The Security Challenges of API Sprawl

When you have a lot of something—of anything—it’s hard to keep track. It could be books, cats, tools in the garage, apps on the phone. And when you can’t keep track, you create some level of risk, likely as a result of poor inventory and control.

Well, this is what we’re seeing with APIs today. A survey conducted by Axway found that while more organizations are adopting hybrid technologies, there is a growing concern about API sprawl.

Brian Otten, VP of the digital transformation catalysts division with Axway, defined API sprawl as “an uncontrolled proliferation of APIs in an organization” that is the result of “uncoordinated API delivery across an organization due to the lack of a well-defined API program and universally-adopted API operational life cycle.”

And, not surprisingly, with API sprawl comes greater risk. We’re regularly seeing data breaches that are caused by vulnerabilities in APIs, with the most recent high-profile API-related breach impacting millions of T-Mobile customers.

Lack of API Inventory

Sprawl is a major reason why many organizations lack a good inventory of their APIs.

“Every day, new APIs are created to connect a business or service to partners and customers. APIs are also created to connect applications internally,” explained Edward Roberts, VP of marketing at Neosec, in an email interview. “And any new business acquisition brings inside another set of APIs that are not documented.”

The growth of APIs and their usage comes in tandem with the increased amount of internet traffic that occurs on them. It becomes a vicious cycle, with the need for more APIs to keep our businesses and personal lives connected but with little accountability for them.

“Because no single person inside an organization controls every API, the sprawl is creating a vast spaghetti bowl of shadow APIs that are unsanctioned (including zombie, rogue or hidden APIs) or out-of-date ones (like deprecated, legacy or orphaned APIs),” said Roberts. “This API sprawl is creating a vast attack surface that must be protected from abuse.”

Security Challenges of API Sprawl

You can’t protect what you don’t know, so the foremost challenge of API sprawl is discovery and inventory. “Getting visibility into the API estate within an organization allows the ability to address the more advanced security problems,” says Roberts.

API sprawl also prevents adoption of new security approaches across the board, Otten pointed out, and this leaves more vulnerable security mechanisms in place.

Auditing for compliance regulations is another challenge. Each API requires documentation that should be up-to-date with the latest version of the API. Without that, you can’t easily audit business controls, and that makes security compliance difficult, if not impossible, to prove.

Finally, there is the challenge of knowing if there is any abuse happening within each API. “Understanding normal traffic behavior versus abnormal abusive traffic is key to seeing if data is being scraped and stolen, user credentials are compromised, or even if usage agreements have been exceeded,” said Roberts. “The ramifications for allowing API abuse are data loss, monetary loss, compliance problems and downtime.”

The Risks of Sprawl

The security risks within APIs are very real. Because there are more APIs than ever before, API traffic is growing exponentially. According to Otten, here are some of the security risks due to API sprawl that organizations should be aware of:

– Poor adoption of APIs due to the inability to search for and discover the right APIs for digital product and service delivery, leading to low return on investment of API initiatives.

– Duplication of effort and little to no reuse of APIs leading to unnecessary and spiraling costs.

– Misuse of data leading to the inability to make data-informed decisions, or worse, ill-informed data decisions.

– APIs that are not aligned to business capabilities with little to no reuse and point-to-point interfaces that tightly couple applications to data sources, resulting in technology lock-in and potentially increased maintenance costs.

– This also makes it nearly impossible to draw direct correlations between API delivery and business outcomes.

– Mishandling of personally sensitive data leading to compliance penalties and increased reputation risk for the organization.

– Increased costs and delays of key initiatives due to people spending most of their time searching for and preparing data rather than performing valuable analysis for business insights.

How do you address providing security for APIs with sprawl making them so difficult to track? We’ll look at that in next week’s post.

Avatar photo

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.

sue-poremba has 271 posts and counting.See all posts by sue-poremba