One of Gartner’s 2022 security predictions is focused on the adoption and growth of APIs, which will require improvements in management and security. There were some interesting planning assumptions in this research note about the challenges organizations will increasingly face in 2022 and beyond. For example, “By 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools,” and “By 2025, the percentage of third-party APIs used in applications will average 30%, up from less than 10% in 2021, complicating dependency management.”
The growth, lack of management, and increasing complexity associated with using APIs mean more attack surface for security teams to contend with and more opportunities for attackers to breach organizations. If APIs were properly managed and secured, this wouldn’t be such a big deal. But APIs are no different from other IT and digital assets in an organization: they get created, deployed and used without the awareness of security teams. Lurking there unseen, waiting to be attacked, these are what we call “shadow APIs.”
Eventually, “zombie APIs” also emerge as new API versions get deployed and legacy APIs are not shut down or deprecated. They are the APIs that have been forgotten and neglected, becoming potential soft targets in your attack surface that attackers are constantly seeking to exploit.
So why worry about shadow and zombie APIs? Because attackers love them. According to Salt Security’s API Security Trends research, API attacks were up 348% in the first six months of 2021, and API usage had increased 141%. Salt also reported that 94% of respondents said they experienced an API security incident in the last 12 months. API usage isn’t slowing down, and it’s safe to assume that attacks will continue at the same or greater pace.
So how do you combat shadow and zombie APIs? First, you need visibility of the APIs that are exposed and could be abused by attackers. Second, you need assurance that the APIs are resilient to attack.
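The visibility step above amounts to reconciling what is actually serving traffic with what the API team believes is deployed. The following is an added example (not code from Bugcrowd or from the original post) that does that reconciliation over a constructed inventory and a few constructed gateway log lines: routes that answer successfully but are absent from the inventory are flagged as shadow APIs, and routes the inventory marks as retired but that still answer are flagged as zombie APIs. The inventory format, the log line format and the `route_of` normalization are assumptions made for the illustration.

```python
"""Reconcile observed API traffic with a documented inventory to surface
shadow and zombie APIs.

Constructed example: the inventory and the log lines below are made up
for illustration and describe no real system.
"""
import re
from collections import Counter

# Constructed inventory: what the API team believes is deployed.
# "active"  = current, supported version
# "retired" = documented as decommissioned; should no longer answer
DOCUMENTED_APIS = {
    "/api/v2/users": "active",
    "/api/v2/orders": "active",
    "/api/v1/users": "retired",
}

# Constructed gateway access-log lines: "<METHOD> <path> <status>".
SAMPLE_LOG = """\
GET /api/v2/users/123 200
POST /api/v2/orders 201
GET /api/v1/users/123 200
GET /api/v1/users/456 200
GET /internal/debug/config 200
GET /api/v2/orders/9 404
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def route_of(path: str) -> str:
    """Reduce a concrete request path to its route by dropping purely
    numeric path parameters, so /api/v2/users/123 and /api/v2/users/456
    both count as /api/v2/users. (Assumed convention for this example.)"""
    segments = [s for s in path.split("/") if s and not s.isdigit()]
    return "/" + "/".join(segments)


def parse_log(log_text: str):
    """Yield (method, route, status) for every well-formed log line;
    malformed lines are skipped rather than aborting the scan."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["method"], route_of(m["path"]), int(m["status"])


def classify(log_text: str, inventory: dict) -> dict:
    """Compare live traffic with the documented inventory.

    shadow: served successfully but absent from the inventory
    zombie: marked retired in the inventory but still serving 2xx/3xx
    active: documented, current, and observed

    Only successful responses count as evidence that an endpoint is
    live; a 404 for an unknown path is a probe, not a shadow API.
    """
    hits = Counter()
    for _method, route, status in parse_log(log_text):
        if 200 <= status < 400:
            hits[route] += 1

    result = {"shadow": set(), "zombie": set(), "active": set(), "hits": hits}
    for route in hits:
        state = inventory.get(route)
        if state is None:
            result["shadow"].add(route)
        elif state == "retired":
            result["zombie"].add(route)
        else:
            result["active"].add(route)
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_LOG, DOCUMENTED_APIS)
    for kind in ("shadow", "zombie", "active"):
        for route in sorted(report[kind]):
            count = report["hits"][route]
            print(f"{kind:7s} {route}  ({count} successful requests)")
```

In practice the inventory would come from an API gateway or an OpenAPI catalogue and the traffic from gateway or load-balancer logs, but the logic is the same: every route that serves a successful response and has no owner, or has an owner who believes it is gone, is a candidate for either decommissioning or being brought under management and testing.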
But traditional application security solutions alone are not enough to protect APIs; if they were, the problem would be much less acute. The Bugcrowd Security Knowledge Platform offers a Pen Testing as-a-Service solution for APIs, and a Bug Bounty solution that can include APIs in its scope, as proven, think-outside-the-box ways to proactively find API risk before it bites you. That’s a potent combination for protecting your APIs, getting security assurance, and earning trust from customers and partners. (Add a Vulnerability Disclosure program, and now you’re really covered.)
Furthermore, Attack Surface Management solutions on the Bugcrowd Security Knowledge Platform are highly effective at rooting out zombie and shadow APIs that are lurking out there in your environment. ASM – Asset Inventory provides continuous monitoring and visibility of the external IT and digital assets across your attack surface. ASM – Asset Risk applies the power of the crowd to give you the same view of your attack surface that attackers have, and more. The combination of these Attack Surface Management solutions will help discover the shadow and zombie APIs in your environment, and let you take action to make them more resilient to attacks.