API sprawl: navigating the web of connectivity and security challenges


In today’s fast-evolving digital space, the proliferation of application programming interfaces (APIs) has been nothing short of explosive. One forecast predicts there will be nearly 1.7 billion active APIs by 2030, ushering in unparalleled opportunities for innovation and connectivity.

APIs act as a crucial bridge between software applications. They function below the application presentation layer, orchestrating data exchanges between software systems. However, as the API ecosystem expands, so do the challenges: in particular, new vulnerabilities and a greater risk of data exposure that attackers can exploit.

Yuval Shani

VP of Managed Services at Checkmarx

The API explosion and security implications

Managing APIs, from how they are built to the security mechanisms that protect them, has become a significant challenge. Teams must manage when APIs are deployed and when they are retired, as well as the data-exposure risks they create.

One significant hurdle in managing the security of APIs is the disconnect between security teams and developers. Often, security experts lack the detailed insight required to scrutinize the APIs woven into applications, and if API documentation is not in place, it becomes harder to manage the deployment, version control and retirement of APIs.

Recent reports indicate that as many as 40 to 50 percent of organizations have suffered the consequences of API breaches in the past year. Last year, a major telecommunications company in the Asia Pacific region fell victim to a security breach in which cyber criminals accessed the data of over 10,000 customers, including personal information, through an unprotected internet-facing API. The data wasn't merely stolen but actively exploited: some users received an email demanding a $2,000 payment to delete their information.

The risks of API sprawl

Incidents like this highlight the importance of managing and securing APIs. However, it’s easy for their use to lapse into a state of uncontrolled growth, known as ‘API sprawl’. Adopting an excessive number of APIs without proper tracking and management can quickly start to impact security.

"Zombie" and "shadow" APIs are key issues adding to the risk. Zombie APIs are obsolete APIs that remain within the infrastructure unnoticed after being replaced, and which therefore are no longer patched or updated. Shadow APIs, those outside the organization's visibility and governance processes, also pose a significant risk. These uncharted APIs sit under the radar of conventional security solutions such as DAST, WAFs or API gateways, which are designed to protect known elements. They create a blind spot that exposes organizations to unforeseen security threats.

As businesses continue their API journey, addressing the issue of ‘sprawl’ is a challenge that needs to take center stage to ensure that the power of APIs is harnessed responsibly and securely.

Internal vs. External APIs

The security challenges of API sprawl include both internal and external APIs, each presenting its own unique set of risks. Internal APIs, those crafted in-house to knit together microservices and applications, aren't immune to exploitation. Attackers with a keen eye can pinpoint vulnerabilities within these internal pathways and potentially exploit them.

External APIs, supplied by third-party services, enable developers to seamlessly incorporate their applications with external systems. However, this visibility and accessibility also makes them prime targets for malicious actors. A breach in an external API can have far-reaching consequences, affecting not just a single application but the entire ecosystem of integrated systems.

This means vigilance is paramount for external APIs. IT and security teams need to have a good understanding of which APIs are deployed across the business, and how they operate and interact with other systems. Having a clear picture of current APIs and their connections ensures that businesses can swiftly respond to any security incidents whether they stem from internal or external APIs, safeguarding the integrity of their network and data.

Securing the expansive API environment

An effective approach to API security should start with the code developers write. With this strategy, vulnerabilities, data-sensitivity issues and exploitable flaws in API code can be pinpointed by examining the code stored in the repository. This proactive approach enables teams to identify security concerns well before APIs enter production, when issues are easier and less costly to fix. Alongside this, organizations should set out API governance policies on the permitted use of internal and external APIs, specifying mandatory security procedures for developers. These policies should align with the recommendations in the OWASP API Security guidelines, and they must require comprehensive documentation of API usage, which helps identify the systems that are susceptible to potential API security vulnerabilities.

Additionally, it is important to regularly monitor external APIs for disclosed security issues, and teams should be ready to deal with third-party security issues as soon as they are reported. This should be combined with proactive and continuous API monitoring to detect unusual usage patterns that might signal malicious activity. These practices, when rigorously applied, allow businesses to harness the full potential of APIs while proactively mitigating the risks posed by sprawl.
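The two controls described above (keeping an inventory that exposes zombie and shadow APIs, and monitoring traffic for unusual usage) can be combined into one reconciliation check. The Python below is an added example, not code from the article or from Checkmarx: it reconciles constructed API gateway access-log lines against a constructed inventory of route templates with lifecycle status (the kind of inventory that can be generated from OpenAPI documents kept in the repository), reports routes that receive traffic but are not registered (shadow), routes that are registered as retired but still receive traffic (zombie), and clients whose request volume or authentication-failure ratio exceeds a baseline. The log format, inventory format and thresholds are assumptions chosen for the example.

```python
"""Reconcile gateway traffic against an API inventory and flag sprawl
indicators: shadow routes, zombie routes and unusual client behaviour.
Added example; log format, inventory format and thresholds are assumptions."""
import re
from collections import Counter

# Constructed inventory: "METHOD /route/template" -> lifecycle status.
API_INVENTORY = {
    "GET /v2/customers/{id}": "active",
    "POST /v2/orders": "active",
    "GET /v1/customers/{id}": "retired",  # replaced by /v2; should see no traffic
}

# Constructed gateway access log: "<timestamp> <client> <method> <path> <status>".
SAMPLE_LOG = "\n".join(
    [
        "2024-03-01T10:00:01Z 10.0.0.5 GET /v2/customers/42 200",
        "2024-03-01T10:00:02Z 10.0.0.5 POST /v2/orders 201",
        "2024-03-01T10:00:03Z 10.0.0.9 GET /v1/customers/42 200",          # zombie
        "2024-03-01T10:00:04Z 10.0.0.9 GET /internal/export?all=1 200",    # shadow
        "2024-03-01T10:00:05Z 10.0.0.9 GET /v1/customers/43 200",          # zombie
        "this line is malformed and must be skipped",
    ]
    # One client repeatedly rejected on the customer endpoint.
    + [f"2024-03-01T10:01:{i:02d}Z 203.0.113.7 GET /v2/customers/{i} 401" for i in range(8)]
)

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")


def parse_log(text):
    """Turn access-log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        events.append({"ts": ts, "client": client, "method": method,
                       "path": path.split("?")[0], "status": int(status)})
    return events


def route_regex(template):
    """Compile 'GET /v2/customers/{id}' into (method, regex matching concrete paths)."""
    method, path = template.split(" ", 1)
    segs = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
            for s in path.split("/")]
    return method, re.compile("^" + "/".join(segs) + "$")


def match_route(event, compiled):
    """Return the inventory template an event belongs to, or None if unregistered."""
    for template, (method, rx) in compiled.items():
        if method == event["method"] and rx.match(event["path"]):
            return template
    return None


def reconcile(events, inventory):
    """Count traffic to unregistered (shadow) and retired-but-live (zombie) routes."""
    compiled = {t: route_regex(t) for t in inventory}
    shadow, zombie = Counter(), Counter()
    for ev in events:
        route = match_route(ev, compiled)
        if route is None:
            shadow[f"{ev['method']} {ev['path']}"] += 1
        elif inventory[route] == "retired":
            zombie[route] += 1
    return shadow, zombie


def unusual_clients(events, max_requests=50, max_denied_ratio=0.5, min_requests=5):
    """Flag clients over a request budget or with a high share of 401/403 responses.
    Thresholds are assumptions; tune them to the API's observed baseline."""
    total = Counter(ev["client"] for ev in events)
    denied = Counter(ev["client"] for ev in events if ev["status"] in (401, 403))
    flagged = {}
    for client, n in total.items():
        reasons = []
        if n > max_requests:
            reasons.append(f"{n} requests in window")
        if n >= min_requests and denied[client] / n >= max_denied_ratio:
            reasons.append(f"{denied[client]}/{n} requests denied")
        if reasons:
            flagged[client] = reasons
    return flagged


def analyse(log_text, inventory=API_INVENTORY):
    """Run the full reconciliation and return a findings summary."""
    events = parse_log(log_text)
    shadow, zombie = reconcile(events, inventory)
    return {"events": len(events), "shadow": dict(shadow), "zombie": dict(zombie),
            "unusual": unusual_clients(events)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Each shadow finding is a route to either register and document or shut off; each zombie finding is a retired route still in use, which means a consumer has not migrated and the old code is still exposed without patches. The client check is deliberately simple (volume and denied-request ratio over the log window) so that it can run on the gateway's own logs before any dedicated API security tooling is in place.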


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Yuval Shani is VP of Managed Services at Checkmarx, experienced in leading high-scale, cross-functional global sales and software delivery operations in a matrix organization.