Skip links

Managing the hidden risks of shadow APIs

Partner Content Application programming interfaces (APIs) play a significant role in today’s digital economy, but at the same time they can also represent a data security vulnerability.

While APIs serve as building blocks to modern app development, their proliferation and sprawl have also been exploited by bad actors targeting web apps to initiate data breaches, account takeover, fraud and other threats.

API endpoints increase an application’s attack surface area and introduce vulnerabilities and compliance issues that traditional app security tools struggle to mitigate. Compounding the problem are the countless outdated or undocumented APIs, dubbed shadow APIs, that connect to applications which organizations have long forgotten or hardly ever use. Many of these were built to facilitate internal tests or work around various limitations in a bid to speed up the integration of multiple, disparate systems. But without proper management, continuous monitoring, and security controls, they have also introduced persistent risks in real-world deployments and operations.

A discussion at an F5-Google webinar this year explored the difficulty involved in ascertaining whether performance issues and other disruptions occurring in systems and applications were signs that API sprawl was a contributing factor to cyber attacks. What we do know is that organizations commonly struggle with visibility into the state of API security. Security, governance, and efficiency challenges are further compounded by the increased adoption of hybrid cloud infrastructure and microservices. Multi-cloud complexity and multi-app business processes make enforcing consistent security difficult, and vulnerabilities that exist within APIs deployed or integrated into larger applications are hard to mitigate and even harder to remediate.

Key ways to manage shadow APIs entail API documentation and inventory, API Discovery, API validation, and comprehensive visibility into the security of API endpoints.

API documentation and inventory

The F5 Distributed Cloud API Security solution is built to provide deep insights with the use of artificial intelligence (AI) and machine learning (ML) to identify shadow APIs, block API attacks in real time, and eliminate vulnerabilities at their source.

This requires a solid process for publishing APIs with proper documentation which records how the API behaves and how it interacts with other APIs. This approach solves the problem of app developers deploying public APIs, bypassing internally mandated security processes and procedures, and pushing them into production without proper documentation.

With F5 Distributed Cloud Web App and API Protection, security teams can build a comprehensive inventory of all known APIs, their endpoints and expected operations. Since APIs change frequently, the process runs periodically to ensure that the API inventory is up to date.

API discovery and validation

API discovery and validation are complemented by two other fundamental elements of API security – authentication and authorization. Authentication verifies the identity of users or systems trying to access an API based on username/password, API keys, tokens and biometrics. Authorization limits the actions an authenticated user or system is allowed to perform within the API through access control rules, roles and permissions.

The F5 Distributed Cloud Platform automatically discovers API endpoints mapped to applications, blocks unwanted connections and suspicious requests, and monitors for anomalous behavior or shadow APIs to prevent data leakage. To prevent injection attacks and other exploits, input validation rules define what is considered valid data. This process ensures that the data received from external sources, such as user inputs or APIs, are safe, reliable and free from malicious content.

Comprehensive visibility

In today’s dynamic API landscape, maintaining comprehensive visibility into the security posture of API endpoints is paramount.

All critical app and API security controls necessary to protect an app’s entire ecosystem can be deployed and managed through the unified API security console of the F5 Distributed Cloud Platform. This allows DevOps and SecOps teams to observe and quickly identify suspected API abuse as anomalies are detected as well as create policies to stop misuse.

This requires the use of ML models to create baselines of normal API usage patterns. Continuous ML-based traffic monitoring allows API security to predict and block suspicious activity over time. Deviations from these baselines and other anomalies trigger alerts or automated responses to detect outliers, including rogue and shadow APIs.

Dashboards play a crucial role in providing the visibility required to monitor and assess the security of APIs. The F5 Distributed Cloud WAAP platform extends beyond basic API inventory management by presenting essential security information based on actual and attack traffic. Specifically, the API Endpoints Dashboard presents the Top Attacked APIs by percentage of attacks, Top Sensitive Data types found, Total API calls broken down by response code, and Most Active APIs.

Critical information – such as discovered sensitive data types, threat levels determined by attack traffic, authentication status, API category and the API’s risk score – enables DevOps and SecOps teams to quickly identify potential vulnerabilities, prioritize remediation efforts, and make informed decisions to strengthen the security posture of the APIs.

Intelligent risk mitigation

The SaaS-based F5 Distributed Cloud Platform enables users to manage and tap on threat analytics, forensics, and troubleshooting of API communications in modern applications.

AI is used to identify complex attack patterns and zero-day vulnerabilities that traditional rule-based systems cannot detect. Methods such as behavioral analytics to detect suspicious behavior may indicate potential threats from malicious users while risk-based controls step up the authentication process, making it more stringent with any increase in perceived threat level.

The F5 solution scans and tests APIs in a runtime environment to uncover vulnerabilities in APIs before they are in production, where remediation is more costly and frustrating. It detects and blocks attacks listed in the OWASP API Top 10 in real time at the development and production layer.

Ultimately the F5 Distributed Cloud Platform is designed to enable unified management of infrastructure and workloads across multiple compute environments for flexible deployment, secure app-to-app interconnection, and consistent policy enforcement across cloud, data center and edge as well as the application lifecycle.

This approach to API security heralds something of a shift in the common risk management approach, especially with the rise of shadow APIs. Enterprising and innovative organizations now have the power to correlate data insights at scale through comprehensive cross-platform visibility and the intense power of AI and ML.

This article was contributed by F5.