In the API world, there's a buzz around a mysterious term: Shadow APIs. These hidden APIs are undocumented or unofficial application programming interfaces (APIs) within web services. While the visible web is like the tip of an iceberg, Shadow APIs are the hidden bulk beneath.
Why Do They Matter?
Shadow APIs are crucial because they drive innovation and interoperability. Developers use them to create unofficial integrations and features, enhancing user experiences and enabling automation. But their use raises ethical concerns, as they can skirt privacy and security boundaries. The term "Shadow API" extends from unofficial or undocumented APIs to official APIs that are hidden or even forgotten due to the growth of microservices.
(For more on the growing problem of shadow APIs, check this article.)
According to research, in the latter part of 2022 a staggering 45 billion shadow API search queries were initiated, a jaw-dropping 900% surge compared to the mere 5 billion attempts seen in the first half of the year.
In the new OWASP API Security Top 10, a new category appears: API9, Improper Inventory Management.
According to OWASP, maintaining a comprehensive inventory of hosts and deployed API versions is crucial for addressing concerns like deprecated API versions and the inadvertent exposure of debug endpoints or shadow APIs.
Shadow APIs pose a unique challenge for every organization, as they can be hard to detect and trace, potentially compromising data security and privacy.
Some tips to reduce improper inventory management
Inventory and Documentation: Keep an up-to-date inventory of your APIs and document each of them.
Educate and Raise Awareness: Educate your teams about the importance of using official, documented APIs whenever possible.
Establish API Governance: Implement a clear API governance framework.
Management and Discovery:
Blst can assist you in managing all your APIs, including shadow ones. Its API Security Platform offers a single, comprehensive view of your data sources, both on-premise and in the cloud. It can monitor load balancers, API gateways, and web application firewalls, helping you discover and categorize various types of APIs, such as HTTP, RESTful, GraphQL, SOAP, XML-RPC, JSON-RPC, and gRPC.
Secure Official APIs: Prioritize the security of official APIs by implementing proper authentication, authorization, encryption, and access controls. Make official APIs more attractive and functional to discourage the use of shadow alternatives.
Review Third-Party Integrations: Examine third-party integrations and vendor relationships. Ensure that external partners and vendors are using official APIs and following security best practices. Refer to OWASP for more info.
Regular Audits and Assessments: Conduct regular audits and security assessments of your API ecosystem, including both official and shadow APIs. Identify vulnerabilities and address them promptly.
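As an added illustration of the inventory, discovery and audit tips above (example code written for this post, not Blst's platform or anything from the original article), the script below compares the endpoints seen in constructed API-gateway access-log lines against a hypothetical documented inventory and flags undocumented (shadow) paths and calls to deprecated API versions:

```python
import re
from collections import defaultdict

# Constructed sample: (method, path template) pairs from a hypothetical OpenAPI inventory.
DOCUMENTED = {
    ("GET", "/v2/users/{id}"),
    ("POST", "/v2/orders"),
}
# Constructed sample: version prefixes the inventory marks as retired.
DEPRECATED_VERSIONS = {"v1"}

# Constructed sample gateway access-log lines (combined-log-like format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2023:10:01:02 +0000] "GET /v2/users/123 HTTP/1.1" 200 512
10.0.0.6 - - [12/Oct/2023:10:01:03 +0000] "POST /v2/orders HTTP/1.1" 201 88
10.0.0.7 - - [12/Oct/2023:10:01:04 +0000] "GET /v1/users/123 HTTP/1.1" 200 500
10.0.0.8 - - [12/Oct/2023:10:01:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.9 - - [12/Oct/2023:10:01:06 +0000] "GET /v2/users/456?verbose=1 HTTP/1.1" 200 515
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize(path):
    """Strip the query string and collapse numeric path segments to {id}
    so that concrete requests can be matched against inventory templates."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def classify(method, template):
    """Label a (method, template) pair as documented, deprecated-version or shadow."""
    if (method, template) in DOCUMENTED:
        return "documented"
    first_segment = template.split("/")[1] if "/" in template else ""
    if first_segment in DEPRECATED_VERSIONS:
        return "deprecated-version"
    return "shadow"


def audit(log_text):
    """Return {category: sorted list of unique (method, template)} observed in the log."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # skip lines that do not carry a request line
        template = normalize(match.group("path"))
        findings[classify(match.group("method"), template)].add((match.group("method"), template))
    return {category: sorted(pairs) for category, pairs in findings.items()}
```

Anything reported under "shadow" or "deprecated-version" is a candidate for the inventory review and audit steps described above.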
Shadow APIs offer a glimpse into the web's hidden power. They represent both innovation and ethical dilemmas, making responsible exploration essential in this digital frontier.
If you are interested in hearing more about the subject, join our webinar.
Register at the link below 👇
https://blstsecurity.com/how-to-discover-your-hidden-apis-webinar
Top comments (3)
I'm new to this so I'm going to ask this if it makes sense
Hello, I recommend not using shadow APIs, or reducing the usage of them; this also works with different environments.
understandable 🤝