Shadow APIs: An Overlooked Cyber-Risk for Orgs

Share This Post

Organizations shoring up their API security need to pay particular attention to unmanaged or shadow application programming interfaces.

Shadow APIs are Web services endpoints that are no longer in use, outdated, or undocumented, and therefore not actively managed. Application and security teams need to find such APIs and ensure each one is either documented or decommissioned to mitigate the significant risk they present, says Rupesh Chokshi, senior vice president, application security at Akamai.

The Risk From Unmanaged APIs

Chokshi is scheduled to present a talk on the topic at the upcoming RSA Conference 2024 in San Francisco next week. In a presentation titled “The Secret Life of APIs: Latest Attack Data Shows What Your APIs are Doing,” Chokshi identifies shadow APIs as one of several postural — or implementation-related — issues that organizations must prioritize when tackling API security.

One of the biggest surprises for enterprises that increase their visibility into API activity is the sheer number of shadow endpoints in their environment that they were previously unaware of, Chokshi says. The first step to enabling better API security is to discover these shadow endpoint and either eliminate them or incorporate them into the API security program, he notes.

API security has become an increasingly pressing challenge for IT and security leaders. In recent years, many organizations have deployed APIs extensively to integrate disparate systems, applications, and services in a bid to streamline business processes and boost operational efficiencies. APIs have also played a central role in enabling digital transformation initiatives by giving companies a way to modernize legacy applications, adopt cloud services, and engage more efficiently with customers, partners, and other third parties.

The API Proliferation Challenge

The resulting proliferation of APIs has significantly expanded the attack surface at many organizations and exposed them to greater risks, Chokshi says. He points to research from Akamai earlier this year that found that 29% of all Web attacks in 2023 targeted APIs. Common attack vectors included SQL injection, cross-site scripting, session hijacking/session manipulation, and data harvesting attacks. Attackers targeted organizations in certain sectors more frequently than others. More than 44% of all Web attacks in the e-commerce sector, for instance, targeted APIs. Similarly, nearly 32% and 19% of the Web application attacks that business services organizations and healthcare organizations, respectively, encountered last year targeted application programming interfaces.

Chokshi says the API security challenges that most organizations encounter fall under two broad categories: postural and runtime related. Postural issues result from implementation weaknesses, such as those related to shadow APIs. An October 2022 research report from Cequence Security identified more than 31% of all malicious requests — or some 5 billion of 16.7 billion — targeted unknown and unmanaged APIs.

Other common postural problems include unauthenticated resource access, sensitive data in the URL, overly permissive cross-origin resource sharing, and excessive client errors, which can include issues like improper authentication.

The most common runtime problems — or active threats — that organizations typically encounter include unauthenticated attempts to access sensitive API resources; API activity with unusual JSON payloads, like unexpected data types; unexpected or malformed data as part of API requests; and data scraping attempts.

Given the rapidly evolving nature of the API threat landscape, organizations need to ensure they have proper visibility over their API environment, Chokshi notes. In addition to detecting and decommissioning shadow APIs, organizations need to maintain an inventory of their APIs. They also need to harden their API posture by, for instance, correcting flaws in API code and addressing misconfiguration issues; bolstering threat detection and response capabilities; and establishing an API threat hunting capability.

https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltd5e736e94dc27eb9/6632a1e57bed0fb3b861e1c2/api_Wright_Studio_shutterstock.jpg?disable=upscale&width=1200&height=630&fit=crop

This post was originally published on this site

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.
Article

BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .