Wrestling with the Problem of API Sprawl

The API ecosystem is global and rapidly expanding. In its 2021 State of the API Report, Postman reported that its user base spanned 234 countries and collectively made 855 million API requests. Over half of Postman survey respondents also indicated that they deploy new APIs to production once per day, once per week, or once per month. Similarly, Axway reported that API-first enterprises are building APIs in hours or days rather than weeks or months, enabling them to deliver over 40 digital projects in a year. These statistics reflect a rapid delivery cadence and changing API landscape that inevitably results in more APIs and a shifting API attack surface.  

Significant API proliferation has turned into significant API sprawl, which increases operational and security challenges for organizations.  Several factors contribute to API sprawl including:

• Adoption of cloud-native design patterns and microservices architectures
• Use of API-enabled cloud infrastructure
• Support for increasingly mobile consumer and employee user populations as well as machine identities
• Consumption of SaaS-delivered services and mobile applications
• Partner and supplier integrations, commonly referred to as digital supply chains

API protocol disparities also contribute to API sprawl since multiple APIs may need to be built or integrated to support varied clients and service types. REST still dominates much of the API landscape but GraphQL is also gaining adoption, as is gRPC within microservice architectures.

How did we get here?

It’s practically impossible for an organization to satisfy all elements of a customer or employee transaction end-to-end. Nearly every entity, irrespective of industry, works with other suppliers and partners to facilitate functionality or exchange data. Since their widespread adoption in the early 2000s, APIs are the main mechanism to provide functionality and serve data. The resulting API sprawl is an indicator of how effective APIs are for service delivery.

API sprawl introduces significant operational and security challenges for organizations. Pressing concerns include risk of business logic abuse, data exposure, and privacy impacts. With API sprawl, there’s also a high likelihood that a given organization only understands a fraction of its total API consumption. These challenges cannot be addressed using traditional approaches like API gateways or web application firewalls (WAFs). Indeed, most of the API security issues presented in the OWASP API Security Top 10 are not directly solvable with these technologies.

The challenge of API asset management

Many organizations are embracing cloud infrastructure and services in some capacity, and cloud compute has become increasingly abstracted. Organizations also still host a great deal of systems and applications within on-premises data centers. Additionally, many organizations adopt other “flavors of cloud” beyond just infrastructure-as-a-service, including managed container or Kubernetes platforms, low-code application platforms, and serverless or function-as-a-service platforms. Some organizations also frequently consume software-as-a-service offerings to support their business. Kubernetes itself is declarative infrastructure, interacted with via API. And most applications or services being built today are API-enabled or API-first.

An organization’s API inventory is also more than the APIs it mediates with API gateways or the APIs it formally publishes within an API management suite. Often, those APIs only include Internet-exposed APIs where increased observability and access control is desired. Or in the case of APIM, it may only be those APIs that are productized or monetized by the organization. Axway reported that the average enterprise uses three different API management offerings, with the number expected to grow to five for some organizations by 2023. This reality of enterprise architecture and API delivery results in blind spots for organizations with respect to unified API management, visibility, and governance.

The large spectrum of application, compute, and service types makes universal visibility and control difficult for security teams to achieve. Even if an organization could achieve full visibility over all its assets, it won’t have the same level of visibility across all its partners and suppliers and the complete digital supply chain.

Containing the sprawl

Getting visibility into all your environments is central to addressing API sprawl. It’s not enough to deploy an API gateway or perimeter proxy – it will not give you the complete picture of your API traffic. Your systems, applications, and APIs and the data they interact with span many environments. Discovering all API assets requires that the organization gather telemetry at multiple points of its enterprise architecture.

To keep up with API sprawl, organizations inevitably need to seek new tooling that:

• integrates with the numerous technology stacks and varieties of compute that are used across all environments
• works in tandem with pre-existing network proxies and gateways to enforce the most appropriate type of mitigation, in the most appropriate point of an architecture, for a given API exploit or abuse
• is functional “out of the box”
• continuously learns the uniqueness of an organization’s environments and business logic

API Security platforms reduce your risk

Dedicated API security tooling, and specifically platforms that provide full life cycle security capabilities, help organizations that are facing the problem of API sprawl. A given organization’s API inventory must include all internal (private), external (public), partner APIs, and third-party APIs. Continuous discovery of all the APIs that an organization builds, integrates, or consumes enables API teams and security teams to better understand their relative API security risk and prioritize security controls more effectively.  

This end state can only be achieved with security tooling that is cloud-scale itself and that makes ample use of AI/ML (i.e., machine assistance) to analyze all API telemetry, produce meaningful signals for IT teams, and protect APIs accordingly.

Here at Salt, we’re helping customers get a handle on their API sprawl with automatic API discovery, data classification, API attack detection and prevention, and shift-left tactics that identify API vulnerabilities in pre-production. If you’d like to see the platform in action, request a personal demo.

‍

‍

*** This is a Security Bloggers Network syndicated blog from Salt Security blog authored by Michael Isbitski. Read the original post at: https://salt.security/blog/wrestling-with-the-problem-of-api-sprawl