Zombie APIs! Sounds scary, right? Well, it should. Zombie APIs won’t eat your brains, but they just might eat your data, your money, and your organization’s ability to maintain operations, by giving cybercriminals access to your network.
Fortunately, security technologies and strategies exist that can help you tame these APIs, eliminating the risks they pose.
API-based cyber risk
The widespread use of application programming interfaces, or APIs, has been a huge boon to organizations of all sizes. They enable the rapid development and deployment of the apps that by now are critical to nearly every business and industry.
Unfortunately, each API is a new point of vulnerability, meaning that their use expands your attack surface. According to one recent study, the average number of APIs in use by survey respondents was over 15,000. And for large enterprises with more than 10,000 employees, the average rose to more than 25,000.
That’s a lot of potential points for cybercrooks to penetrate, and you can bet that they’re busily scanning networks to find unprotected APIs to attack.
And they’re succeeding. The same study found that 41% of respondents had experienced a security incident that exploited an API in the previous year — and that 69% of those had suffered lost or breached data as a result. And in 2022, TechWire Asia estimated that API-based attacks cost businesses up to $75 billion annually.
What are zombie APIs?
When it comes to APIs that are in active use, keeping them updated and secured can be challenging in itself — and that largely comes down to the fact that there’s no consensus on whose job it is. IT security teams say it’s DevOps’ job, DevOps say it’s a security issue, and criminals are laughing all the way to the bank.
But however that conflict is resolved in your organization, you still have the problem of zombie APIs. These are APIs that are no longer being used for anything (or at least, not for any legitimate purpose). They’re still out there, and they still provide a point of access to some part of your system, but no one is maintaining or updating them anymore — and in all likelihood, no one even remembers that they exist.
What you can do
So. You’ve got many thousands of APIs out there, some significant percentage of them are zombies, and you don’t have any kind of inventory or listing of them all. Indeed, whoever developed and deployed them in the first place may no longer be in your organization. Thinking about all the work it’s going to take to catalog all your APIs, remove unneeded ones, and secure the ones you want to keep in production is enough to give you a major headache.
But wait a second. Doesn’t that sound like a job that’s perfect for artificial intelligence? Yes, it does. And guess what. Modern application-security platforms like Barracuda Application Protection have developed the ability to do just that — and plenty more.
The API Protection module of Barracuda Application Protection leverages an advanced AI engine to discover all your APIs, including unprotected endpoints. What’s more, it can then automatically apply up-to-date security controls, shutting down the avenues for cybercrooks to penetrate your network and potentially cause a costly breach.
And that’s just the beginning. API protection capabilities also give you full visibility into applications and traffic, creating rich logs of every interaction and request to every API, and integrate with your development processes to ensure that apps and APIs are fully secured before they reach the deployment stage.
Zombie APIs are definitely on the march. But with a modern app-security platform like Barracuda Application Protection, you can be a zombie-slaying hero and keep your organization safe from having its brains — or data — eaten.