengthening intelligence leads to better API protection

The fast pace of digitization means that companies will be using more APIs as time progresses. Applications and services will become even more interconnected: internally, with customers, and with partners.

Many companies are taking steps to strengthen application security, and adopting zero-trust security models and evolving DevSecOps practices are ideal. Unfortunately, poor API security will continue to cause issues such as application exploitation and data exfiltration unless teams strengthen these processes.

Using an online catalog to expose the API ecosystem provides valuable information that teams can use to transform the security of these vital connections. They can discover and manage all APIs, bringing shadow and zombie APIs under control. Teams can analyze the business risk and potential data exposure of each API, and prioritize remediation work. With that, IT and security teams can trace back usage to end-users, determining if APIs are under attack by adversaries and where they’re located.
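As an added example (not from the original article or any catalog product it alludes to), this Python script reconciles constructed access-log lines against a constructed API catalog to flag the two categories described above: shadow APIs (traffic to routes that are not catalogued) and zombie APIs (routes catalogued as deprecated but still receiving traffic). The catalog structure and the minimal log format are assumptions.

```python
"""Reconcile observed API traffic against an API catalog to surface
shadow and zombie APIs. Added illustration; the catalog and log
formats are assumptions, not any specific product's format."""
import re
from collections import Counter

# Constructed catalog: normalized route -> lifecycle status.
CATALOG = {
    "GET /api/v2/users/{id}": "active",
    "POST /api/v2/orders": "active",
    "GET /api/v1/users/{id}": "deprecated",  # replaced by v2, not yet retired
}

# Constructed access log lines in a minimal "METHOD PATH STATUS" form.
LOG_LINES = """
GET /api/v2/users/42 200
GET /api/v1/users/42 200
GET /api/v1/users/77 200
POST /api/v2/orders 201
GET /api/internal/export/all 200
GET /api/internal/export/all 200
DELETE /api/v2/users/42 204
""".strip().splitlines()


def normalize(method, path):
    """Collapse numeric path segments to {id} so request instances
    map onto a single catalog route."""
    route = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return f"{method} {route}"


def observed_routes(lines):
    """Count requests per normalized route from the log lines."""
    counts = Counter()
    for line in lines:
        method, path, _status = line.split()
        counts[normalize(method, path)] += 1
    return counts


def reconcile(catalog, lines):
    """Return (shadow, zombie): shadow routes carry traffic but are absent
    from the catalog; zombie routes are deprecated yet still in use."""
    seen = observed_routes(lines)
    shadow = {r: n for r, n in seen.items() if r not in catalog}
    zombie = {r: n for r, n in seen.items() if catalog.get(r) == "deprecated"}
    return shadow, zombie


if __name__ == "__main__":
    shadow, zombie = reconcile(CATALOG, LOG_LINES)
    print("shadow APIs:", shadow)
    print("zombie APIs:", zombie)
```

In a real deployment the catalog would come from the online directory and the log lines from the gateway or tracing pipeline; the reconciliation logic stays the same.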


By deploying an online directory, analyzing intelligence, and evolving processes, companies will create a strong API security culture that pays ongoing dividends. Businesses can achieve their digital growth goals, maintain compliance in all the regions they serve, and develop strong relationships with customers and partners that are based on trust and security best practices.