
Organisations can use APIs to such a large extent that they struggle to keep track of which ones they are using, and which security vulnerabilities they may be open to. Yoav Ziv at Checkmarx explores the problem
Application Programming Interfaces (APIs) are the digital building blocks that enable applications to interact seamlessly, automating workflows and breaking down silos. They make a developer’s life easier by providing the ready-made building blocks for their software, accelerating innovation and operational efficiency.
However, as organisations integrate more services, applications, and data sources, they face an escalating challenge — API sprawl. This is the uncontrolled growth of APIs that are deployed ad hoc without proper governance or documentation.
According to Google Cloud’s 2022 State of the API Economy report, businesses are finding it increasingly difficult to manage the sheer volume of APIs they are responsible for, putting them at a higher risk of security vulnerabilities.
These issues extend from tracking and monitoring to governance, affecting both internal APIs developed in-house and external APIs from third-party vendors. Given this rising complexity, companies must understand and navigate the intricacies of API management or risk being easy targets for cyber adversaries exploiting these vulnerabilities.
Managing security in the age of APIs
API sprawl poses a unique challenge for businesses, involving both an increase in the number of APIs and the complex web of relationships among them. APIs are often interdependent, calling upon one another to perform various functions.
For instance, a single mobile application may rely on different APIs for payment processing, user authentication, and data storage. These APIs may, in turn, depend on other internal or third-party APIs to fulfil their roles. The relationships can be hierarchical, peer-based, or even circular, creating a complex network that can be difficult to manage and secure.
Without effective management, these challenges can often lead to major security incidents. In fact, 92% of businesses have experienced an API security incident in the last 12 months. These incidents can range from data breaches to unauthorised access, all of which threaten the integrity of an organisation’s cybersecurity posture.
Good API governance is essential to reduce these risks. This goes beyond documenting APIs; it involves tracking their usage, monitoring real-time activity, and enforcing security policies. It can also include implementing an API gateway to centralise these functionalities and to serve as a critical junction for all API traffic. It also helps to deploy security features like rate limiting, access control, and data encryption more conveniently.
API security starts at a code level
Alongside effective governance, keeping tabs on API security vulnerabilities is essential. Tools such as API security scanners and threat protection systems can identify risks proactively. These tools enable organisations to catch vulnerabilities like exposed endpoints or insecure data transmission before they escalate into larger issues.
Given the likelihood of regulatory action relating to API security – particularly in industries like healthcare, where large amounts of personally identifiable information are being shared – the use of technologies that discover, map, and track APIs across systems is highly advisable.
Traditional approaches that focus on runtime security mechanisms are also falling short. While runtime tools can detect malicious activity in real time, they lack the foresight to spot data-sensitivity issues or vulnerabilities introduced during API implementation. This reactive model leaves organisations perpetually on the back foot.
There are also the risks of "zombie" and "shadow" APIs. Zombies are outdated APIs that have been replaced but remain in the ecosystem. Shadow APIs are third-party programs outside the organisational network’s visibility and beyond the scope of governance protocols.
These undocumented APIs can’t be protected by existing API security solutions, such as DAST, WAFs, or API gateways, which are designed to protect only what they know about. This blind spot leaves organisations vulnerable to unforeseen attacks.
Traditional API security tools often focus on examining the active traffic of APIs that are already in use. This means they might miss detecting "zombie" and "shadow" APIs, which are undocumented and could pose unseen risks.
Many organisations lack a single point in the application infrastructure that can see all API traffic, exacerbating the problem. The shortcomings of these solutions highlight the need for a comprehensive "shift left and integrate right" approach that starts with scrutinising source code to identify and inventory API endpoints and associated vulnerabilities.
Businesses should implement solutions that can automatically scan the source code to build a central API inventory. This identifies vulnerabilities and assists in the documentation of API risks.
For organisations with an API-first approach, this enables the validation of API documentation during the design phase and helps to identify discrepancies when compared against implementation. For code-first organisations, it allows for the discovery and inventory of every API in source code, even without proper initial documentation.
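The source-code inventory and documentation check described above, as an added illustration that is not Checkmarx's tooling or any code from the article: it extracts route declarations from a constructed code fragment (FastAPI-style `@app.get(...)` and Flask-style `@app.route(...)` decorators are assumed), builds an endpoint inventory, and reconciles it against a constructed OpenAPI-style `paths` object to surface undocumented endpoints and stale documentation.

```python
import re
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, str]  # (HTTP method, normalised path)
METHODS = {"get", "post", "put", "patch", "delete"}

# Assumed decorator shapes: @app.get("/x") and @app.route("/x", methods=["POST"])
FASTAPI_RE = re.compile(r'@\w+\.(get|post|put|patch|delete)\(\s*["\']([^"\']+)["\']')
FLASK_RE = re.compile(r'@\w+\.route\(\s*["\']([^"\']+)["\'](?:.*?methods\s*=\s*\[([^\]]*)\])?')
PARAM_RE = re.compile(r'\{[^}]+\}|<[^>]+>')  # {user_id} or <int:user_id>

def normalise(path: str) -> str:
    """Collapse path parameters so /users/{id} and /users/<int:id> compare equal."""
    return PARAM_RE.sub("{param}", path.rstrip("/") or "/")

def endpoints_in_source(source: str) -> Set[Endpoint]:
    """Extract (METHOD, path) pairs declared in application source code."""
    found: Set[Endpoint] = set()
    for method, path in FASTAPI_RE.findall(source):
        found.add((method.upper(), normalise(path)))
    for path, methods in FLASK_RE.findall(source):
        names = re.findall(r"[A-Za-z]+", methods) or ["GET"]  # Flask defaults to GET
        for m in names:
            found.add((m.upper(), normalise(path)))
    return found

def endpoints_in_spec(spec: Dict) -> Set[Endpoint]:
    """Extract (METHOD, path) pairs from an OpenAPI-style 'paths' object."""
    return {(m.upper(), normalise(p)) for p, ops in spec.get("paths", {}).items()
            for m in ops if m.lower() in METHODS}

def reconcile(source: str, spec: Dict) -> Dict[str, List[Endpoint]]:
    """Compare the code-derived inventory against the published specification."""
    impl, doc = endpoints_in_source(source), endpoints_in_spec(spec)
    return {
        "undocumented": sorted(impl - doc),   # in code, absent from docs (shadow candidates)
        "unimplemented": sorted(doc - impl),  # documented, no longer in code (stale docs)
        "matched": sorted(impl & doc),
    }

# Constructed sample input: a code fragment and the spec it is supposed to match.
SAMPLE_SOURCE = '''
@app.get("/users/{user_id}")
def get_user(user_id: int): ...
@app.post("/users")
def create_user(): ...
@app.route("/internal/export", methods=["GET", "POST"])
def export_all(): ...
'''
SAMPLE_SPEC = {"paths": {"/users/{user_id}": {"get": {}}, "/users": {"post": {}},
                         "/v1/legacy/users": {"get": {}}}}

if __name__ == "__main__":
    for kind, eps in reconcile(SAMPLE_SOURCE, SAMPLE_SPEC).items():
        print(kind, eps)
```

In a real pipeline the source would be walked file by file and the spec loaded from the repository, but the reconciliation step is the same set difference.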
Further, developers should keep a change log that can provide a full history of each API, giving them and AppSec managers the confidence to repurpose existing APIs effectively. This history can be particularly useful for identifying recent changes that may have added sensitive data to a public-facing API.
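A worked version of the change-log check above, added here as an example rather than taken from the article: it walks a constructed history of a public endpoint's response schema and reports the version in which each field matching a (constructed) sensitive-data name pattern first appeared, which is the question an AppSec reviewer would ask of such a log.

```python
import re
from typing import Any, Dict, List, Set, Tuple

# Constructed list of field-name fragments that commonly indicate personal data.
SENSITIVE_RE = re.compile(
    r"(ssn|social_security|national_id|passport|dob|birth|email|phone|address|card|iban|salary)",
    re.IGNORECASE,
)

def flatten(schema: Dict[str, Any], prefix: str = "") -> Set[str]:
    """Turn a nested response schema into dotted field paths, e.g. 'profile.email'."""
    paths: Set[str] = set()
    for name, value in schema.items():
        full = f"{prefix}{name}"
        if isinstance(value, dict):
            paths |= flatten(value, full + ".")
        else:
            paths.add(full)
    return paths

def audit_history(history: List[Tuple[str, Dict[str, Any]]]) -> List[Tuple[str, str]]:
    """Compare each schema version with its predecessor and return (version, field)
    for every newly added field whose name looks like personal data."""
    findings: List[Tuple[str, str]] = []
    previous: Set[str] = set()
    for version, schema in history:
        current = flatten(schema)
        for field in sorted(current - previous):  # only fields introduced in this version
            if SENSITIVE_RE.search(field):
                findings.append((version, field))
        previous = current
    return findings

# Constructed change history for the response body of a public-facing user endpoint.
PUBLIC_USER_HISTORY = [
    ("v1.0", {"id": "int", "display_name": "str"}),
    ("v1.1", {"id": "int", "display_name": "str", "avatar_url": "str"}),
    ("v1.2", {"id": "int", "display_name": "str", "avatar_url": "str",
              "profile": {"email": "str", "date_of_birth": "str"}}),
    ("v1.3", {"id": "int", "display_name": "str", "avatar_url": "str",
              "profile": {"email": "str", "date_of_birth": "str", "home_address": "str"}}),
]

if __name__ == "__main__":
    for version, field in audit_history(PUBLIC_USER_HISTORY):
        print(f"{version}: '{field}' added to the public response")
```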
Most importantly, a consolidated view of all API risks is essential. Businesses should implement solutions with API Security scan engines that can aggregate and correlate results from internal and external APIs.
AppSec teams can then prioritise the most critical API vulnerabilities based on their real-world impact and risk. This single, comprehensive view is crucial for managing API risks effectively across various projects.
Overall, organisations need clear visibility of their API attack surface and must initiate security measures at the source code level. This proactive approach facilitates early vulnerability detection, allows for the secure reuse of existing APIs, and significantly reduces both costs and risks.
Yoav Ziv is Chief Customer Success Officer at Checkmarx