Yet, while APIs are essential for supporting communication between apps, they’re also one of the most targetable parts of the attack surface.
According to Noname Security, the average organization has 15,564 APIs in its environment. This number is so high that most organizations don’t have visibility over these components, which leaves them open to exploitation by threat actors.
The same study revealed that 54% of organizations name outdated/zombie APIs as their top concern. These concerns aren’t just theoretical either, with 41% of enterprises experiencing an API breach in 2022.
A year prior, one of the most high-profile examples of an API-related breach occurred when hackers exploited a Twitter API vulnerability to gain access to the data of over 5 million users.
But what makes zombie APIs such a big threat?
How Zombie APIs Come Back to Haunt Enterprises
Zombie APIs are APIs that have been deployed to an environment but are no longer in use or no longer being maintained. Threat actors can thus target zombie APIs as a backdoor to gain access to sensitive data assets.
Part of the reason for the concern over zombie APIs is that there are too many APIs in modern cloud environments for security teams to keep track of. In practice, this means that organizations are in the dark about their exposure to threat actors.
“Because of their forgotten nature, zombie APIs are not included in regular testing, patching or security updating, which leads to an increased attack surface area,” CSO and co-founder of StackHawk, Scott Gerlach, told Techopedia.
Gerlach notes that increased migration to the cloud has led to an increase in APIs, which many organizations aren’t security testing, essentially leaving new vulnerabilities for threat actors to exploit.
This is even more problematic when you consider that many APIs have direct data access, so if they are compromised, they can expose massive amounts of data.
“The technical debt associated with these APIs can unknowingly be linked to other parts of critical systems, which can cause other operating complexities and risk to the stability of newer systems.”
So unless an organization invests in tools to automatically discover APIs, it won’t know what APIs exist in its environment or be able to take action to maintain them.
Addressing Zombie APIs
At a high level, one way organizations can address zombie APIs is by running automated scans with an API vulnerability scanner, which can discover APIs and build an inventory of them. Creating an inventory of APIs gives security teams a better understanding of their security posture.
However, Gerlach suggests that the key solution to mitigating the risks presented by zombie APIs is communication.
“To minimize risk from zombie APIs and other API-related threats, organizations need to encourage and practice open lines of communication with developers and security teams.
“Both sides of API security need to understand that they share the responsibility of documenting and deprecating software that’s no longer in use. Without proper and constant communication between developers and security teams, zombie APIs can remain active and unknown, leaving organizations’ infrastructure vulnerable.”
This highlights that both software developers and security teams have a role in defining whether an API is necessary for an organization’s operations or needs to be closed down to eliminate potential vulnerabilities.
Other steps, like using self-documenting code, which documents all APIs, can provide a framework for testing and remediating bugs and vulnerabilities throughout the environment.
Zombie APIs pose significant risks, but organizations that invest time and money into inventorying APIs can drastically decrease the likelihood of falling victim to a data breach.
By creating an inventory of APIs, security teams and developers can start to identify components that aren’t necessary and take action to remove them.
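The inventory-driven approach described in the "Addressing Zombie APIs" section above and in the closing paragraph can be made concrete by reconciling three sources: the routes a discovery scan actually finds on the gateway, the OpenAPI document developers maintain, and the gateway's access log. A route that is deployed but absent from the spec and has had no traffic for months is exactly the forgotten component the article describes. The following Python script is an added example, not code from the article, Techopedia, StackHawk or Noname Security; the route list, OpenAPI fragment, log lines and reference date are all constructed sample data, and the 90-day staleness window is an assumed policy value.

```python
"""Added example: reconcile deployed API routes with documentation and traffic to flag zombie candidates."""
import json
import re
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible offline (constructed, not a real audit date).
REFERENCE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)

# Constructed sample: routes an automated discovery scan found registered on the gateway.
DEPLOYED_ROUTES = [
    {"method": "GET", "path": "/v2/users/{id}", "owner": "identity-team"},
    {"method": "GET", "path": "/v1/users/{id}", "owner": None},   # old version, no team claims it
    {"method": "POST", "path": "/v1/export", "owner": None},
    {"method": "GET", "path": "/v2/orders", "owner": "commerce-team"},
]

# Constructed sample: the OpenAPI document developers maintain; only paths and methods matter here.
OPENAPI_DOC = {"paths": {"/v2/users/{id}": {"get": {}}, "/v2/orders": {"get": {}}}}

# Constructed sample: gateway access log, one JSON object per line.
ACCESS_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "method": "GET", "path": "/v2/users/42", "status": 200}
{"ts": "2024-05-01T10:00:05Z", "method": "GET", "path": "/v2/orders", "status": 200}
{"ts": "2023-11-15T08:12:00Z", "method": "GET", "path": "/v1/users/7", "status": 200}
{"ts": "2024-04-30T23:59:00Z", "method": "POST", "path": "/v1/export", "status": 200}
"""


def _template_to_regex(path_template):
    """Turn an OpenAPI-style path template like /v1/users/{id} into a regex matching concrete paths."""
    parts = []
    for seg in path_template.strip("/").split("/"):
        parts.append("[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def _documented_operations(spec):
    """Set of (METHOD, path) pairs declared in the OpenAPI document."""
    return {(method.upper(), path) for path, ops in spec.get("paths", {}).items() for method in ops}


def _last_seen(routes, log_text):
    """Map 'METHOD path' to the newest log timestamp that hit it (None if never called)."""
    matchers = [(r, _template_to_regex(r["path"])) for r in routes]
    seen = {f"{r['method']} {r['path']}": None for r in routes}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        ts = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
        for route, rx in matchers:
            if entry["method"] == route["method"] and rx.match(entry["path"]):
                key = f"{route['method']} {route['path']}"
                if seen[key] is None or ts > seen[key]:
                    seen[key] = ts
    return seen


def audit(routes, spec, log_text, now=REFERENCE_NOW, stale_after_days=90):
    """Return {'METHOD path': sorted list of flags} for every deployed route.

    Flags: 'undocumented' (not in the spec), 'stale' (no traffic within the window),
    'never_called' (no traffic at all in the log), 'unowned' (no team recorded).
    An empty list means the route is documented, owned and recently used.
    """
    documented = _documented_operations(spec)
    last_seen = _last_seen(routes, log_text)
    cutoff = now - timedelta(days=stale_after_days)
    report = {}
    for r in routes:
        key = f"{r['method']} {r['path']}"
        flags = []
        if (r["method"], r["path"]) not in documented:
            flags.append("undocumented")
        if last_seen[key] is None:
            flags.append("never_called")
        elif last_seen[key] < cutoff:
            flags.append("stale")
        if not r.get("owner"):
            flags.append("unowned")
        report[key] = sorted(flags)
    return report


def zombie_candidates(report):
    """Routes that are both undocumented and without recent traffic: the strongest zombie signal."""
    return sorted(k for k, flags in report.items()
                  if "undocumented" in flags and ("stale" in flags or "never_called" in flags))


if __name__ == "__main__":
    result = audit(DEPLOYED_ROUTES, OPENAPI_DOC, ACCESS_LOG)
    for route, flags in result.items():
        print(f"{route:28} {', '.join(flags) or 'ok'}")
    print("zombie candidates:", zombie_candidates(result))
```

In the sample data, `GET /v1/users/{id}` comes out as the zombie candidate: it is deployed, missing from the spec, unowned and last called in November. `POST /v1/export` is still receiving traffic, so it is not a zombie, but the `undocumented` and `unowned` flags are the cue for the developer/security conversation Gerlach describes: someone has to claim it and document it, or schedule its deprecation. The separate flags matter because each one calls for a different follow-up, and a documented route that only turns up as `stale` is a deprecation candidate rather than a security finding.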