APIs make for very handy shortcuts in application development. Under normal circumstances, this would be a great thing for companies; the APIs save time and resources at minimal cost. However, developers do not always inform the IT department (or the IT department finds the security protocols of the API in question to be insufficient and doesn’t approve). 

This results in shadow APIs: APIs that IT doesn’t know about and that are not properly secured. You don’t want these in your applications, as they are prime targets for attackers. Your best bet is securing API-dependent applications and creating an inventory of all APIs to facilitate monitoring and patching.

What is a Shadow API?

To understand shadow APIs, it helps to understand shadow IT. Shadow IT refers to IT assets not managed by the IT department or security staff. For example, if IT does not approve the use of a laptop but a user stores company data and completes work on this device anyway, the device falls into the shadow IT category. Some other examples include using a personal file-sharing account for work files, meeting on an unapproved platform, or creating accounts on productivity tools not used by the company.

Similarly, a shadow API is a type of application programming interface (API) that is not officially approved, documented, maintained, or secured by an organization’s IT department. APIs enable two pieces of software, like applications, to communicate through set protocols. So, a shadow API means that someone within an organization is using a third-party app or software component to integrate new applications. Possibly, a developer is using an unapproved API to improve functionality in an app he is building. 

Shadow IT has security risks, but shadow APIs can be more dangerous because they are more deeply integrated into an organization’s infrastructure. A developer using a shadow API introduces unknown factors into the security environment, and IT departments are then unable to accurately assess risk and maximize data security. 

The Security Risks of Shadow APIs

IT departments manage many APIs, many of which are not often monitored or audited, which makes them vulnerable. This low visibility makes them desirable targets for hackers, who can manipulate the APIs and use them to access private data or sensitive information. To comply with data privacy regulations and avoid potentially expensive cyberattacks, companies need to minimize the number of shadow APIs lurking within their infrastructure. 

Just as forgetting about data has security implications, failing to document APIs can have dire consequences. A 2022 study showed that shadow APIs account for around 31% of malicious transactions. Although developers who use shadow APIs are rarely acting maliciously, the shortcut can cost their organizations. When IT departments and security teams don’t know about an API, they will not include it when prioritizing patches and updates. The API will not be protected with firewalls, and any suspicious activity will not trigger alerts.

This will result in a security breach sooner or later. Because there are no alerts or monitoring, attackers can use shadow APIs to access sensitive data or customer information, impersonate users, and infiltrate administrator accounts. Shadow APIs can also be used to gather information about the security environment for future attacks. Any of these activities could create problems for your organization, especially if the attacker is able to access consumer data and you are in an area with strict data privacy laws. If you aren’t sure whether you have shadow APIs in your organization, first, assume that you do, and second, take steps to secure all APIs in your environment.

Securing All of Your Organization’s APIs

It is essential to identify and secure all accessible APIs, whether they are currently in use or not. An old, out-of-date API is a potential access point for an attacker, so it must either be patched and updated or purged as soon as possible. Create a comprehensive list of all APIs being used in your organization, and ensure that they are properly monitored and protected.

You might be wondering how you’re supposed to track down hundreds of potential shadow APIs. You can use API discovery tools to track down all APIs in your environment, and then compare the list generated by the discovery tools to your IT department’s API inventory. Any APIs not listed in the inventory are shadow APIs, and you should take steps to secure them immediately. 

You can also manually search for shadow APIs by intercepting traffic at outbound API proxies and looking for unusual transactions, response times, or resource use. Use logging tools at endpoints and live monitoring to look for these activities. Scanning the source code may also reveal some previously unknown APIs.
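The inventory comparison and log review described above can be scripted. The following is an added example, not part of the original article: it reduces gateway access-log lines to endpoint templates and diffs them against an approved inventory. The inventory entries, log lines, paths and function names are all constructed for illustration, and the log is assumed to be in Common Log Format.

```python
import re
from collections import Counter

# Constructed sample inventory: approved (method, path template) pairs.
INVENTORY = {("GET", "/api/v1/users/{id}"), ("POST", "/api/v1/orders"),
             ("GET", "/api/v1/orders/{id}"), ("GET", "/api/v1/legacy/report")}

# Constructed sample gateway log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /api/v1/orders/7f3c2a1e-9b4d-4c6e-8a11-0d2f5e6b7c8d?expand=items HTTP/1.1" 200 2048
10.0.0.7 - - [12/Mar/2024:10:02:11 +0000] "GET /api/internal/export/553 HTTP/1.1" 200 90311
10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "GET /api/internal/export/554 HTTP/1.1" 200 90102
10.0.0.8 - - [12/Mar/2024:10:03:40 +0000] "DELETE /api/v1/users/1042 HTTP/1.1" 204 0
10.0.0.3 - - [12/Mar/2024:10:04:00 +0000] "GET /api/v2/admin HTTP/1.1" 404 0
truncated line that does not parse
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
ID_RE = re.compile(r"\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def normalize(target):
    """Drop the query string and replace numeric/UUID path segments with {id}."""
    path = target.split("?", 1)[0]
    return "/".join("{id}" if ID_RE.fullmatch(p) else p for p in path.split("/"))

def observed_endpoints(log_text):
    """Count (method, template) pairs that the gateway actually routed."""
    seen = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m["status"] == "404":
            continue  # unparsable line, or a path that does not exist
        seen[(m["method"], normalize(m["target"]))] += 1
    return seen

def shadow_endpoints(log_text, inventory):
    """Endpoints serving traffic that the inventory does not list."""
    return {ep: n for ep, n in observed_endpoints(log_text).items() if ep not in inventory}

def unused_inventory(log_text, inventory):
    """Inventoried endpoints with no traffic: candidates to patch or retire."""
    return inventory - set(observed_endpoints(log_text))

if __name__ == "__main__":
    for (method, path), hits in sorted(shadow_endpoints(SAMPLE_LOG, INVENTORY).items()):
        print(f"SHADOW  {method:6} {path}  hits={hits}")
```

Matching on method as well as path matters here: the `DELETE` on an inventoried path is still reported, because only `GET` was approved for it.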

Once you’ve tracked down and inventoried all of your shadow APIs, you should be sure to implement standard monitoring and protection measures. It may also be useful to have a chat with your developers to make sure they do not continue to pump your environment full of shadow APIs in the future. At the end of the day, remember that it’s more important to have a fully secure environment, controlled by your security teams, than it is to generate applications quickly. From a security perspective, shadow APIs are the last things you want (aside from an actual data breach).