How to discover and manage shadow APIs

Connecting applications, especially if external-facing, with unapproved APIs is a recipe for disaster. Detecting and managing shadow APIs is vital to keeping the company secure.

Access to APIs -- connectors that enable disparate systems and applications to share data and communicate -- is business-critical. And because APIs have access to sensitive information, it's important that security teams know about every API in use -- yet this isn't always the case.

Employees commonly use technologies and tools without the security team's sanction -- known as shadow IT -- and APIs are no different. Like other unauthorized components, shadow APIs are created or deployed outside of official processes, often by internal teams, contractors or legacy systems.

Security teams need to know how to prevent, identify and manage shadow APIs to avoid the significant security threats posed by these undocumented and frequently unmonitored interfaces.

The problem with shadow APIs

The number of APIs in organizations is skyrocketing. According to API platform Postman, each business application is powered by 26 to 50 APIs, and API intelligence platform Treblle estimated the average enterprise maintains more than 1,000 APIs, most of which perform in-house functions.

The numbers seem unmanageable even before shadow APIs are considered. The dynamic nature of DevOps and microservices makes shadow APIs even more prevalent through continuous integration/continuous delivery (CI/CD) pipelines.

While shadow APIs are not necessarily malicious, they are a prime target for attackers because they bypass governance and security controls. Shadow APIs are problematic for the following reasons:

  • They can expose sensitive data, leading to data loss, exfiltration and compliance violations.
  • They operate without proper authentication, leading to compliance violations and breaches.
  • They could inadvertently enable lateral movement within an organization, resulting in business disruptions and cyberattacks.
  • They could be subject to vulnerabilities that remain unpatched because they aren't under the purview of the security team.

Several high-profile breaches in recent years, including the January 2024 data scraping attack on the Trello project management platform, have been traced back to unmanaged APIs. Without the ability to track these hidden endpoints, security teams can't accurately assess risk, apply controls or ensure regulatory compliance. Discovery and ongoing monitoring are therefore critical to maintain an accurate and secure API inventory.

How to discover shadow APIs

To identify shadow APIs, organizations should adopt a multilayered approach that relies on both network traffic analysis and integration with their existing development and cloud infrastructures.

Follow these key steps:

  • API traffic inspection. Use API gateways, web application firewalls or cloud-native tools to inspect network traffic for unknown endpoints. API security platforms provide deep visibility by analyzing live traffic and identifying undocumented APIs.
  • Log analysis. Mine logs from load balancers, proxies and firewalls to reveal patterns of API usage, including requests to unregistered endpoints. Integration with SIEM systems and log analytics tools helps correlate these findings.
  • Cloud configuration scanning. Cloud security posture management (CSPM) tools and cloud-native application protection platforms (CNAPPs) scan cloud environments to detect misconfigured services that expose undocumented APIs.
  • Code and repository analysis. Review source code and CI/CD pipelines using CNAPPs or static application security testing tools to uncover API calls and endpoint definitions not reflected in central documentation.
  • Attack surface management. Use external ASM tools -- or even tools such as the Shodan search engine -- to simulate attacker perspectives and identify APIs exposed to the public internet.

How to reduce shadow APIs

With shadow API discovery completed, implement a combination of policy, governance and technical enforcement to manage and reduce shadow API usage. Do the following:

  • Establish clear API policies. Define mandatory registration, versioning and approval workflows for all API deployments. Require teams to use sanctioned API gateways and document interfaces as part of the policy or standards definitions. Educate and align developers with these policies and standards. Conduct regular training and embed security champions in DevOps teams.
  • Promote a security-as-code culture. Ensure secure APIs are part of build pipelines. Use centralized API gateways to enact controls that enforce security policies, such as authentication, rate limiting and schema validation. Once these controls are in place, use API security platforms to perform continuous monitoring, anomaly detection and drift detection from the API baseline.
  • Conduct regular audits. Periodically scan and validate the API inventory against runtime traffic and source code to ensure alignment.
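The log analysis step in the discovery section and the audit step above both come down to the same check: compare the endpoints seen in runtime traffic against the documented inventory and flag whatever is not in it. The script below is an added example, not code from the article; it assumes a documented inventory expressed as OpenAPI-style path templates and a constructed proxy access log in a common format (client, request line, status), and it collapses numeric and UUID-like path segments so one undocumented endpoint is reported once rather than per record ID.

```python
import re
from collections import Counter

# Constructed inventory: path templates as you would pull them from an OpenAPI
# spec. Hypothetical paths, not taken from the article.
DOCUMENTED_PATHS = [
    "/api/v1/users/{id}",
    "/api/v1/users/{id}/orders",
    "/api/v1/orders",
]

# Constructed sample access log (client, request line, status). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 "GET /api/v1/users/42 HTTP/1.1" 200
10.0.0.5 "GET /api/v1/users/42/orders HTTP/1.1" 200
10.0.0.9 "POST /api/v1/orders HTTP/1.1" 201
10.0.0.9 "GET /api/v2/users/42 HTTP/1.1" 200
10.0.0.7 "GET /internal/export/users?all=1 HTTP/1.1" 200
10.0.0.7 "GET /internal/export/users HTTP/1.1" 200
10.0.0.8 "GET /api/v1/users/42/orders/ HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')

def template_to_regex(template):
    """Turn /users/{id} into an anchored regex: each {param} matches one path
    segment, and a trailing slash is tolerated."""
    parts = re.split(r"(\{[^}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + pattern + "/?$")

def normalize_path(path):
    """Drop the query string and collapse numeric/UUID-looking segments to {id}
    so /users/42 and /users/43 are reported as one endpoint."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    segs = ["{id}" if re.fullmatch(r"\d+|[0-9a-f-]{32,36}", s) else s for s in path.split("/")]
    return "/".join(segs)

def find_shadow_endpoints(log_text, documented):
    """Return {(method, normalized_path): hits} for requests that match no
    documented template, i.e. candidate shadow APIs to triage."""
    matchers = [template_to_regex(t) for t in documented]
    shadow = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        raw = m["target"].split("?", 1)[0]
        if not any(rx.match(raw) for rx in matchers):
            shadow[(m["method"], normalize_path(raw))] += 1
    return dict(shadow)

if __name__ == "__main__":
    for (method, path), hits in sorted(find_shadow_endpoints(SAMPLE_LOG, DOCUMENTED_PATHS).items()):
        print(f"{hits:4d}  {method:6s} {path}")
```

On the sample above it reports the undocumented v2 endpoint and the internal export endpoint while ignoring the trailing-slash variant of a documented path; the same function run over real gateway or load balancer logs against the real spec gives the audit its runtime-versus-inventory diff.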

Shadow APIs are an inevitable byproduct of modern development, but they don't have to be a liability. Organizations can rein in these unauthorized interfaces by employing real-time shadow API discovery techniques, a strong governance model and a collaborative DevSecOps culture.

Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author and GIAC technical director.
