How to discover and manage shadow APIs

Access to APIs — connectors that enable disparate systems and applications to share data and communicate — is business-critical. And because APIs have access to sensitive information, it’s important that security teams know about every API in use — yet this isn’t always the case.

Employees commonly use technologies and tools without the security team’s sanction — known as shadow IT — and APIs are no different. Like other unauthorized components, shadow APIs are created or deployed outside of official processes, often by internal teams, contractors or legacy systems.

Security teams need to know how to prevent, identify and manage shadow APIs to avoid the significant security threats posed by these undocumented and frequently unmonitored interfaces.

The problem with shadow APIs

The number of APIs in organizations is skyrocketing. According to API platform Postman, each business application is powered by 26 to 50 APIs, and API intelligence platform Treblle estimated the average enterprise maintains more than 1,000 APIs, most of which perform in-house functions.

The numbers seem unmanageable even before shadow APIs are considered. The dynamic nature of DevOps and…
