denisismagilov - stock.adobe.com
It's no secret that malicious attacks on applications and software systems are an everyday occurrence. However, what may be less known is that APIs regularly sit at the center of major breaches and outages, with unsecured APIs being one of the most vulnerable and exploited attack points for multitudes of attack types.
In 2022, research published by the cybersecurity company Cequence specifically listed shadow APIs as a factor in nearly 31% of the 16.7 billion malicious transactions covered in the study. And, unsurprisingly, companies that fail to implement proper inventory management, quality assurance and versioning practices tend to suffer the most from issues related to shadow APIs.
Let's look further into the types of vulnerabilities shadow APIs introduce and the potential harm they can cause. We'll also look at a few ways to recognize shadow APIs, some strategies to deal with them effectively and some of the tooling available to help.
What are shadow APIs?
Shadow APIs are third-party APIs that sit outside of a company's control but are quietly implemented by developers looking to save time on a repetitive task, eliminate dependency on other teams or fill a gap in the organization's existing catalog of approved APIs. However, as benign as these developers' intentions may be, these unregulated APIs can create serious vulnerabilities when allowed to freely inhabit the organization's software environment.
Attackers are often quick to identify untracked APIs that they can coerce into accepting certain parameters, requests for data or any other kind of manipulative inputs. This allows these malicious actors to alter that API's data, access sensitive API endpoints and breach security controls. In short, shadow APIs provide an easily accessible entryway into your system and the sensitive data within it.
Furthermore, attackers can use shadow APIs to do invasive things like access private user accounts, alter or delete user information or even change their existing credentials undetected. This can lead to even more damaging compliance issues if attacks through shadow APIs affect transactions subject to HIPAA, GDPR or other important data protection regulations.
How to spot shadow APIs
APIs are a necessity for application development, as they enable varied functionalities and data integrations at scale, meaning that shadow API use will always be a risk. Luckily, there are a few practices that can help you readily spot suspicious API activity within your system:
- Monitor outbound proxies. Intercept every outgoing API call through API proxies. These outbound proxies also record all API logs, including requests and responses, to look for unrecognized API transactions, unusually slow response times, strange spikes in resource allocations or any other activity that may indicate a shadow API's presence.
- Commit to log analysis. Putting capable logging tools in place can help you keep a close eye on all the endpoints, APIs and response data. Register logs at regular intervals (or, ideally, in real time) to evaluate end-to-end application performance and look for suspicious API activity.
- Implement live monitoring. Use live monitoring tools or tactics to consistently identify API calls as they occur. This can be a particularly great asset for automatically identifying performance when implemented at the API gateway level.
- Scan code frequently. You can detect and address shadow APIs before they hit production by scanning the source code to identify any traces of APIs that don't belong in your system.
What to do if shadow APIs infiltrate your software system
Even with proper monitoring, there is still the chance that shadow APIs will find their way into your software system. As such, it's essential to have a remediation strategy in place to minimize the impact of shadow APIs once they are spotted. Here are some things you can do:
- Implement strict standards and guidelines. Implement a tight API filtering process through well-defined standards and guidelines that govern implementation and use. This should include criteria like compliance with relevant data protection regulations and any specific user-privacy requirements outlined in service-level agreements.
- Establish observability procedures. Implement code scanning and live monitoring processes as part of your regular development process to ensure that your established standards are met for every API in use.
- Audit your system frequently. Automated audit exercises can greatly enhance API security and visibility. Since auditing is a collaborative endeavor, all developers will get a view of potential problems related to shadow APIs as well as ways to improve application performance and security.
Tools to combat shadow APIs
The right tooling can significantly reduce the risk of shadow APIs by providing proper security mechanisms, constant monitoring and wider observability. Here are some examples of tools and platforms that provide the capabilities needed to combat shadow APIs:
- APIsec. This API security testing platform provides vulnerability-scanning tools and built-in support for DevSecOps initiatives.
- Wallarm. This API security testing platform focuses on support for both legacy applications and cloud-native APIs.
- Apigee Sense. This Google-backed behavior detection tool keeps track of API inventories, keys and transactions and automatically analyzes for anomalies.
- Reblaze. This general software security platform provider features tools for real-time API traffic monitoring, transaction encryption, automated policy management and reverse engineering mechanisms that mitigate the damage of API attacks.