In only a few weeks at BLST Security, the team piqued my interest in a particular buzzword, whether it was the Zombie API or the Shadow API. Heck, I had no clue what those were, so I started to research the term.
That search led me back to the early days...
Before we venture into the shadows of APIs, give our API security GitHub repo a ⭐ - https://github.com/blst-security/cherrybomb
In the early days of the web, only a few companies had APIs. Those that did, did so for internal use only. Today, APIs are how the internet works. They are how companies interact with each other and how developers access data.
There are now thousands of APIs across all industries, and the number is growing every day. The growth of APIs has been explosive, and it shows no signs of slowing down.
The reasons for this growth are many. First, APIs are now seen as an essential part of doing business on the internet. Companies that don't have an API are at a competitive disadvantage.
Second, the rise of mobile devices has led to a need for APIs that can be consumed from those devices. Much of the recent growth comes from companies reworking their APIs to serve mobile clients well.
Third, the rise of the cloud has made APIs more important than ever. Cloud-based services need APIs to function, and this has led to a boom in cloud-based APIs.
Fourth, the growth of the internet of things has created a need for APIs that can control and connect devices. This will be a major driver of API growth in the coming years.
Finally, the rise of artificial intelligence and machine learning has created a need for APIs that can provide access to data and services. This is a major growth area for APIs and one that is only getting started.
So what does the future hold for APIs? More growth, more innovation, and more competition. The API economy is booming, and it shows no signs of slowing down.
The birth of a shadow API
A shadow API comes into being as the needs of developers change: as the developer community's requirements shift, new features are added or old ones changed, and those additions are not always tracked.
There are a few dangers associated with shadow API use in an organization. First, shadow APIs can be used to bypass security controls and access sensitive data. This could lead to data leaks or theft. Second, shadow APIs can be used to circumvent governance controls, leading to uncontrolled data growth and sprawl. Finally, shadow APIs can be used to make applications depend on things that aren't well-managed, which can hurt performance and stability.
Shadow APIs are abused when developers use them to access sensitive data or perform actions that are not intended for the API. This can result in data leaks or security vulnerabilities.
Shadow API Abuse examples
Making unauthorized calls to another user's data
Manipulating or deleting data without proper permission
Using shadow API calls to distribute viruses or malware
Using shadow API calls to engage in denial of service attacks
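One defensive way to surface the shadow endpoints described above is to diff what an API gateway actually serves against what the OpenAPI spec documents. The script below is an added illustration, not BLST's tooling or code from this post; the spec fragment and access-log lines are constructed, and a request is flagged when no documented path template plus method covers it.

```python
import re

# Constructed minimal OpenAPI-style inventory: path template -> documented methods.
DOCUMENTED_SPEC = {
    "paths": {
        "/users/{id}": ["GET", "PUT"],
        "/orders": ["GET", "POST"],
        "/orders/{id}": ["GET"],
    }
}

# Constructed gateway access-log lines in the form: METHOD PATH STATUS
ACCESS_LOG = """\
GET /users/42 200
PUT /users/42 204
GET /orders?page=2 200
DELETE /orders/7 204
GET /internal/debug/dump 200
POST /v1/export 200
GET /users/42/payments 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def template_to_regex(template):
    """Turn an OpenAPI path template like /users/{id} into a regex where each
    {param} matches exactly one path segment (so /users/42/payments does not match)."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def find_shadow_endpoints(spec, log_text):
    """Return sorted (method, path) pairs seen in traffic that no documented
    template+method pair covers. Query strings are stripped before matching.
    A documented path hit with an undocumented method is reported too."""
    compiled = [(template_to_regex(p), {m.upper() for m in methods})
                for p, methods in spec["paths"].items()]
    shadow = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not look like a request record
        method, path = m.group("method"), m.group("path").split("?", 1)[0]
        covered = any(rx.match(path) and method in methods for rx, methods in compiled)
        if not covered:
            shadow.add((method, path))
    return sorted(shadow)


if __name__ == "__main__":
    for method, path in find_shadow_endpoints(DOCUMENTED_SPEC, ACCESS_LOG):
        print(f"undocumented: {method} {path}")
```

Results are keyed by concrete path, so the same shadow route will appear once per distinct ID seen in traffic; collapse them further if the output gets noisy.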
You can go even deeper into shadow APIs on APImike.com, which has a good article about the term.
After you read all about shadow APIs and even rogue APIs, you're welcome to test our OAS scanner over at https://blstsecurity.com and find all your shadow APIs, zombies, etc. 🧟
Top comments (2)
Great post, I have something I want to build very similar to what you have and I call it the Shadow Medusa. It runs on the theory that you run your code but it mirrors the actual code in view - let's say in GitHub. Now if anything changes between the code you run and the view code on GitHub, then your application gives out a warning. Remember, view would run slightly faster than your application. Just an idea.
Great post!