Designed to rapidly and seamlessly connect consumers and businesses to vital data and services, APIs power modern enterprises and applications.
APIs are constantly in action, working in the background for when consumers finally book that dream vacation or place an online takeout order after a long workday.
With API usage so widespread, touching every industry, and the vast treasure troves of sensitive data they boast access to, it comes as no surprise that cyber criminals are increasingly exploiting and abusing APIs to execute malicious attacks.
If the name alone doesn't initially spark fear, Zombie APIs are APIs that have become abandoned, outdated or forgotten by an organization.
Similar to a Zombie who revives from the dead in a horror movie, Zombie APIs should be deceased but continue to lurk in the shadows within corporate environments.
Recent research from Salt Security revealed that 54% of security leaders categorize Zombie APIs as their greatest concern when it comes to API security.
As Zombie APIs are essentially forgotten and out of mind, there is no regular patching or updates being made in either a functional or security capacity.
Zombie APIs boast the power to become an incremental security risk.
While Zombie APIs pose significant threats to cyber resilience, there is one other great cause for concern within API security - the presence of Shadow APIs.
Shadow APIs can be defined as third-party APIs that exist outside of an organization's official API ecosystem, remaining invisible to most and void of security controls.
Oftentimes, these types of APIs are created and deployed by well-meaning developers on a time crunch to meet business and application innovation demands.
Despite no ill-intent from a developer, these unmanaged, non restricted APIs have the potential to cause severe vulnerabilities.
The presence of Zombie and Shadow APIs remains widespread across organizations, which in turn creates many opportunities for sly and sneaky bad actors to execute an attack.
Developers and engineers not only have a duty of care to keep a robust catalog of the APIs created and deployed, but also to brief the appropriate parties about deprecated APIs no longer being utilized.
This intel should be continually shared with security teams to ensure API inventories remain complete, make certain appropriate patching and testing initiatives are carried out and allow the complete removal of expired APIs.
Mitigating the volume of Zombie APIs requires developer and security teams to liaise with one another to comprehensively define and articulate robust API retirement policies and procedures and determine who is responsible for executing such activity.
Alleviating the threat of Shadow APIs also calls for deep synergy and collaboration amongst teams and strong DevSecOps practices.
Security teams must work with engineers and developers to define and enforce governance policies for APIs being created.
These policies should clearly describe which individuals can create new APIs, how they should be designed, deployed and utilized, and offer insight into the required testing mechanisms new APIs must undergo prior to being pushed into production.
The existence and proliferation of Zombie and Shadow APIs ultimately comes down to two factors: broken communication and human error.
This Cyber News was published on www.cyberdefensemagazine.com. Publication date: Sat, 13 Jan 2024 06:13:04 +0000