The perils of Shadow APIs!

Sanjit Mohanty
2 min read - Apr 5, 2022

Cloud providers such as AWS, Azure & GCP introduce the notion of serverless services, which allow developers to build applications at scale with less infrastructure complexity. This lets developers publish services within minutes without thinking about the infrastructure implications. Such new services often expose APIs.

If not done right, the very ephemeral nature of such serverless applications often results in them going undetected by an org’s API management (APIM) platform. This leads to the creation of Shadow APIs. There are many other scenarios that can also introduce Shadow APIs into one’s org.

Fundamentally, Shadow APIs are services that your org uses but that don’t, or couldn’t, get tracked for one reason or another. You may not even know they ever existed!

The threat that shadow APIs pose!

The biggest problem with shadow APIs is the very fact that they are unknown! They could fail at any time to meet your org’s compliance standards & even put your users’ data at risk — all without your knowledge!

There are many examples where simple specification validation might have avoided significant security incidents, such as those at Panera Bread & Uber!

How to detect shadow APIs?

The first step in avoiding shadow APIs is to discover them in one’s org! The goal is to increase visibility into your API reliance across the entire development & product organisation.

API discovery done right helps align both technical & non-technical stakeholders, so that everyone has better insight into the state of API usage within an organisation, thus avoiding the perils of Shadow APIs!
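One concrete form this discovery can take, as an added example that is not from the original post: reconcile the endpoints actually observed in gateway or load-balancer access logs against the API inventory the APIM platform knows about, and flag anything that is not documented. The spec entries, log lines and function names below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: (method, path template) pairs the APIM platform has on record,
# written the way an OpenAPI document would template path parameters.
KNOWN_API_SPEC = {
    ("GET", "/v1/users/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{orderId}"),
}

# Constructed sample access log lines in the common Apache/NGINX format.
ACCESS_LOG = """\
10.0.0.5 - - [05/Apr/2022:10:01:12 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.7 - - [05/Apr/2022:10:01:13 +0000] "POST /v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [05/Apr/2022:10:02:40 +0000] "GET /v1/orders/9001 HTTP/1.1" 200 301
10.0.0.9 - - [05/Apr/2022:10:03:01 +0000] "GET /v1/export/users?all=1 HTTP/1.1" 200 90210
10.0.0.3 - - [05/Apr/2022:10:03:05 +0000] "DELETE /v1/users/42 HTTP/1.1" 204 0
10.0.0.3 - - [05/Apr/2022:10:03:09 +0000] "GET /v1/export/users HTTP/1.1" 200 90210
"""

# Pulls the method and request target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def template_to_regex(template: str) -> re.Pattern:
    """Turn a path template such as /v1/users/{id} into an anchored regex
    where each {param} segment matches exactly one path segment."""
    parts = ["[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

SPEC_MATCHERS = [(method, template_to_regex(path)) for method, path in KNOWN_API_SPEC]

def is_documented(method: str, path: str) -> bool:
    """True only if both the method and the path are in the known inventory."""
    return any(m == method and rx.match(path) for m, rx in SPEC_MATCHERS)

def find_shadow_endpoints(log_text: str) -> Counter:
    """Return observed (method, path) pairs missing from the spec, with hit counts.
    The query string is dropped so /x?a=1 and /x count as the same endpoint."""
    shadow = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        method, path = m["method"], m["path"].split("?", 1)[0]
        if not is_documented(method, path):
            shadow[(method, path)] += 1
    return shadow

if __name__ == "__main__":
    for (method, path), hits in find_shadow_endpoints(ACCESS_LOG).most_common():
        print(f"undocumented: {method} {path} ({hits} requests)")
```

Note that the check is per method, so a DELETE on a path that is only documented for GET is reported as well; an undocumented method on a known path is just as much a gap in the inventory as an unknown path.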

Sanjit Mohanty

Engineering Manager, Broadcom | Views expressed on my blogs are solely mine; not that of present/past employers. Support my work https://ko-fi.com/sanjitmohanty