As seen on Security Boulevard.
When you have a lot of something—of anything—it’s hard to keep track. It could be books, cats, tools in the garage, apps on the phone. And when you can’t keep track, you create some level of risk, likely as a result of poor inventory and control.
Well, this is what we’re seeing with APIs today. A survey conducted by Axway found that while more organizations are adopting hybrid technologies, there is a growing concern about API sprawl.
Brian Otten, VP of the digital transformation catalysts division with Axway, defined API sprawl as “an uncontrolled proliferation of APIs in an organization” that is the result of “uncoordinated API delivery across an organization due to the lack of a well-defined API program and universally-adopted API operational life cycle.”
And, not surprisingly, with API sprawl comes greater risk. We’re regularly seeing data breaches that are caused by vulnerabilities in APIs, with the most recent high-profile API-related breach impacting millions of T-Mobile customers.
Lack of API Inventory
Sprawl is a major reason why many organizations lack a good inventory of their APIs.
“Every day, new APIs are created to connect a business or service to partners and customers. APIs are also created to connect applications internally,” explained Edward Roberts, VP of marketing at Neosec, in an email interview. “And any new business acquisition brings inside another set of APIs that are not documented.”
The growth of APIs and their usage comes in tandem with the increased amount of internet traffic that occurs on them. It becomes a vicious cycle, with the need for more APIs to keep our businesses and personal lives connected but with little accountability for them.
“Because no single person inside an organization controls every API, the sprawl is creating a vast spaghetti bowl of shadow APIs that are unsanctioned (including zombie, rogue or hidden APIs) or out-of-date ones (like deprecated, legacy or orphaned APIs),” said Roberts. “This API sprawl is creating a vast attack surface that must be protected from abuse.”
Security Challenges of API Sprawl
You can’t protect what you don’t know, so the foremost challenge of API sprawl is discovery and inventory. “Getting visibility into the API estate within an organization allows the ability to address the more advanced security problems,” says Roberts.
API sprawl also prevents adoption of new security approaches across the board, Otten pointed out, and this leaves more vulnerable security mechanisms in place.
Auditing for compliance regulations is another challenge. Each API requires documentation that should be up-to-date with the latest version of the API. Without that, you can’t easily audit business controls, and that makes security compliance difficult, if not impossible, to prove.
Finally, there is the challenge of knowing if there is any abuse happening within each API. “Understanding normal traffic behavior versus abnormal abusive traffic is key to seeing if data is being scraped and stolen, user credentials are compromised, or even if usage agreements have been exceeded,” said Roberts. “The ramifications for allowing API abuse are data loss, monetary loss, compliance problems and downtime.”
