How to Reduce API Sprawl with API Discovery
If you’re a security professional, then you’re likely familiar with the concept of sprawl. Anytime the proliferation of a would-be attack vector gets out of control, you’re dealing with sprawl: from permissions to passwords.
It’s not unlike the 1980s movie, Gremlins. Sure you might start with a cute little fuzzball, but as the story progresses, you start to realize that you’re surrounded by a crowd of problematic creatures screeching and breaking stuff.
Movie tropes aside, there’s a sprawl that many organizations aren’t familiar with – and it’s becoming a popular attack vector: API sprawl.
Managing gremlins (or API sprawl)
For every application you build, every workload you migrate in the cloud, and every tool your employees use to collaborate, there are APIs behind the scenes exchanging data. And the pace of innovation is causing your APIs to go into full gremlin mode.
API sprawl is a common problem for organizations that have multiple development teams and a wide variety of applications and services. As more innovation is demanded, more APIs are created, and it becomes increasingly difficult to keep track of them, how they’re being used, and what types of data they return when called.
API sprawl can lead to inefficiencies in development, increased costs, performance issues, and wasted resources. It can also lead to confusion about the purpose and usage of certain APIs, making it difficult for developers to find APIs for their needs or understand how they interact with one another. As businesses become more dependent on APIs, it’s important to understand how API sprawl occurs and how it can be prevented or managed effectively.
In this blog post, we’ll discuss how API sprawl happens and what organizations can do to prevent it from occurring. Understanding these strategies can help you better manage your APIs and ensure that your applications remain efficient and maintainable for years to come.
How API sprawl occurs
API sprawl can happen for a variety of reasons, such as poor API management, lack of governance, lack of visibility into the existing APIs, and inadequate documentation. Without proper governance and visibility, organizations can find themselves with too many APIs that aren’t being used or properly managed.
Employee attrition also contributes a great deal to dormant, shadow, and zombie APIs. Consider the rate at which developers come and go within organizations – what are the chances that they’ll have time to transfer their knowledge or finish projects before the last day at work?. Even developers with the best intentions will overlook things during their handoff.
What’s more, APIs that have been “inherited” as a result of a merger or acquisition are frequently forgotten. During the challenging and complicated task of systems integration, inventories are sometimes lost (or possibly didn’t exist in the first place). If the acquired company’s APIs are poorly documented, then the company can face significant risks – risk of the unknown, for example.
Often, an older version of an API with inferior security or a known vulnerability is left intact. While software is being upgraded, an older version might need to coexist with a newer one for a period of time. At the same time, the person tasked with proper versioning and deactivating the API may quit the company, be given a new assignment, or forget to remove the previous version.
Consequences of API sprawl
On the security side, API sprawl creates more opportunities for malicious actors to exploit vulnerabilities if an organization’s APIs are not properly secured and configured. When APIs proliferate to the point of no controls, organizations lose visibility into how applications, systems, and resources like sensitive data are interconnected — impeding informed decision-making about their architecture and infrastructure. It’s nearly impossible to monitor API usage without an accurate picture of how many APIs you have.
And you cannot secure what you cannot see.
In terms of business impact, API sprawl can lead to a decrease in performance. Adding and maintaining multiple APIs increases the complexity of managing them, resulting in slower response times and higher latency when making requests. In addition, API sprawl can increase costs as organizations have to invest more resources into managing APIs.
What is API discovery and how does it reduce API sprawl?
API discovery is a process and set of capabilities that help organizations identify, catalog, and manage, and gauge risk among their APIs. Carried out properly, API discovery can help reduce API sprawl and improve security posture.
API discovery also helps organizations better understand their current API landscape and make informed decisions about future development. Furthermore, it makes it easier to monitor and control access to these APIs, ensuring that only authorized users can access them.
Why manual API discovery is not an option
Manually performing an API audit could take up to 40 hours per API to accurately document all the required inputs. Also, it can take a lot more time to investigate the occurrence, assess the damage, take corrective action, and perform root cause investigation.
Security teams with overstretched resources can benefit from using automated procedures to discover every API in use to safeguard their API estate. It’s crucial to find and inventory every API across all your digital activities, which includes APIs and API domains that aren’t controlled by an API gateway.
How Akamai can help you de-sprawl your API estate
As we near the end of this blog post, it’s worth pausing for a moment to look around… have your API gremlins proliferated even further while you were reading?
API sprawl can get pretty intense. The better question to ask is: Are you looking to improve your organization’s capabilities for API discovery? If the answer is yes, we’d like to help you.
Akamai API Security is designed to help you maintain an accurate inventory of all your APIs, including elusive shadow APIs. Here are a few capabilities that can help you reduce risk and increase confidence in your API inventory:
Our discovery module enables security teams to gain full visibility from myriad data sources across on-prem and cloud environments through a streamlined user experience.
Akamai API Security can scale to hundreds or thousands of pieces of infrastructure, monitoring load balancers, APIs gateways, and web application firewalls to help you locate and catalog every type of API, including HTTP, RESTful, GraphQL, SOAP, XML-RPC, JSON-RPC, and gRPC.
Our data classification capabilities monitor API traffic and provide visibility into the types of data that traverse your APIs — so you can quickly see how many APIs are able to access credit card data, phone numbers, Social Security numbers, and other sensitive data.