How to discover and manage shadow APIs

<p>Access to APIs — connectors that enable disparate systems and applications to share data and communicate — is business-critical. And because APIs have access to sensitive information, it’s important that security teams know about every API in use — yet this isn’t always the case.</p>
<p>Employees commonly use technologies and tools without the security team’s sanction — known as <a href="https://www.techtarget.com/searchcloudcomputing/definition/shadow-IT-shadow-information-technology">shadow IT</a> — and APIs are no different. Like other unauthorized components, shadow APIs are created or deployed outside of official processes, often by internal teams, contractors or legacy systems.</p>
<p>Security teams need to know how to prevent, identify and manage shadow APIs to avoid the significant security threats posed by these undocumented and frequently unmonitored interfaces.</p>
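One practical way to identify the undocumented and unauthenticated interfaces described above is to compare what the API gateway actually serves against the documented inventory. The following is an added example, not code from the article or from TechTarget; it assumes a constructed log format (method, path, status, whether a credential was presented) and an OpenAPI-style list of documented path templates.

```python
"""Flag endpoints seen in gateway access logs that are absent from the documented
inventory, and count how often each answered successfully with no credential.
Hypothetical example; the log format and inventory below are constructed."""
import re
from collections import defaultdict

# Constructed inventory: path templates as they would appear in an OpenAPI spec
DOCUMENTED_PATHS = ["/v1/users/{id}", "/v1/orders", "/v1/orders/{id}"]

# Constructed gateway log lines: METHOD PATH STATUS auth=yes|no
SAMPLE_LOG = """\
GET /v1/users/42 200 auth=yes
GET /v1/orders 200 auth=yes
GET /internal/export/customers 200 auth=no
POST /v1/orders/17/refund 201 auth=yes
GET /internal/export/customers 200 auth=no
GET /v1/users/42 401 auth=no
"""

LOG_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$")


def template_to_regex(template):
    """Turn '/v1/users/{id}' into a regex matching exactly one segment per placeholder."""
    parts = ["[^/]+" if re.fullmatch(r"\{[^/]+\}", seg) else re.escape(seg)
             for seg in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def normalize(path):
    """Collapse numeric IDs so every call to one undocumented endpoint groups together."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def find_shadow_endpoints(log_text, documented):
    """Return {(method, normalized_path): {'hits': n, 'unauth_success': n}} for
    every request whose path matches no documented template."""
    documented_res = [template_to_regex(t) for t in documented]
    findings = defaultdict(lambda: {"hits": 0, "unauth_success": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        path = m.group("path").split("?")[0]  # ignore the query string
        if any(r.match(path) for r in documented_res):
            continue  # documented and expected
        entry = findings[(m.group("method"), normalize(path))]
        entry["hits"] += 1
        # A 2xx answer with no credential is the "operates without proper
        # authentication" case and deserves the highest priority.
        if m.group("auth") == "no" and m.group("status").startswith("2"):
            entry["unauth_success"] += 1
    return dict(findings)
```

Each finding is a candidate for the inventory: either document and govern it, or retire it.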
<section class="section main-article-chapter" data-menu-title="The problem with shadow APIs">
<h2 class="section-title"><i class="icon" data-icon="1"></i>The problem with shadow APIs</h2>
<p>The number of APIs in organizations is skyrocketing. According to API platform Postman, each business application is powered by 26 to 50 APIs, and API intelligence platform Treblle estimated that the average enterprise maintains more than 1,000 APIs, most of which perform in-house functions.</p>
<p>The numbers seem unmanageable even before shadow APIs are considered. The dynamic nature of DevOps and microservices makes shadow APIs even more prevalent, as continuous integration/continuous delivery (CI/CD) pipelines push new endpoints into production faster than they can be cataloged.</p>
<p>While shadow APIs are not necessarily malicious, they are a prime target for attackers because they bypass governance and security controls. Shadow APIs are problematic for the following reasons:</p>
<ul class="default-list">
<li>They can expose sensitive data, leading to data loss, exfiltration and compliance violations.</li>
<li>They operate without proper authentication, leading to compliance violations and breaches.</li>
<li>The

[…]

This article has been indexed from Search Security Resources and Information from TechTarget
