Application programming interfaces (APIs) have become a lifeline for businesses striving to stay competitive today. However, along with this innovation comes a darker side – the security issues associated with APIs. These issues have also resulted in disruptions to normal business operations, including application development. According to data from the State of Web Application and API Protection 2022 report by CDNetworks, there has been a significant uptick in attacks against APIs, reaching 58.4% in 2022.
Shadow APIs and zombie APIs, are two such issues associated with APIs, which can go undetected in your digital infrastructure. Shadow APIs, often created without proper oversight, pose security and compliance risks, potentially compromising sensitive data and leaving organizations vulnerable to cyber threats. Zombie APIs, on the other hand, are outdated and abandoned APIs that can become gateways for cyberattacks if left unchecked.
What are Shadow APIs and Zombie APIs?
Shadow APIs are APIs which are unauthorized or undocumented that have not been managed or secured by the organization under which they operate. They are often created by developers or teams during an application development or in the implementation of other business functions. These APIs operate without proper oversight or approval from IT or security departments and hence remain in the shadows, hidden from official monitoring and management. Thus, even if they may not be used for malicious purposes, shadow APIs can pose significant risks to an organization’s data security and integrity.
Zombie APIs, on the other hand, are outdated, abandoned, or deprecated APIs that linger within an organization’s digital landscape. They may already be identified and managed but due to the fact that they are no longer in active use or maintenance, they can become a security liability over time. Zombie APIs may also have vulnerabilities that go unnoticed and unpatched, which attackers can exploit to gain unauthorized access or launch cyberattacks. Think of Zombie APIs as forgotten gateways that can open up a backdoor for malicious actors into an organization’s systems.
How Can Shadow APIs and Zombie APIs Hurt Your Business?
The existence of shadow APIs can lead to data breaches, compliance violations, and operational disruptions. Since these APIs operate outside the official IT framework, they often lack proper authentication, authorization, and encryption mechanisms. This makes them vulnerable to cyberattacks, data leaks, and unauthorized access. In June 2022, for example, Travis CI, a continuous integration development tool, suffered an API breach that allowed anyone to access the company’s plaintext historical logs. This resulted in the business suffering a breach of more than 770 million pieces of user log data containing 73,000 tokens, access keys and other cloud service credentials. Similar cases of API breaches were reported at Hubspot in March 2022, which exposed the sensitive data of 1.6 million users and other companies such as Peloton and Experian.
There is also the problem of lateral movement, whereby Shadow APIs end up acting as entry points for access to other, possibly more sensitive systems and accounts within the organization’s network. Last but not the least, regulatory bodies may also penalize organizations for non-compliance, resulting in costly fines and damage to the company’s reputation.
Zombie APIs may seem harmless as they are no longer actively used, but they are ticking time bombs. Attackers can identify and exploit vulnerabilities in these forgotten APIs, leading to data breaches, system compromises, and financial losses. According to the Postman State of the API 2023 survey, almost 60% of all respondents were concerned over zombie APIs. The presence of zombie APIs can clutter your IT environment, making it harder to manage and secure the active APIs that are critical to your business operations.
How to Identify Shadow APIs and Zombie APIs?
To be able to identify shadow APIs, it is necessary to keep track of your network traffic, especially API calls. Here are some basic steps that can help you discover shadow APIs.
- Monitor your network: Implement network monitoring tools to detect unusual traffic patterns and unauthorized API calls. Look for API endpoints that are not part of the official documentation.
- Conduct log analysis: Analyze logs and access records to identify requests originating from undocumented APIs. Unusual or unauthenticated access may indicate the presence of shadow APIs.
- Review platforms and documentation: Regularly review collaboration platforms, development repositories, and documentation to spot any APIs that have been created without proper authorization or documentation.
- Conduct security audits: Regular security audits and penetration testing can help uncover hidden APIs that may be vulnerable to exploitation.
Since zombie APIs are essentially “forgotten” APIs in an organization, the key to identifying them is to be thorough with keeping and maintaining an inventory of all APIs that are in use. Start with these essential hygiene steps.
- Maintain an API catalog: Maintain a comprehensive inventory of all APIs in your organization. Compare this list with active usage data to identify APIs that are no longer in use.
- Track usage metrics: Monitor API usage metrics and traffic patterns. If an API shows little or no activity for an extended period, it may be a candidate for zombie status.
- Review API documentation and history: Review API documentation and development history to identify APIs that have been deprecated or abandoned. Look for notes or comments indicating that an API is no longer in use.
- Conduct a dependency analysis: Analyze dependencies between APIs and applications. If no active applications rely on a particular API, it may be a zombie.
How to Mitigate the Risk of Shadow APIs and Zombie APIs?
If you work with APIs a lot, you will need strong protection procedures and tools to minimize the impact of shadow APIs. Some of the ways you can do this include:
- API governance: Establish clear API governance policies and procedures. Require developers to obtain approval before creating new APIs, ensuring that all APIs are documented and authorized.
- Conduct regular audits: It is important to audit and test APIs regularly to ensure that they are aligned to the expected result. Make audiots part of the development cycle, including before releases and in between feature tests. Automated tools can also help in flagging shadow APIs based on predefined criteria.
- Authentication and authorization: Enforce strong authentication and authorization mechanisms for all APIs. Implement API keys, OAuth, or other access control methods to prevent unauthorized access.
- Training and awareness: Educate your development teams about the risks associated with shadow APIs and the importance of adhering to company policies and security standards.
And to mitigate the impact of Zombie APIs, here are some steps you can take:
- Deprecate zombie APIs: When you do your inventory and find zombie APIs, make sure you deprecate them so they don’t pose danger in the future.
- Warn users on time: It is also important to give any current users of the APIs clear warning so that they can transition with minimal disruption. Set a hard deadline for the deprecation and inform all customers and API consumers.
- Create replacement APIs if needed: If there are any users who still rely upon the API, make it a point to roll out a replacement before deprecation deadline. Make sure that the new API does not pose any potential security risks in the future.
- Documentation Updates: Keep API documentation accurate and current. Clearly mark APIs that are deprecated or retired to prevent accidental usage.
- Regular Cleanup: Schedule regular cleanup and maintenance activities to remove or archive zombie APIs. Ensure that these activities are part of your organization’s API lifecycle management process.
How CDNetworks Helps You Secure Your Shadow APIs and Zombie APIs
CDNetworks leverages cutting-edge big data analytics and AI technology to automatically discover shadow APIs and zombie APIs lurking within your digital ecosystem. The API Shield solution from CDNetworks brings together a number of capabilities including API Inventory management and API Discovery for defining and managing API privacy as well as discovering unknown API resources. This proactive approach ensures that no hidden threats go unnoticed, providing a comprehensive view of your API landscape.
API Shield is deployed on CDNetworks’ globally distributed PoPs which allows for real-time detection of suspicious API requests before proceeding to block them or take other proactive actions. It also uses a cloud-based big data analytics platform and high-performance analysis cluster, to sift through log files and find trends and patterns to improve your security.
