What are Shadow and Zombie APIs? Identifying API Security Risks

What are Shadow and Zombie APIs? Both of them create API security risks, and modern API management needs to make sure that they are being properly managed. The larger an organization is, the harder (and the more important) it gets to have a complete and accurate overview of its API landscape. In order to manage risk, getting such an overview is an important first step.
Shadow APIs are APIs that bypass the standard API management infrastructure and practices in an organization. One frequent reason they exist is that something is considered "private and internal only", so it seems not to need the management applied to APIs that are partner- or public-facing, or otherwise exposed externally. Another frequent reason is that teams are not even aware that they are creating APIs, for example when they build apps: the apps are backed by APIs, but that is easily forgotten, and then those APIs are not managed as APIs.
Zombie APIs are APIs that exist, but whose ownership is unclear or whose owners may not be aware that they (still) exist. One common scenario is APIs that are no longer used but have not been shut down: they are still operational and can be exploited. Another common scenario is APIs that exist and are in use, but whose ownership is unclear, which makes it hard to change anything when changes are needed.
In summary, both shadow and zombie APIs are problematic for organizations because they create risk. Managing them has to start with finding them, which can be tricky. After finding all APIs, they have to be managed and monitored. There also needs to be clear ownership of the APIs so that it is clear who to contact when an API needs to be changed or shut down.
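The finding, monitoring and ownership steps above can be made concrete as an inventory reconciliation: compare what the API management platform knows (a catalog of routes with owners) against what the gateway actually served (access logs). Routes seen in traffic but absent from the catalog are shadow API candidates; catalog entries with no owner, no traffic at all, or no traffic within a staleness window are zombie candidates. The script below is an added example, not code from the video or from any particular API management product; the catalog, the access-log lines, their "timestamp method path status" format, and the 60-day staleness window are all constructed assumptions for illustration.

```python
"""Reconcile an API catalog against gateway access logs to flag shadow and zombie APIs.

Added example with constructed data; the log format and catalog shape are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed catalog: routes the API management platform knows about, with owners.
# None means the route is registered but nobody currently owns it.
CATALOG = {
    "/v1/orders": {"owner": "orders-team"},
    "/v1/orders/{id}": {"owner": "orders-team"},
    "/v1/customers": {"owner": "crm-team"},
    "/v0/legacy-export": {"owner": None},
    "/v1/reports": {"owner": "analytics-team"},
    "/v1/billing": {"owner": "billing-team"},
}

# Constructed gateway access log: "<ISO timestamp> <method> <path> <status>" per line.
ACCESS_LOG = """\
2024-05-01T10:00:00Z GET /v1/orders 200
2024-05-01T10:00:05Z POST /v1/orders 201
2024-05-01T10:00:10Z GET /v1/orders/42?expand=items 200
2024-05-01T10:01:00Z GET /v1/customers 200
2024-05-01T10:02:00Z GET /internal/mobile-sync 200
2024-05-01T10:02:30Z GET /internal/mobile-sync 200
2024-05-01T10:03:00Z GET /v0/legacy-export 200
2024-02-01T09:00:00Z GET /v1/reports 200
garbage line
"""

# Assumed evaluation time and staleness window for the constructed data.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=60)

_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
_NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize_path(raw: str) -> str:
    """Drop the query string and replace purely numeric path segments with {id},
    so /v1/orders/42?expand=items groups with the catalog route /v1/orders/{id}."""
    path = raw.split("?", 1)[0].rstrip("/") or "/"
    return _NUMERIC_SEGMENT.sub("/{id}", path)


def parse_access_log(text: str) -> dict:
    """Aggregate log lines into {route: {"calls": n, "last_seen": datetime}}.
    Malformed lines are skipped rather than aborting the whole inventory run."""
    observed = {}
    for line in text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        route = normalize_path(m.group(3))
        entry = observed.setdefault(route, {"calls": 0, "last_seen": ts})
        entry["calls"] += 1
        if ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return observed


def classify(catalog: dict, observed: dict, now: datetime, stale_after: timedelta) -> dict:
    """Split routes into shadow (served but unregistered), zombie (registered but
    unowned, unused, or stale) and managed (registered, owned, recently used)."""
    shadow = sorted(route for route in observed if route not in catalog)
    zombie = {}
    for route, meta in catalog.items():
        reasons = []
        if not meta.get("owner"):
            reasons.append("no owner")
        if route not in observed:
            reasons.append("no traffic in log window")
        elif now - observed[route]["last_seen"] > stale_after:
            reasons.append("stale: last call " + observed[route]["last_seen"].date().isoformat())
        if reasons:
            zombie[route] = reasons
    managed = sorted(route for route in catalog if route not in zombie)
    return {"shadow": shadow, "zombie": zombie, "managed": managed}


def run_report() -> dict:
    """Run the reconciliation on the constructed catalog and log."""
    return classify(CATALOG, parse_access_log(ACCESS_LOG), NOW, STALE_AFTER)


if __name__ == "__main__":
    report = run_report()
    print("Shadow API candidates (served, not in catalog):", report["shadow"])
    for route, reasons in report["zombie"].items():
        print(f"Zombie API candidate {route}: {', '.join(reasons)}")
    print("Managed routes:", report["managed"])
```

The normalization step matters in practice: without collapsing `/v1/orders/42` onto `/v1/orders/{id}`, every distinct resource id would show up as a separate "shadow" route and bury the real findings. Each flagged route is a candidate for a human follow-up (register it, assign an owner, or decommission it), not an automatic shutdown.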

00:00 Introduction
01:02 What are Shadow APIs?
03:23 Shadow APIs bypass API Management
04:41 What are Zombie APIs?
07:08 Zombie APIs are unmanaged Services
08:19 API Management needs to cover all APIs and Services
11:25 Wrapping it up