APIs connect all the applications we use, and their ubiquity and ease of use make our world more interconnected every day. Their omnipresence creates API sprawl, which is the rapid growth in the number of APIs in an enterprise. API sprawl can result in shadow APIs, which are unmanaged APIs in use, and zombie APIs, which are old or deprecated APIs that are still accessible but no longer used for the purpose they were created for. Each of these can cause significant security issues, and both can be resolved by proper API discovery and inventory practices.
What is API Inventory?
API inventory is a comprehensive list or catalog of all APIs that an organization owns, uses, or exposes—internally and externally. A complete and up-to-date API inventory is foundational to proper security, governance, API lifecycle management, and a comprehensive API security program.
Why are Inventory Processes Necessary? Achieving API Discovery and Classification
API inventory is critical from the security and management perspectives. First and foremost, you cannot protect what you cannot see, making a complete list of APIs the first step in an API security initiative. A runtime inventory also drives API awareness for the respective business owners, which is essential because most organizations do not have clear visibility of what APIs are deployed and who owns them.
Organizations constantly battle API sprawl resulting from inorganic growth such as mergers and acquisitions and organic growth from the prevalence of a hybrid architecture, including on-premises, data centers, public clouds, private clouds and edge computing. Another reason for the rapid and unmanaged proliferation of APIs across an organization is the increasing usage of microservices infrastructure and the desire for accelerated release and deployment of software, which can lead to zombie APIs.
The Business Cost of Improper API Inventory Management
Improper API inventory management results in operational and security challenges. The proliferation of API endpoints spans not only multiple environments but also the various teams working across those environments. It also drives up development costs: imagine a scenario in which an API has been created for a specific process, but an inability to catalog it means its existence is lost, and developers create the same API again, resulting in shadow API proliferation.
The inability to develop and update your inventory means a lack of visibility into API configurations and traffic, and the potential for unreliable APIs due to API misconfiguration. Lack of inventory management leads to many undocumented APIs across the IT environment, many of them likely unsecured, making them easy targets for attackers seeking to commit fraud, abuse business logic, or disrupt the business.
Lack of API inventory can lead to real costs to the business:
- Unmanaged (shadow) or forgotten (zombie) APIs may have unmitigated vulnerabilities.
- Development effort is duplicated because of forgotten or “lost” APIs.
The OWASP API Security Top 10 specifically calls out these issues in API9:2023 – Improper Inventory Management.
Why Do Organizations Struggle to Build an API Inventory?
An extremely detailed, well-taxonomized inventory is critical for ensuring API security, governance and compliance, but establishing a clear roadmap for API inventory remains a challenge. Creating an API inventory manually becomes a massive challenge as many APIs are frequently modified or updated. Organizations that depend on passive inventory tools or scanners are trapped in a legacy approach to inventory management, resulting in an inaccurate picture of APIs from design to production and deployment.
APIs have long been owned and deployed by developers, often for internal use only, and with little to no security oversight. As APIs have become more integral to the business and are now deployed externally, the work of tracking and securing them continues to lag in many organizations, as evidenced by recent API-related security incidents.
What is the Right Approach for API Inventory?
The right approach to understanding the number of APIs spread across an organization should focus on three critical pillars: creation, deployment, and management. A complete inventory also includes internal, external, and third-party APIs.
How to Catalog and Build Your API Inventory
Creating an API inventory is not a difficult undertaking with the right tools, even for the largest enterprises, which may have tens of thousands of APIs. A tool such as Cequence API Security can perform all of the following tasks with minimal configuration.
- Discover APIs – it’s best to be able to discover APIs at runtime, by watching API traffic, as well as by crawling. This ensures complete coverage of the enterprise API landscape.
- Document APIs – ensure APIs have up-to-date specifications that document what the API does. In the event APIs are missing documentation, a solution like Cequence that can automatically create the specifications is ideal.
- Make the API Inventory Accessible – enabling the right staff to access the API inventory, mine its contents, and keep it up to date makes best use of the inventory.
- Keep the Inventory Up to Date – Regular API discovery, again through runtime discovery and crawling external domains, ensures the inventory remains current.
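As an added illustration of the runtime discovery and classification loop described in the steps above (example code, not Cequence's product code or part of the original post), the following Python compares constructed gateway access-log lines against a constructed inventory and buckets each observed endpoint as documented, shadow (path not in the inventory), zombie (deprecated in the inventory but still receiving traffic) or drift (path known, but called with a method the spec does not declare). The log format, inventory structure and endpoint paths are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed inventory: path template -> declared methods and lifecycle status.
INVENTORY = {
    "/v2/orders": {"methods": {"GET", "POST"}, "status": "active"},
    "/v2/orders/{id}": {"methods": {"GET"}, "status": "active"},
    "/v1/orders": {"methods": {"GET"}, "status": "deprecated"},
}

# Constructed access-log lines in a common-log-style format (assumed, not from the page).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /v2/orders/123 HTTP/1.1" 200',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "POST /v2/orders HTTP/1.1" 201',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "DELETE /v2/orders/123 HTTP/1.1" 204',
    '10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /v1/orders HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /internal/export HTTP/1.1" 200',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def match_template(path, inventory):
    """Return the inventory template matching `path` ({param} matches one segment), or None."""
    segs = path.split("?", 1)[0].strip("/").split("/")
    for template in inventory:
        tsegs = template.strip("/").split("/")
        if len(tsegs) == len(segs) and all(
            t.startswith("{") or t == s for t, s in zip(tsegs, segs)
        ):
            return template
    return None


def classify_traffic(log_lines, inventory):
    """Bucket each observed (method, endpoint) as documented, shadow, zombie or drift."""
    findings = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not request records
        method, path = m.group("method"), m.group("path")
        template = match_template(path, inventory)
        if template is None:
            findings["shadow"].add((method, path))  # traffic to an unknown endpoint
        elif inventory[template]["status"] == "deprecated":
            findings["zombie"].add((method, template))  # retired but still reachable
        elif method not in inventory[template]["methods"]:
            findings["drift"].add((method, template))  # behaviour beyond the spec
        else:
            findings["documented"].add((method, template))
    return dict(findings)
```

Run over real gateway logs and the organization's OpenAPI definitions, the shadow and zombie buckets are the candidates for the inventory review and deprecation work the steps above describe.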
Explore Unified API Protection with Cequence
Cequence enables users to perform regular API discovery to identify all existing APIs – internal, external, and third-party. The discovered APIs are inventoried for visibility, and Cequence can even automatically create API specifications for APIs where definitions are missing. Shadow and zombie APIs are identified, as well as those APIs whose functions have deviated from spec (API drift). The API inventory created with Cequence also enables a visualization of how traffic flows between APIs – the Flow Graph.
Proper API inventory management helps organizations harness the power of APIs while enabling security, governance, and compliance as part of a comprehensive API security program. Coupled with Cequence Bot Management, organizations can ensure protection and compliance for their entire API and application ecosystem.