Application Programming Interfaces (APIs) have played a key role in the digital transformation of organizations, particularly so over the last few years. Open networks and connectivity remain key catchphrases and as their momentum builds, so will API growth. However, as we’ve seen in previous blogs on API security, this same open nature exposes APIs to potential attacks and security threats.
At the heart of any robust API security process lies visibility. The idea behind API visibility is relatively simple – you cannot protect something you can’t see, or don’t know about. Therefore, visibility matters. Any organization, even one with API security practices in place through the Application Lifecycle Management (ALM) process, could find itself with a whole bunch of APIs it didn’t know existed if it doesn’t follow best practices.
APIs are essential building blocks for applications today, and can be created with relative ease and speed, which steadily adds to the number in use. To complicate matters from a security standpoint, API traffic volumes are not tied to human-driven events such as launching a new application or onboarding new users. Given the machine-to-machine nature of APIs, call volumes can spike at any time regardless of such events, for legitimate as well as malicious reasons.
This is why it’s extremely important to stay on top of API infrastructure in terms of visibility, monitoring, logging, and inventory. Focusing on API visibility gives a clearer picture of what’s going on, prepares companies to identify potential security threats, and helps them link it all back to business impact.
Shadows, rogues & zombies
Whenever organizations are tackling API visibility from a security standpoint, it’s better to start with internal APIs and then move to third-party APIs. Both are equally important for security purposes, and neither should be neglected or treated casually. When it comes to API visibility, there are a few ‘characters’ you need to watch out for, including rogues, zombies, and shadows.
Those with malicious intentions could use these types of APIs to launch attacks on organizations. Why? Because these APIs are typically unknown to the organization, i.e. companies or enterprises may not know of, or may have forgotten about, their existence leaving them vulnerable to attacks. What exactly are shadow, rogue, and zombie APIs?
Shadow APIs
Shadow APIs underscore the importance of ensuring visibility into internal APIs. These are APIs that are unprotected by, or not managed by, the organization using them. While they could arise out of any situation, shadow APIs typically occur when there are silos between the developer teams, IT/security teams, and other departments involved in the creation and use of APIs.
Let’s say Developer A has been asked to quickly create an API for a particular internal use by a business development team, without the involvement or knowledge of the IT or security teams. The API is created and used. Then, Developer A quits the organization and there are leadership changes on the business development side. Perhaps, a few months or years later, the API could still be active but, crucially, it remains an unknown to the IT and security teams.
In such a scenario, the API would be termed a shadow API, i.e. one that operates in the dark without the knowledge of the right teams at an organization.
Rogue APIs
Rogue APIs are loosely classified by some as being akin to shadow APIs, i.e. they are those that may have been authorized by the organization but are unknown to security teams. Others term rogue APIs as those that were never really authorized by the organization whose data is being accessed. In either scenario, what makes rogue APIs important from an API security point of view is that they, too, operate in the dark.
Zombie APIs
Zombie APIs are those that have outlived their purpose and have been abandoned, neglected, or forgotten by the organizations that commissioned them. A common source is versioning: a newer version of an API replaces an older one, but the old version is left running and reachable. In general, zombie APIs are the result of APIs not being retired in an effective manner and removed properly once their purpose is served.
Visibility into shadow APIs, rogue APIs and zombie APIs is crucial for API security. These are APIs that have been left out of the purview of an organization’s security processes and practices. They are not being monitored, maintained, updated, or protected and are, therefore, more vulnerable to attacks. The only way to identify these shadows, rogues and zombies is to have adequate API visibility, along with API discovery and inventory tools and processes, in place.
API discovery and inventory
In simple terms, API discovery is about finding all the APIs in use by an organization. API discovery is closely linked to API inventory management because once you discover all the APIs, you need to catalogue them, monitor them, and maintain up-to-date records of them. In other words, the end goal of API discovery is creating an API inventory. Comprehensive records for API inventory management purposes should contain all manner of information on the APIs: their purpose, owners, users, challenges or limitations, and security profile.
API discovery and inventory includes processes that are crucial for API security management such as pinpointing shadow, rogue, and zombie APIs. It spans API endpoint discovery, identifying where sensitive data resides, API documentation, developer-activity based identification, and managing the APIs that are discovered through the entire process.
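One concrete way to carry out the reconciliation described above, and to surface the zombies and shadows from the earlier section, is to compare what the organization believes it exposes (its inventory) with what actually receives traffic (its access logs). The script below is an added example, not code from the original article or from any product it mentions. The inventory, the log lines and the route-template normalisation rule are all constructed assumptions for illustration; a real inventory would come from OpenAPI specs, an API gateway or a CMDB, and real logs would come from the gateway or web tier.

```python
import re
from collections import Counter

# Constructed inventory: documented "METHOD /route-template" -> lifecycle status.
# (Assumed for this example; in practice, derive it from OpenAPI specs or
# gateway configuration.)
INVENTORY = {
    "GET /api/v2/users/{id}": "active",
    "POST /api/v2/users": "active",
    "GET /api/v2/orders/{id}": "active",
    "GET /api/v1/users/{id}": "deprecated",   # replaced by v2, should be retired
    "GET /api/v2/reports/export": "active",   # documented, but nobody calls it
}

# Constructed access-log lines in a common combined-log shape.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:01:05 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 498
10.0.0.9 - - [12/Mar/2024:10:02:11 +0000] "POST /api/v2/users HTTP/1.1" 201 88
10.0.0.9 - - [12/Mar/2024:10:02:14 +0000] "GET /api/internal/export/all?format=csv HTTP/1.1" 200 90211
10.0.0.5 - - [12/Mar/2024:10:03:30 +0000] "GET /api/v2/orders/1001 HTTP/1.1" 200 640
10.0.0.7 - - [12/Mar/2024:10:03:31 +0000] "GET /api/v1/users/77 HTTP/1.1" 200 501
10.0.0.3 - - [12/Mar/2024:10:04:00 +0000] "GET /api/internal/export/all?format=json HTTP/1.1" 200 88120
"""

# Pull the request line out of each log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalise(path: str) -> str:
    """Drop the query string and collapse purely numeric path segments to
    {id}, so individual requests roll up to a route template that can be
    compared with the inventory. (Simplified rule, assumed for the example.)"""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def observed_routes(log_text: str) -> Counter:
    """Count requests per 'METHOD /template' actually seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[f"{m['method']} {normalise(m['path'])}"] += 1
    return counts


def classify(inventory: dict, counts: Counter) -> dict:
    """Reconcile observed traffic against the inventory.

    shadow : receives traffic but is not in the inventory at all
    zombie : inventoried as deprecated, yet still receives traffic
    unused : inventoried but saw no traffic (review for retirement)
    """
    result = {"shadow": {}, "zombie": {}, "unused": []}
    for route, n in counts.items():
        status = inventory.get(route)
        if status is None:
            result["shadow"][route] = n
        elif status == "deprecated":
            result["zombie"][route] = n
    for route in inventory:
        if route not in counts:
            result["unused"].append(route)
    return result


if __name__ == "__main__":
    findings = classify(INVENTORY, observed_routes(SAMPLE_LOG))
    for bucket, routes in findings.items():
        print(f"{bucket}:")
        for route in routes:
            hits = routes[route] if isinstance(routes, dict) else "-"
            print(f"  {route}  ({hits} requests)")
```

Run against the constructed data, the script reports one shadow route (the undocumented `/api/internal/export/all` endpoint, which is also moving large responses), one zombie (the deprecated v1 user lookup still being called), and one documented route with no traffic. The normalisation rule here only collapses all-digit segments; production logs also contain UUIDs, slugs and encoded tokens, so a real discovery tool needs a richer set of templating rules and should be fed from every ingress point (gateway, load balancer, service mesh), not a single web tier.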
API discovery and inventorying have other, non-security uses too. Those include aspects that make it easier to create new APIs, integrate pre-existing APIs into new ones, enhance API capabilities, and improve compatibility. The process of API discovery can be either manual or automated; the manual process is generally slower and more resource-consuming than using automated API discovery tools.
API discovery tools & strategies
There are different types of API discovery tools that companies can use. Some of those include API directories and marketplaces, automated scanners, documentation platforms, API security and API management platforms, cloud security providers, and individual technology-specific platforms (for example, AWS and Microsoft Azure have their own API marketplaces).
Using these tools comes with a lot of advantages for API security management, and helps minimize potential attack vectors by improving API visibility. In turn, it also helps organizations manage risk better, remain compliant with any applicable regulatory requirements, and use resources more efficiently.
While there are tools out there that can automate the API discovery and inventory process, there are a few good practices and strategies that organizations themselves can implement to make it more efficient. For example, ensuring proper API documentation, keeping that documentation in a form that automated tools can consume, using API directories, and incorporating SEO keywords into your documentation and inventory process.
All of this will, ultimately, help create a more robust API visibility process in organizations which will, in turn, bolster API security.