Application programming interfaces (APIs) play a central role in modern software by letting systems read from and write to one another. Businesses lean on them heavily to extend functionality. For example, developers can use the Jira REST API to let users create Jira tickets from within a Slack application.
A shadow API is any API deployed by developers that is not secured, registered, or monitored by the organization's IT or security team. Shadow APIs are a serious security threat: they open attack paths that can lead to breaches (as in the PandaBuy API leak) and they create operational blind spots and inefficiencies.
This article explains what shadow APIs are, highlighting their associated risks. We’ll also walk through how to identify them and how to mitigate their risks using discovery and inventory tools.
What is a shadow API?
A shadow API is an API created without any involvement or oversight from the security or IT team. These APIs are not necessarily malicious; rather, developers likely create them for the sake of speed and convenience, ignoring the inherent risks of bypassing established organizational IT processes for procuring and managing software.
Traditional vs. shadow APIs
In an organization, a traditional API with proper management has documentation and governance. The IT team has approved the API and can track and monitor its risk profile. Documentation helps with collaboration — other members of the organization can use the API too — and governance helps the organization with compliance audits and certifications.
On the other hand, shadow APIs emerge within organizations when:
API documentation and registration processes are overly burdensome
Developers are unaware of API security and compliance requirements when developing a new API
Formal API documentation and management processes are lacking
Because nobody is overseeing them, shadow APIs may be nonstandard, noncompliant, and insecure, and each one weakens the organization's security posture.
Risks associated with shadow APIs
Shadow APIs expose organizations to a range of risks, including security vulnerabilities, compliance issues, and operational disruptions.
Security vulnerabilities
Shadow APIs often lack the controls that registered APIs get by default, and because nobody owns them, nobody notices the gap. For example, an API with weak or missing authentication (one that accepts a password alone, with no multi-factor authentication) lets an attacker get in with stolen or guessed credentials. Another example is an API built on a dependency with a known vulnerability: since the API is not in any inventory, it is not patched, and an attacker who stumbles on the endpoint can exploit it at leisure. Both paths lead to unauthorized access and data breaches.
Compliance issues
Another reason that every API used in an organization should be part of an API management system and have associated documentation is so that the organization can adhere to regulatory requirements. The discovery of undocumented APIs during an audit can result in significant penalties, including fines and certification revocations. In the case of FedRAMP, for example, noncompliance could lead to a loss of government contracts and customers.
Operational disruptions
If systems rely on undocumented and unmonitored APIs, system performance and reliability might suffer. For example, consider a critical business process that uses a shadow API. If that API fails, identifying the source of the problem — since the API is undocumented and unknown — can be extremely difficult. This complexity hinders effective incident response and troubleshooting, leading to prolonged downtime and business disruption.
Identifying shadow APIs
In light of these risks, what measures can you adopt to identify the presence of shadow APIs in your organization?
Use API discovery tools: Leverage purpose-built tools to discover APIs that aren't tracked in any form of API inventory management. These tools typically observe live traffic at API gateways, load balancers, or network taps and reconcile the endpoints they see against the inventory; anything that receives traffic but has no registered owner is a candidate shadow API. One such example is Salt, an easily implementable, automated API discovery tool that can find shadow APIs.
Implement an API inventory: Systems built for managing API inventories, such as Postman or MuleSoft, give organizations a single system to register and document APIs. API inventories are essential for compliance reporting, and they provide a central dashboard for developers to make it easier to identify issues and integrate with existing APIs.
Perform continuous discovery and assessment: Developers can deploy a new API at any moment, so it’s important to have discovery tools run continuously to check for new APIs or for older APIs that are no longer used. Perform regular assessments on these APIs so that the introduction of new APIs does not compromise your regulatory posture or operational excellence.
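The reconciliation at the heart of the three steps above can be done with nothing more than gateway access logs and the inventory. The following is an added example, not code from the original article or from any discovery product: it normalizes each logged request into a route template, compares it against the registered routes, and reports what nobody registered. The inventory format, the JSON log format and the log lines themselves are constructed for the demonstration.

```python
"""Reconcile API routes seen in gateway access logs against a registered
inventory and report the ones nobody registered (candidate shadow APIs).

Added example; the log format, inventory format and sample data are all
constructed for the demonstration.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed inventory of registered, documented routes. In practice this
# would be generated from the inventory system (for example, the paths in each
# registered OpenAPI document).
INVENTORY = {
    "orders-api": ["GET /v1/orders", "POST /v1/orders", "GET /v1/orders/{id}"],
    "users-api": ["GET /v1/users/{id}", "PATCH /v1/users/{id}"],
}

# Constructed gateway access log (JSON lines). Some of these routes are not in
# the inventory at all; one is an unregistered operation on a registered API.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:12:03Z","method":"GET","path":"/v1/orders/8812","status":200,"src":"10.0.4.7"}
{"ts":"2024-05-01T09:12:09Z","method":"POST","path":"/v1/orders","status":201,"src":"10.0.4.7"}
{"ts":"2024-05-01T09:13:44Z","method":"GET","path":"/v1/users/17","status":200,"src":"10.0.9.2"}
{"ts":"2024-05-01T09:15:01Z","method":"GET","path":"/internal/export/customers","status":200,"src":"203.0.113.5"}
{"ts":"2024-05-01T09:15:07Z","method":"GET","path":"/internal/export/customers","status":200,"src":"203.0.113.5"}
{"ts":"2024-05-01T09:16:30Z","method":"DELETE","path":"/v1/orders/8812","status":204,"src":"10.0.4.7"}
{"ts":"2024-05-01T09:17:12Z","method":"GET","path":"/v2beta/reports/42/download","status":200,"src":"198.51.100.9"}
"""

# Path segments that look like identifiers (integers, UUIDs, long hex strings)
# are collapsed to "{id}" so /v1/orders/8812 and /v1/orders/9001 are one route.
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{16,})$",
    re.IGNORECASE,
)


def normalize_route(method: str, path: str) -> str:
    """Turn a concrete request into a route template such as 'GET /v1/orders/{id}'."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    segments = ["{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/")]
    return f"{method.upper()} {'/'.join(segments)}"


def registered_routes(inventory: dict) -> set:
    """Flatten the inventory into the set of registered 'METHOD /route' strings."""
    return {route for routes in inventory.values() for route in routes}


def find_shadow_routes(log_text: str, inventory: dict) -> dict:
    """Return {route: {"hits": n, "sources": [...]}} for every route that
    received traffic but is absent from the inventory, busiest first."""
    known = registered_routes(inventory)
    hits = Counter()
    sources = defaultdict(set)
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        route = normalize_route(rec["method"], rec["path"])
        if route in known:
            continue
        hits[route] += 1
        sources[route].add(rec["src"])
    return {
        route: {"hits": n, "sources": sorted(sources[route])}
        for route, n in hits.most_common()
    }


if __name__ == "__main__":
    for route, info in find_shadow_routes(SAMPLE_LOG, INVENTORY).items():
        print(f"UNREGISTERED {route:<38} hits={info['hits']} from={','.join(info['sources'])}")
```

Two things the output makes visible that a manual review tends to miss: an entirely unregistered path (`/internal/export/customers`, called from an address outside the internal range) and an unregistered operation on a registered API (`DELETE /v1/orders/{id}`), which is just as much a shadow API as a whole new service. Run this continuously over fresh logs rather than once; a route that appears in traffic and vanishes from the next run is worth a question too.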
Mitigating the risks of shadow APIs
Mitigating the associated risks of shadow APIs is an essential component of modern cybersecurity practices. The following practices can help your organization in this effort.
Practice #1: Establish governance policies
Organizations that want to guard against the existence of shadow APIs can start by developing guidelines for API development and usage. For example, introduce a standardized process for deploying new APIs. This process should involve registration with the IT and/or security team and writing API documentation. Another important step is to implement an API management framework. This will make it easier to view all APIs in one place and register new ones.
Practice #2: Adopt security best practices
Perform regular assessments of your API infrastructure. This can include penetration testing as well as process assessments, such as ensuring dependency scanning is implemented across the organization. It is important to ensure that basic security best practices are in place for all your APIs. These include:
Requiring strong passwords
Requiring multi-factor authentication
Enforcing reasonable token expiration times
Adopting the principle of least privilege
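The last two items in that list, token expiration and least privilege, are concrete enough to show in code. The following is an added example, not code from the original article: a minimal HMAC-signed (HS256, JWS-style) bearer token built with the standard library so it runs offline, with a verifier that pins the algorithm, rejects expired tokens, and enforces per-operation scopes. The key, subject names, scope names and clock values are constructed for the demonstration; in production, use a maintained JWT library rather than hand-rolled token code.

```python
"""Bearer-token checks for an API endpoint: pinned algorithm, short lifetime,
and least-privilege scopes.

Added example built on the standard library; the key, scopes and clock values
are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-use"  # assumption: shared HMAC key for the demo
DEFAULT_TTL = 900                             # 15 minutes, not days


class TokenError(Exception):
    """Raised for any token the endpoint must refuse."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, now: int, ttl: int = DEFAULT_TTL, key: bytes = SECRET) -> str:
    """Mint an HS256-signed token carrying only the scopes the caller needs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, required_scope: str, now: int, key: bytes = SECRET) -> dict:
    """Return the claims if the token is well signed, unexpired and grants
    required_scope; raise TokenError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        raise TokenError("malformed token")
    # Pin the algorithm server-side: the token never gets to choose it, which
    # shuts the door on "alg":"none" and key-confusion downgrades.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    # Reject tokens with no expiry at all, not just ones that have passed it.
    if "exp" not in claims or now >= int(claims["exp"]):
        raise TokenError("expired")
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise TokenError(f"missing scope {required_scope}")
    return claims


def check_token(token: str, required_scope: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the reason the token was refused."""
    try:
        verify_token(token, required_scope, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("svc-reports", ["orders:read"], now)
    print(check_token(token, "orders:read", now + 60))               # ok
    print(check_token(token, "orders:write", now + 60))              # missing scope orders:write
    print(check_token(token, "orders:read", now + DEFAULT_TTL + 1))  # expired
```

The scope check is where least privilege lives: a reporting service minted with `orders:read` cannot call a write endpoint even with a perfectly valid token, so a leaked token from a low-privilege client stays low-privilege. Keep lifetimes short enough that a stolen token is useless soon after the theft is noticed, and never accept a token without an `exp` claim.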
Practice #3: Implement proper monitoring and logging
Real-time API monitoring is vital for establishing a usage baseline per API and per client, which is what lets security teams detect and alert on suspicious activity (such as an API being called from an unusual network or at odd hours, or a client suddenly calling an endpoint it has never used). Logging every call (who called what, when, from where, and with what result) is the simplest way to track API usage, and it gives developers and security personnel the evidence they need to debug and investigate issues as they arise.
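The baseline-then-alert approach above is straightforward to prototype over structured access logs. The following is an added example, not code from the original article: it builds a per-client baseline (source networks, active hours, routes used) from historical log lines and then flags new calls that deviate from it. Location is approximated by the /24 network of the source address, an assumption made so the example runs offline; production systems would use GeoIP or ASN data. The JSON log format, client names and log lines are constructed for the demonstration.

```python
"""Baseline API usage per client and flag calls that deviate from it.

Added example; location is approximated by the source /24 network (an
assumption) and all log lines are constructed for the demonstration.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed history: a billing service that calls two routes from the
# 10.0.4.0/24 network during business hours (UTC).
BASELINE_LOG = """
{"ts":"2024-04-02T08:05:00Z","client":"svc-billing","src":"10.0.4.7","route":"GET /v1/orders"}
{"ts":"2024-04-02T10:40:00Z","client":"svc-billing","src":"10.0.4.12","route":"POST /v1/invoices"}
{"ts":"2024-04-03T13:15:00Z","client":"svc-billing","src":"10.0.4.7","route":"GET /v1/orders"}
{"ts":"2024-04-04T15:30:00Z","client":"svc-billing","src":"10.0.4.12","route":"GET /v1/orders"}
{"ts":"2024-04-05T17:55:00Z","client":"svc-billing","src":"10.0.4.7","route":"POST /v1/invoices"}
"""

# Constructed new traffic: one normal call and four kinds of deviation.
NEW_LOG = """
{"ts":"2024-05-01T11:02:00Z","client":"svc-billing","src":"10.0.4.7","route":"GET /v1/orders"}
{"ts":"2024-05-01T10:10:00Z","client":"svc-billing","src":"203.0.113.9","route":"GET /v1/orders"}
{"ts":"2024-05-02T03:14:00Z","client":"svc-billing","src":"10.0.4.12","route":"GET /v1/orders"}
{"ts":"2024-05-02T14:00:00Z","client":"svc-billing","src":"10.0.4.7","route":"GET /internal/export/customers"}
{"ts":"2024-05-02T14:05:00Z","client":"svc-etl","src":"10.0.4.7","route":"GET /v1/orders"}
"""


def _parse(line: str):
    """Return (client, route, source /24 network, UTC hour) for one log line."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    net = str(ipaddress.ip_network(f"{rec['src']}/24", strict=False))
    return rec["client"], rec["route"], net, ts.hour


def build_baseline(log_text: str) -> dict:
    """Per client: the networks, hours of day and routes seen in the history."""
    baseline = defaultdict(lambda: {"networks": set(), "hours": set(), "routes": set()})
    for line in log_text.strip().splitlines():
        client, route, net, hour = _parse(line)
        b = baseline[client]
        b["networks"].add(net)
        b["hours"].add(hour)
        b["routes"].add(route)
    return dict(baseline)


def _near_usual_hour(hour: int, usual: set, slack: int) -> bool:
    """True if hour is within `slack` hours (wrapping at midnight) of any usual hour."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= slack for h in usual)


def detect(log_text: str, baseline: dict, hour_slack: int = 1) -> list:
    """Return one finding dict per deviation from the client's baseline."""
    findings = []
    for line in log_text.strip().splitlines():
        client, route, net, hour = _parse(line)
        event = {"client": client, "route": route, "src_net": net, "hour": hour}
        b = baseline.get(client)
        if b is None:
            findings.append({"reason": "unknown client", **event})
            continue
        if net not in b["networks"]:
            findings.append({"reason": "new source network", **event})
        if not _near_usual_hour(hour, b["hours"], hour_slack):
            findings.append({"reason": "outside usual hours", **event})
        if route not in b["routes"]:
            findings.append({"reason": "route never used by this client", **event})
    return findings


if __name__ == "__main__":
    for f in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"ALERT {f['reason']:<32} client={f['client']} route={f['route']} "
              f"net={f['src_net']} hour={f['hour']:02d}")
```

A baseline built from a few days of logs is coarse, so start with alerts as leads for investigation rather than automatic blocks, and widen `hour_slack` or the network granularity until the false-positive rate is tolerable. The "route never used by this client" signal doubles as a discovery mechanism: a client reaching a route that the inventory does not know about is both an anomaly and a shadow API candidate.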