How to detect and control the spread of shadow APIs
It’s no secret that malicious attacks on applications and software systems are commonplace. What is less well known, however, is that APIs are regularly at the center of major breaches and outages, with unsecured APIs being one of the most vulnerable and exploited vectors for a variety of attack types.
In 2022, a study published by cybersecurity firm Cequence specifically listed shadow APIs as a factor in nearly 31% of the 16.7 billion malicious transactions covered in the study. And unsurprisingly, organizations that fail to implement proper inventory management, quality assurance, and versioning practices suffer the most from shadow API-related issues.
Let’s take a closer look at the types of vulnerabilities Shadow APIs introduce and the potential damage they can cause. We’ll also look at some ways to spot shadow APIs, some strategies for dealing with them effectively, and some of the tools available to help.
What are Shadow APIs?
Shadow APIs are third-party APIs that are outside of an organization’s control but are implemented quietly by developers that save time on a repetitive task, eliminate dependency on other teams, or fill a gap in the organization’s existing catalog of approved APIs want to close. As benign as the intentions of these developers may be, these unregulated APIs can create serious security vulnerabilities if left loose in the company’s software environment.
Attackers are often quick to spot untraceable APIs that can force them to accept specific parameters, data requests, or other manipulative input. This allows these malicious actors to modify this API’s data, access sensitive API endpoints, and breach security controls. In short, shadow APIs provide easy access to your system and the sensitive data it contains.
Additionally, attackers can use shadow APIs to do invasive things like access private user accounts, modify or delete user information, or even change their existing credentials undetected. This can lead to even more pernicious compliance issues when attacks via shadow APIs affect transactions governed by HIPAA, GDPR, or other important privacy regulations.
How to detect shadow APIs
APIs are a necessity for application development as they enable rich functionality and data integration at scale, which means that using shadow APIs is always a risk. Fortunately, there are a few practices that can help you quickly spot suspicious API activity on your system:
- Monitor outbound proxies. Intercept every outgoing API call through API proxies. These outbound proxies also record all API logs, including requests and responses, to look for unrecognized API transactions, unusually slow response times, strange spikes in resource allocations, or other activity that may indicate the presence of a shadow API.
- Commit to log analysis. Providing powerful logging tools can help you keep a close eye on all endpoints, APIs, and response data. Register logs at regular intervals (or ideally, in real time) to assess end-to-end application performance and look for suspicious API activity.
- Implement live monitoring. Use live monitoring tools or tactics to consistently identify API calls as they occur. This can be an especially big benefit for automatic performance identification when implemented at the API gateway level.
- Scan code frequently. You can detect and fix shadow APIs before they go into production by scanning the source code to identify any traces of APIs that don’t belong in your system.
What to do when shadow APIs infiltrate your software system?
Even with proper monitoring, there is still a chance for shadow APIs to find their way into your software system. Therefore, it is important to have a remediation strategy to minimize the impact of shadow APIs once they are discovered. Here are some things you can do:
- Implement strict standards and policies. Implement a strict API filtering process through well-defined standards and guidelines governing implementation and usage. This should include criteria such as compliance with relevant data protection regulations and specific user privacy requirements set out in service level agreements.
- establish observability methods. Implement code scanning and live monitoring processes as part of your regular development process to ensure your established standards are met for each API used.
- Check your system regularly. Automated audit exercises can significantly improve API security and visibility. Because auditing is a collaborative endeavor, all developers gain visibility into potential issues related to shadow APIs and ways to improve application performance and security.
Tools to combat shadow APIs
The right tools can significantly reduce the risk of shadow APIs by providing appropriate security mechanisms, constant monitoring, and broader observability. Here are some Examples of tools and platforms The offer The skills required combat shadow APIs:
- APIsec. This API security testing platform provides vulnerability scanning tools and built-in support for DevSecOps initiatives.
- wall arm. This API security testing platform focuses on supporting both legacy applications and cloud-native APIs.
- Apigee Sense. Powered by Google, this behavioral detection tool tracks API inventories, keys, and transactions and automatically analyzes for anomalies.
- flare up again. This general software security platform provider offers tools for real-time API traffic monitoring, transaction encryption, automated policy management, and reverse-engineering mechanisms that mitigate the damage of API attacks.