API Security and Zombie APIs: Best Practice Recommendations for API Discovery and Tracking

APIs are deployed everywhere, creating blind spots and the fear of not knowing about all active APIs. These APIs are finding their way into public and private cloud environments, distributed across data centers. As a result, most DevOps and security teams are uncertain about whether or not they are aware of all exposed APIs—internal and external.

Because of this, security teams need to put in the work in order to eliminate those blind spots and identify all APIs, including shadow APIs and old versions accidently left active during an application migration. Hackers look for these APIs and exploit them to breach organizations and steal data or to take over accounts for financial gains. Such mishaps have occurred among social networks, financial, healthcare and retail verticals.

So, what can you do to keep your enterprise safe from letting bad actors in through vulnerable APIs? It all comes down to understanding where the risks lie and how to implement API security best practices—including API discovery and tracking—in order to protect your network.

APIs can lead to enormous economic benefits for businesses. But, they don't come without risk, and certain types of APIs prove to be more risky than others.

To start, a zombie API is a forgotten API left behind to typically handle migrations from one version of an application to another. An example would be the release of a new application version, which because of its enhanced capabilities, required a new API. To ensure a smooth migration, the old API is maintained "active" to give developers time to phase over to the new API. The challenge for the security team is to track those "old" APIs and deactivate them in time. Most often, they are just forgotten and are a great entry door for hackers to use. 

A shadow API is most often the name given to an API that was created outside of the traditional DevSecOps process. As a result, they are also called "rogue APIs" and are not tracked by the security team, which increases the risk of a breach.

If any of these APIs are not discovered and tracked by the security team, they have the potential to wreak havoc on your business.

The best way to mitigate risks that come with shadow and zombie APIs is to follow best practices surrounding API security, which can often be carried out through good DevSecOps processes and the deployment of domain specific solutions.

For instance, tools such as PingOne API Intelligence are available to automatically discover and track active APIs. This solution detects new APIs, shadow APIs, old API versions and in general, all forgotten APIs that are still active, so that security can be added before hackers discover them.

Effective monitoring of an API infrastructure also requires tracking each user's activity across all APIs, regardless of the API location, cloud or API gateway used. This monitoring essentially reports on what each user is accessing, from the APIs and URLs used, along with tokens, cookies, API keys and IP addresses, which entails linking all API traffic to the identity of each user and having that information available via dashboards and reports.

Finally, best practice for API security would also require the use of an AI/ML-based solution to detect and block abnormal activity on APIs, such as those associated with hackers "working" on an API to breach, or a partner misusing or abusing an API. API cyberattacks bypass traditional security measures, as hackers look like normal users with valid credentials.

Therefore, the use of AI/ML has become critical to counter "free-styled," constantly changing API attacks that are specific to the API targeted. You could think of each attack as custom crafted for the specific API targeted, and that is why signature and rule-based security—such as those used in WAFs—do not offer protection against most API attacks.

APIs bring time-saving results and efficiency to your business overall, but unless they are properly protected, they can also greatly expose your organization to cyber crimes. It is therefore imperative to adopt security best practices like API discovery and tracking to ensure the protection of API infrastructures. By optimizing your security in this way, you can continue to use APIs to your advantage, while ensuring that unknown or forgotten APIs won't pose what would otherwise be a preventable risk for your enterprise.

In addition: API Security: The Definitive Guide