If you had to find an analogy for the explosive growth of APIs over the past decade, you might choose to compare them to cell phones. Like cell phones, APIs were once considered a niche technology for use in specific, limited circumstances.
And now, they’re everywhere. Just as the total number of cell phones in the world increased from a couple of million circa 1990 to around 2.5 billion today, the total number of APIs in existence has grown from a few dozen in the early 2000s and is projected to approach 1.7 billion active APIs by 2030.
In most respects, the proliferation of APIs is a great thing. But, like the proliferation of smartphones, it also presents a major challenge in one key aspect: Security. More APIs means more opportunities for attackers to exploit API security vulnerabilities – especially if organizations fail to keep track of which APIs they are using.
Let’s explore this phenomenon, which is sometimes known as API sprawl, and what it means for modern security strategies.
The fact that there are so many APIs in existence today is not an inherently bad thing. On the contrary, APIs provide a number of key benefits to developers and users, such as:
- Integrations: APIs make it easy to share data between applications and services.
- Distributed environments: Because APIs serve as the glue that binds together discrete microservices, cloud services, and so on, they play a vital role in allowing developers to take full advantage of modern, distributed infrastructure. By extension, they help enable resilient and scalable environments.
- Lower development effort: In some cases, APIs allow developers to incorporate functionality into software by borrowing it from third-party services instead of having to write it themselves.
- Simplified user experience: APIs can drive better user experiences by allowing users to share data with multiple applications seamlessly, for example, or sign in once to access multiple applications.
The list could go on, but the point is clear: There are numerous factors today that encourage developers to use APIs extensively. That’s why it has become common today to talk in terms of “API-first” development and design, which means APIs lay the foundation for the way developers design and build software.
Yet, there is one major downside to the surge of API adoption in recent years: API sprawl.
API sprawl is the use of APIs to such a large extent that businesses struggle to keep track of which APIs they are using, and which security vulnerabilities may linger within those APIs.
To go back to the cell phone analogy, you could compare API sprawl to what happens when businesses adopt overly liberal Bring Your Own Device (BYOD) policies for their employees by allowing workers to use personal mobile devices at work. If businesses don’t enforce strong governance policies regarding exactly how mobile devices can be connected to their networks, they may end up with a situation where they struggle to keep track of which third-party devices are in use within their environments, let alone whether those devices are secure.
API sprawl is similar in the respect that, if a business uses too many APIs without systematically tracking where and how they are used, it becomes very difficult to ensure that those APIs are used securely.
Analyst firms like Gartner point to API sprawl – and the security issues it introduces – as a major issue that businesses will need to address as they continue to make use of APIs.
It’s worth noting that API sprawl challenges affect both internal APIs (meaning those that a company develops in-house to connect its own microservices or applications) and external APIs (which are APIs created by third parties to support integrations with outside resources).
In some respects, external APIs pose a greater threat with regard to API sprawl because it’s easier for attackers to discover and abuse external APIs. But internal APIs, too, can be exploited by attackers who identify flaws within them. For instance, an internal API could be abused in order to escalate a breach from one application into other applications that integrate with the breached application through that internal API.
The point here is that, even if you don’t use external APIs (or you use them sparsely), it’s critical to make sure that you know which APIs you are using and how they are being used, so that you can react quickly to security issues that arise with any type of API on which you rely.
Faced with the security challenges that arise from API sprawl, what’s a business to do?
The answer is clearly not to stop using APIs. While that would mitigate API-related security issues, it would deprive businesses of the many benefits that APIs offer.
A better solution is to use APIs as often as you like while making sure to manage the security risks that they introduce. Doing so hinges on a few key practices:
- API governance: You should include rules for APIs within your organization’s governance policies. The rules should explain when both internal and external APIs may be used by your developers, and which security practices (such as the OWASP API security recommendations) need to be followed when using those APIs. Your governance policies should also ensure that developers systematically document which APIs they are using and where, so that it’s easy to know which systems are affected by an API security vulnerability.
- Track API security vulnerabilities: Keep track of disclosures about API security issues for any external APIs you use. (For internal APIs, you’ll need to identify vulnerabilities yourself, because there are no disclosures by third parties about APIs you develop and use yourself.)
- Monitor your APIs: In addition to following disclosures of API security issues, continuously monitor APIs to detect usage anomalies that could signal abuse.
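The three practices above (document which APIs are in use and where, cross-check disclosures against that inventory, and watch traffic for usage anomalies) can be turned into a small, repeatable check. The following is an added example written for this article, not code from the author or any product it mentions. It assumes a simple access-log format (timestamp, client, method, path, status) and a hand-maintained inventory dict; the log lines, the inventory entries, and the advisory record `ADV-EXAMPLE-1` are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log: a normal client, an undocumented "shadow"
# endpoint, and one client hammering a user-lookup endpoint with 403s.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET /api/v1/users/42 200
2024-05-01T10:00:02Z 10.0.0.5 GET /api/v1/users/43?fields=name 200
2024-05-01T10:00:03Z 10.0.0.7 POST /api/v1/orders 201
2024-05-01T10:00:04Z 10.0.0.9 GET /internal/export/all 200
2024-05-01T10:00:05Z 10.0.0.9 GET /internal/export/all 200
""" + "".join(
    f"2024-05-01T10:01:{i:02d}Z 10.0.0.9 GET /api/v1/users/{100 + i} 403\n" for i in range(12)
)

# Constructed governance inventory: endpoint -> owner and third-party dependency.
DECLARED = {
    "GET /api/v1/users/{id}": {"owner": "identity-team", "upstream": None},
    "POST /api/v1/orders": {"owner": "commerce-team", "upstream": ("payments-api", "2.3")},
    "GET /api/v1/legacy/report": {"owner": "unknown", "upstream": None},
}

# Constructed placeholder disclosure about an external API the inventory depends on.
ADVISORIES = [{"id": "ADV-EXAMPLE-1", "component": "payments-api", "affected": {"2.2", "2.3"}}]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
UUID_RE = re.compile(r"/[0-9a-fA-F-]{36}(?=/|$)")
NUM_RE = re.compile(r"/\d+(?=/|$)")


def normalize_path(path):
    """Drop the query string and collapse IDs so /users/42 and /users/43 are one endpoint."""
    path = path.split("?", 1)[0]
    path = UUID_RE.sub("/{id}", path)
    return NUM_RE.sub("/{id}", path)


def parse_log(text):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["endpoint"] = f"{e['method']} {normalize_path(e['path'])}"
        events.append(e)
    return events


def build_inventory(events):
    """Observed inventory: endpoint -> call count and the set of clients using it."""
    inv = defaultdict(lambda: {"calls": 0, "clients": set()})
    for e in events:
        inv[e["endpoint"]]["calls"] += 1
        inv[e["endpoint"]]["clients"].add(e["client"])
    return dict(inv)


def undocumented_endpoints(observed, declared):
    """Endpoints seen in traffic but missing from governance records (shadow APIs)."""
    return sorted(set(observed) - set(declared))


def stale_endpoints(observed, declared):
    """Declared endpoints with no traffic: candidates for retirement to cut sprawl."""
    return sorted(set(declared) - set(observed))


def impacted_endpoints(advisories, declared):
    """Map external-API disclosures onto the internal endpoints that depend on them."""
    hits = []
    for adv in advisories:
        for endpoint, meta in declared.items():
            up = meta.get("upstream")
            if up and up[0] == adv["component"] and up[1] in adv["affected"]:
                hits.append((adv["id"], endpoint, meta["owner"]))
    return sorted(hits)


def rate_anomalies(events, max_per_minute=10, error_ratio=0.5, min_calls=5):
    """Flag (client, endpoint, minute) buckets with a call burst or a high error share."""
    buckets = defaultdict(lambda: {"calls": 0, "errors": 0})
    for e in events:
        b = buckets[(e["client"], e["endpoint"], e["ts"][:16])]  # YYYY-MM-DDTHH:MM
        b["calls"] += 1
        b["errors"] += e["status"] >= 400
    findings = []
    for (client, endpoint, minute), b in sorted(buckets.items()):
        reasons = []
        if b["calls"] > max_per_minute:
            reasons.append(f"{b['calls']} calls in one minute")
        if b["calls"] >= min_calls and b["errors"] / b["calls"] > error_ratio:
            reasons.append(f"{b['errors']}/{b['calls']} responses were errors")
        if reasons:
            findings.append({"client": client, "endpoint": endpoint, "minute": minute, "reasons": reasons})
    return findings


def report(log_text=SAMPLE_LOG, declared=DECLARED, advisories=ADVISORIES):
    events = parse_log(log_text)
    observed = build_inventory(events)
    return {
        "observed": observed,
        "undocumented": undocumented_endpoints(observed, declared),
        "stale": stale_endpoints(observed, declared),
        "impacted": impacted_endpoints(advisories, declared),
        "anomalies": rate_anomalies(events),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against the constructed log, the report lists `GET /internal/export/all` as undocumented, `GET /api/v1/legacy/report` as stale, `POST /api/v1/orders` as impacted by the placeholder advisory, and flags client 10.0.0.9 for both a burst and an all-error minute against the user-lookup endpoint. In practice the inventory would be loaded from a registry rather than a dict and the log from a gateway, but the three checks are the same.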
Practices like these help to establish a happy medium with regard to APIs. They let you take full advantage of APIs while mitigating the risk of API sprawl.
Just as there’s no avoiding cell phones today, not using APIs is simply not an option for most businesses. That’s why it’s critical to use governance strategies and security tools to mitigate the security risks that can arise from API sprawl. With a little effort, you can benefit fully from APIs without letting APIs undercut your business’s security.
About the Author:
Chris Tozzi has worked as a Linux systems administrator and freelance writer with more than ten years of experience covering the tech industry, especially open source, DevOps, cloud native and security. He also teaches courses on the history and culture of technology at a major university in upstate New York.