From Zombie to Rogue to Shadow APIs: How to Reduce API Security Risks

PUBLISHED ON October 27, 2021
LAST UPDATED January 13, 2022

With Halloween on the horizon, it seems like a good time to talk about modern applications’ version of the undead and unseen — namely zombie and shadow APIs. While APIs have quickly become the de facto building blocks of applications, they also introduce a sprawling attack surface with new and unique risks. Zombie and shadow APIs are prime examples that can quickly undercut the security of an application. So, let’s take a closer look to see exactly what they are and what security teams can do to address them. 

The Proliferation of APIs 

To understand why shadow and zombie APIs have become such a big deal, we need to understand the incredible growth of APIs in general over the past several years. APIs became central to the way that applications work beginning in the early 2000s, and their growth accelerated with the shift to cloud infrastructure. A recent survey found that 71% of organizations plan to use more internal and external APIs this year. Additionally, organizations have a LOT of APIs, with 40% of organizations having 250 or more APIs. APIs have transformed from a garnish to the main course of application development, and the signs are evident everywhere you look.

So, what is making APIs so popular? Well, there are a variety of factors at play. APIs provide developers with a fast, highly modular way to add capabilities to their applications. Developers can also integrate existing best-of-breed functionality without needing to reinvent the wheel. For example, developers could integrate existing mapping services instead of having to develop their own. Probably most importantly, APIs provide an adaptive way to work with mobile devices and cloud applications, while enabling enterprise digital transformations. Quite simply, APIs are central not only to the way applications are developed, but they have also become central to scaling business strategy. 

Shadow, Zombie, and Rogue APIs … oh my

APIs are undeniably valuable, but they also come with their own risks. In fact, some of their most beneficial traits can be the source of unexpected API security problems. Shadow and zombie APIs are two important cases in point that application and security teams need to be aware of. 

What are shadow APIs? (aka rogue APIs) 

Rogue or shadow APIs are APIs that exist outside of an organization’s official security and operational maintenance processes. There are countless scenarios that can lead to a rogue API. For example, a developer may need to quickly stand up an API to resolve an immediate problem or maybe to develop a proof of concept for a larger project. Regardless of the motivation, the lure of quickly deploying a new API endpoint makes it easy for developers to get their work done in the moment and worry about security and maintenance later.  

In many ways, this is the AppSec and DevOps version of the shadow IT problem and brings with it many of the same risks. Security teams can’t defend assets that they don’t know about, and shadow APIs will not receive the appropriate security testing, monitoring and protection. Likewise, a newly or quickly deployed API endpoint may not be properly secured and hardened. As with any new code, the API may have vulnerabilities or misconfigurations that can leave the door open to attackers, who constantly scour applications and APIs for new or vulnerable endpoints.  

What are zombie APIs? 

Zombie APIs are the APIs that time forgot. These are APIs that were previously valid and approved but were eventually abandoned or replaced by newer versions, left to be “swept under the rug.” Unfortunately, organizations are often focused on building the next great piece of code, and may lose focus when it comes to sunsetting and deprecating their old APIs. If these APIs aren’t properly removed, they can leave organizations with outdated, vulnerable points that attackers can exploit to wreak havoc. 

Zombie APIs can also creep into an organization due to the key role they play in supporting and integrating with other applications. Partners may build applications that rely on a particular API, or organizations may need to maintain an outdated API in order to support legacy versions of an application. Over time, organizations may be hesitant to remove an API simply due to the fear of what it might break, ultimately leaving them with a vast attack surface.

However, these APIs quickly fall out of sight and out of mind for development and security teams. They can linger within an application, and without ongoing maintenance and patching, can leave the app at risk of attack.

Delivering Protection Against Zombie and Shadow APIs 

Even in the best cases, APIs need strong protection built for their unique needs and threat profiles. ThreatX gives security teams the tools and technology to protect all their applications and APIs, including the ability to find and protect any zombie or shadow APIs. This includes the following key capabilities: 

  • API Profiling and Discovery: ThreatX automatically discovers active API endpoints and profiles the tech stack and responses seen from given endpoints to indicate operational health. This ensures security teams can find and appropriately protect APIs even as developers roll out new APIs on the fly, automatically finding shadow APIs that have been deployed and zombie APIs that need to be deprecated.
  • Native Decoding and Threat Prevention: ThreatX natively decodes and analyzes API traffic such as JSON and XML in order to identify any threats hidden within. This ensures teams can block injection attacks and other threats and exploits in the same way they do on the web front-end.
  • Logic Aware: ThreatX can identify a variety of ways that attackers or bots may try to abuse exposed application or business logic. For example, ThreatX can identify if an entity is hitting password reset functionality without having visited the login page. Likewise, the solution can identify a spike in resource-intensive requests or an entity constantly refreshing inventory functionality, which could be a sign of an automated attack. 
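The discovery idea in the first bullet, reconciling what is actually receiving traffic against what the API team believes exists, is simple enough to sketch in a few dozen lines. The example below is added here for illustration and is not ThreatX code; it assumes a hand-maintained inventory keyed as "METHOD /path/template" with OpenAPI-style {param} segments, access logs in the common combined-log format, and uses constructed endpoints, IPs and log lines. Observed endpoints that match no inventory entry are reported as shadow candidates, deprecated entries that still receive traffic are reported as zombies, and inventory entries that saw no traffic at all are listed as idle so a team can decide whether they are next in line for sunsetting.

```python
import re
from collections import defaultdict

# Constructed inventory of what the API team believes is deployed, keyed as
# "METHOD /path/template" with OpenAPI-style {param} segments. The endpoints
# are hypothetical placeholders, not from any real service.
INVENTORY = {
    "GET /api/v2/users/{id}": {"deprecated": False},
    "POST /api/v2/orders": {"deprecated": False},
    "GET /api/v1/users/{id}": {"deprecated": True},  # replaced by v2, should see no traffic
}

# Constructed access-log sample (Apache/NGINX combined-log style); the IPs,
# paths and user agents are made up for this example.
ACCESS_LOG = """\
10.0.0.5 - - [27/Oct/2021:10:00:01 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Oct/2021:10:00:02 +0000] "POST /api/v2/orders HTTP/1.1" 201 88 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2021:10:00:03 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 490 "-" "python-requests/2.25"
10.0.0.9 - - [27/Oct/2021:10:00:04 +0000] "GET /internal/debug/export?all=1 HTTP/1.1" 200 20480 "-" "curl/7.68"
10.0.0.9 - - [27/Oct/2021:10:00:05 +0000] "GET /internal/debug/export HTTP/1.1" 500 130 "-" "curl/7.68"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def template_to_regex(template):
    """Turn "GET /api/v2/users/{id}" into (method, regex matching concrete paths)."""
    method, path = template.split(" ", 1)
    parts = []
    for seg in path.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append(r"[^/]+" if is_param else re.escape(seg))
    return method, re.compile("^/" + "/".join(parts) + "/?$")


def parse_log(text):
    """Yield (method, path, status) per parseable line; query strings are dropped
    so that /export?all=1 and /export collapse onto the same endpoint."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["method"], m["path"].split("?", 1)[0], int(m["status"])


def reconcile(inventory, log_text):
    """Classify observed endpoints as expected, zombie (documented but deprecated,
    yet still receiving traffic) or shadow (traffic to nothing in the inventory),
    and list idle inventory entries that saw no traffic at all."""
    compiled = [(tmpl, *template_to_regex(tmpl)) for tmpl in inventory]
    observed = defaultdict(lambda: {"hits": 0, "statuses": defaultdict(int)})

    for method, path, status in parse_log(log_text):
        key = next(
            (tmpl for tmpl, m, rx in compiled if m == method and rx.match(path)),
            f"{method} {path}",  # nothing matched: keep the raw path as a shadow candidate
        )
        observed[key]["hits"] += 1
        observed[key]["statuses"][status] += 1

    report = {"expected": {}, "zombie": {}, "shadow": {}, "idle": []}
    for key, entry in observed.items():
        stats = {"hits": entry["hits"], "statuses": dict(entry["statuses"])}
        if key not in inventory:
            report["shadow"][key] = stats
        elif inventory[key]["deprecated"]:
            report["zombie"][key] = stats
        else:
            report["expected"][key] = stats
    report["idle"] = sorted(k for k in inventory if k not in observed)
    return report


if __name__ == "__main__":
    for bucket, entries in reconcile(INVENTORY, ACCESS_LOG).items():
        print(bucket, entries)
```

Run against the sample, the report puts the two v2 endpoints under "expected", the v1 user lookup under "zombie" because it is marked deprecated yet still answers with a 200, and the undocumented debug export under "shadow" with its 200/500 status mix, which is the kind of response profile worth a closer look. In practice the inventory would come from the published OpenAPI documents and the log text from the gateway or load balancer, and the status breakdown per endpoint is what lets a team tell a quietly abandoned version apart from one that partners still depend on.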

These core capabilities ensure that organizations can shine light on the unseen and undead APIs to keep attackers from going bump in the night. If you would like to learn more about how ThreatX can protect your API infrastructure and simplify your security, please request a demo. Be safe and have a happy Halloween!


About the Author

Sydney Coffaro

Experienced subject-matter expert focused on cybersecurity automation, incident response, APIs, and application security with a demonstrated history of working in fast-paced early stage startups. Sydney is a certified product manager, Scrum Master, and has led technical sales initiatives for go to customer teams that resulted in the acquisition of hundreds of customers.