The largest attack vector in most organizations is unmanaged, unsecured APIs. The ones you do not know about today. The ones not in your inventory of API assets. Whether you call them zombies, shadow APIs, or legacy assets, the race is on for you to discover and remediate these before the hackers do.
Today, Amplify offers a new tool in your battle against the lost APIs.
Understanding lost APIs
Shadow APIs, Zombie APIs, and Legacy APIs are slightly different concepts, but they all represent outdated or unauthorized elements within an organization’s API ecosystem. Here’s a quick overview to better understand these lost APIs:
A zombie API is an API that is outdated, no longer supported, or has been deprecated but is still in use by some systems or applications. It’s called “zombie” because, like a zombie in popular culture, it’s technically dead but still somehow wandering around causing trouble.
You may have also heard the term shadow APIs. The main difference with zombie APIs is that shadow APIs are actively being used – they’re just not well-known, cataloged, or managed by the enterprise. These APIs are often developed by individual teams or departments to address specific needs but may lack documentation, security measures, or proper integration with existing systems.
Zombie APIs are typically deprecated but haven’t properly been put to rest.
Legacy APIs, meanwhile, are APIs that have been officially deprecated or superseded by newer versions or alternative solutions – but they are still in use by some applications or systems.
All these lost APIs might lack updates, bug fixes, or security patches, posing potential risks to systems that continue to rely on them. They can also create compatibility issues and hinder the development of newer, more efficient solutions.
Find all your APIs
Axway’s Amplify Platform offers a single governance plane for all APIs across your organization, providing a single source of truth regarding your digital assets. They can be deployed directly on top of gateways or from central places within network segments that allow access to gateways or systems that communicate via APIs.
Learn more about Amplify Agents and how they enable federated API management.
The Amplify Graylog agent enables integration of Graylog’s API Security product with Amplify. Security monitoring tools like Graylog’s can give you an accurate readout of all API calls on your network.
The problem is: which are valid calls, and which are coming from unmanaged APIs?
By integrating Graylog’s traffic with Amplify’s known list of all API assets, you can quickly identify and prioritize the zombies APIs that are still active on your network.
No API left behind: remediate lost APIs
Once you find the zombies, shadow, or legacy APIs, you need to prioritize for remediation.
Target the ones that offer the highest risk because of the information they expose, or the volume of traffic they are driving. Find the team who created and/or are hosting the API and educate them to the risk and your security policy to deal with it.
This typically involves placing it behind an API gateway with encryption, authentication, and authorization (Amplify can provide this gateway if needed).
Next up is to integrate it with Amplify’s multi-step security protection.
Create one registry for all your API assets
There needs to be one place where all your APIs are governed. This is the master catalog or registry of assets — an API marketplace.
You might decide not to advertise them, but you need to track and manage them. Amplify Marketplace gives you this one place.
Discovery of assets is automated by lightweight agents (like the new Graylog agent) that sit alongside your gateways, platforms, and repositories and discover all API assets. You can then decide which to productize and publish to a specific audience.
This provides developers with one place to discover, subscribe to and track usage for all APIs, regardless of what team built them, what vendor hosts them, or what security policies are in effect.
See also: Top seven reasons your API developer portal is failing
Check against your security policy
Amplify also enables you to check discovered APIs against your security policies (you do have security policies… right?) where they will be graded and provide explanations as to what needs to be corrected for a higher grade.
This capability is known as linting, and it automates the identification of problems without manual intervention. Amplify uses the open source Spectral linting capabilities provided by Stoplight to drive this service.
See also: Hands-on with Spectral: Using API linting for better API design and API governance
Automate the API deployment process
Don’t depend on API developers alone for security (one of the leading causes of zombies in the first place). Automate as much of the process as possible.
With CI/CD pipelines, you can automate the discovery, cataloging, and linting checking of your APIs as a part of the standard deployment process.
This can be accomplished regardless of whether you are using Amplify gateways or cloud gateways like AWS and Azure. This helps ensure you stop the creation of new zombie APIs.
Repeat
Regardless of how good your tools, processes, and policies are, there will still be teams that create the one-off API that is just needed for a deadline or for testing that becomes a legacy API. You must automate the process to find them and then make the decisions of how to remediate. Only through automation and vigilance can you keep on top of the shadow API problem.
As hackers become more sophisticated, so must your tools and processes advance. Amplify will continue to bring new capabilities to assist in the battle against hackers and zombies.
Death to zombie APIs!
Follow us on social