Shadow APIs: An Overlooked Cyber-Risk for Orgs

Organizations shoring up their API security need to pay particular attention to unmanaged or shadow application programming interfaces.

Shadow APIs are Web services endpoints that are no longer in use, outdated, or undocumented, and therefore not actively managed. Application and security teams need to find such APIs and ensure each one is either documented or decommissioned to mitigate the significant risk they present, says Rupesh Chokshi, senior vice president, application security at Akamai.

The Risk From Unmanaged APIs

Chokshi is scheduled to present a talk on the topic at the upcoming RSA Conference 2024 in San Francisco next week. In a presentation titled "The Secret Life of APIs: Latest Attack Data Shows What Your APIs are Doing," Chokshi identifies shadow APIs as one of several postural — or implementation-related — issues that organizations must prioritize when tackling API security.

One of the biggest surprises for enterprises that increase their visibility into API activity is the sheer number of shadow endpoints in their environment that they were previously unaware of, Chokshi says. The first step to enabling better API security is to discover these shadow endpoint and either eliminate them or incorporate them into the API security program, he notes.

API security has become an increasingly pressing challenge for IT and security leaders. In recent years, many organizations have deployed APIs extensively to integrate disparate systems, applications, and services in a bid to streamline business processes and boost operational efficiencies. APIs have also played a central role in enabling digital transformation initiatives by giving companies a way to modernize legacy applications, adopt cloud services, and engage more efficiently with customers, partners, and other third parties.

The API Proliferation Challenge

The resulting proliferation of APIs has significantly expanded the attack surface at many organizations and exposed them to greater risks, Chokshi says. He points to research from Akamai earlier this year that found that 29% of all Web attacks in 2023 targeted APIs. Common attack vectors included SQL injection, cross-site scripting, session hijacking/session manipulation, and data harvesting attacks. Attackers targeted organizations in certain sectors more frequently than others. More than 44% of all Web attacks in the e-commerce sector, for instance, targeted APIs. Similarly, nearly 32% and 19% of the Web application attacks that business services organizations and healthcare organizations, respectively, encountered last year targeted application programming interfaces.

Chokshi says the API security challenges that most organizations encounter fall under two broad categories: postural and runtime related. Postural issues result from implementation weaknesses, such as those related to shadow APIs. An October 2022 research report from Cequence Security identified more than 31% of all malicious requests — or some 5 billion of 16.7 billion — targeted unknown and unmanaged APIs.

Other common postural problems include unauthenticated resource access, sensitive data in the URL, overly permissive cross-origin resource sharing, and excessive client errors, which can include issues like improper authentication.

The most common runtime problems — or active threats — that organizations typically encounter include unauthenticated attempts to access sensitive API resources; API activity with unusual JSON payloads, like unexpected data types; unexpected or malformed data as part of API requests; and data scraping attempts.

Given the rapidly evolving nature of the API threat landscape, organizations need to ensure they have proper visibility over their API environment, Chokshi notes. In addition to detecting and decommissioning shadow APIs, organizations need to maintain an inventory of their APIs. They also need to harden their API posture by, for instance, correcting flaws in API code and addressing misconfiguration issues; bolstering threat detection and response capabilities; and establishing an API threat hunting capability.