Surviving the API apocalypse: How to defeat zombie APIs

Lurking in the shadowy corners of your environment, zombie APIs can bring unnecessary risk by providing attackers with unseen and untested points of entry. Baking anti-zombie practices into your AppSec strategy is no longer a nice-to-have but a requirement if you want to keep a lid on the risks and headaches that forgotten APIs can bring.

Surviving the API apocalypse: How to defeat zombie APIs

In the world of software development, application programming interfaces (APIs) are everywhere. Whether you’re building microservice-based applications or maintaining monolithic architectures, chances are you have services running and you’re exposing and calling their associated APIs in the background. They’re a critical part of software development and nearly two-thirds of developers spend more than 10 hours every week working with APIs – with 32% spending over 20 hours a week

Because APIs are aplenty in web application development and functionality, they’re a prime target for attackers. Palo Alto’s latest report on API security, Securing the API Attack Surface, found that just 25% of respondents accurately inventory API usages, and 28% lack visibility and control around security during the development of APIs. 

Throwing yet another wrench into the mix, many organizations are plagued by so-called zombie APIs – endpoints or entire APIs that have been forgotten or overlooked, usually after they became outdated. Sitting there unmaintained and exposed to the world without updates, patches, or security testing, such lurking APIs carry significant security risks. And similar to the zombies we see on TV, these forgotten friends-turned-foes can be a serious pain for your DevSecOps teams.

How zombie and shadow APIs bring a plague of risk to your security strategy

Zombie APIs are often discussed alongside shadow APIs. While both can lead to similar security headaches, shadow APIs are actively used and often even developed – except they live outside the organization’s best practices and governance. Shadow APIs are often discovered alongside zombie APIs when organizations work to cover more of their attack surface and discover otherwise unknown assets. Together with rogue APIs, they form the unholy trinity of API security:

Shadow APIZombie APIRogue API
Any undocumented and unmonitored API used in your applications (including untracked use of a third-party API)Any unmaintained and untracked API that is still accessible in production (often an old version)Any API that provides unauthorized access to data or operations (created with malicious intent or caused by security flaws)

All these types of surprise APIs present a common problem that organizations need to keep an eye on. As more businesses incorporate more APIs into their environments, they can inadvertently contribute to API sprawl that risks leaving behind zombie APIs – and also shadow APIs, if they don’t enforce watertight API inventory procedures. 

The move toward API-first application architectures and the rapid pace of API creation means the sprawl will only worsen for some organizations. Neglecting to maintain and secure APIs can lead to some serious consequences if threat actors get your endpoints in their sights. For example, cybercriminals might use your APIs to:

  • Exploit more serious vulnerabilities and gain deeper access to an application.
  • Steal sensitive data and use that information to execute other attacks, like phishing.
  • Execute full-scale attacks on related services and applications to disrupt service.
  • Gain entry to unauthorized administrative areas of a website or application.

An attack resulting from subpar API security can lead to critical data exposure, financial loss, and lasting damage to customer trust. Fortunately, there are best practices and tools that organizations can implement within their own security strategies to ensure they’re catching those zombie APIs before they snowball into a security apocalypse.

Defeating zombie APIs before the plague can spread 

When it comes to securing your APIs and API endpoints, it’s important that you first change your mindset around APIs and understand that they’re a critical part of your security posture. If you don’t know how many APIs you have, what endpoints they provide, and what the status is for each one, you can’t possibly understand your full threat exposure and all of the risks you’re facing. You can avoid creeping APIs by putting your best foot forward on asset discovery and management while also running regular and consistent scans for deeper intelligence on your environment. 

Follow security best practices around discovery and complete coverage. It’s critical that as APIs try to sprawl across your digital landscape, you’re staying on top of where everything lives and how secure each asset is: 

  • Use web asset discovery to find everything you have out in the wild, keeping a running inventory of all your applications and the APIs they expose.
  • Conduct regular reviews and audits of your security tools, configurations, and workflows to spot areas for improvement. 
  • Document everything related to APIs, from development to maintenance to security testing, and ensure DevSecOps teams have access to the documentation.

Build security into the software development lifecycle with a focus on APIs. When you ensure that security is a routine part of your development workflow, you can catch more issues before they reach production: 

  • Use dynamic application security testing (DAST) to cover your entire attack surface (including APIs) regardless of technology or availability of source code.
  • Build agile security into the coding process so that scanning in development and production becomes a standard procedure. 
  • Select security tools that cover all major API types and definitions with accurate and automatic authentication. 

With a thoughtful and efficient combination of the right tools and best practices, zombie APIs don’t have to sneak up on you in the dark. When API security becomes a routine and automated part of your AppSec program, undead endpoints don’t get a look in anymore – and your development projects don’t have to put the brakes on innovation to let security catch up.

Watch our on-demand webinar API Security Decoded: Insights into Emerging Trends and Effective AppSec Strategies to learn more.

Meaghan McBee

About the Author

Meaghan McBee - Senior Marketing Content Writer

Meaghan is a Senior Marketing Content Writer at Invicti with over a decade of experience creating written content in the tech industry. At Invicti, she leverages the voices of our subject matter experts and insights from industry research to deliver news, thought leadership, and product information to the masses.