The API ecosystem is global and rapidly expanding. In its 2021 State of the API Report, Postman reported that its user base spanned 234 countries and collectively made 855 million API requests. Over half of Postman survey respondents also indicated that they deploy new APIs to production once per day, once per week, or once per month. Similarly, Axway reported that API-first enterprises are building APIs in hours or days rather than weeks or months, enabling them to deliver over 40 digital projects in a year. These statistics reflect a rapid delivery cadence and changing API landscape that inevitably results in more APIs and a shifting API attack surface.
Significant API proliferation has turned into significant API sprawl, which increases operational and security challenges for organizations. Several factors contribute to API sprawl including:
API protocol disparities also contribute to API sprawl since multiple APIs may need to be built or integrated to support varied clients and service types. REST still dominates much of the API landscape but GraphQL is also gaining adoption, as is gRPC within microservice architectures.
It’s practically impossible for an organization to satisfy every element of a customer or employee transaction end-to-end on its own. Nearly every entity, irrespective of industry, works with suppliers and partners to provide functionality or exchange data. Since their widespread adoption in the early 2000s, APIs have been the main mechanism for providing that functionality and serving that data. The resulting API sprawl is, in part, a measure of how effective APIs are for service delivery.
API sprawl introduces significant operational and security challenges for organizations. Pressing concerns include business logic abuse, data exposure, and privacy impacts. With API sprawl, there is also a high likelihood that a given organization understands only a fraction of its total API consumption. These challenges cannot be addressed with traditional perimeter controls alone, such as API gateways or web application firewalls (WAFs), because most of the issues in the OWASP API Security Top 10 depend on application context (which caller is entitled to which object, what a response should legitimately contain) that signature- and rule-based controls do not have. As a result, most of those issues are not directly solvable with these technologies.
Many organizations are embracing cloud infrastructure and services in some capacity, and cloud compute has become increasingly abstracted. Organizations also still host a great deal of systems and applications within on-premises data centers. Additionally, many organizations adopt other “flavors of cloud” beyond just infrastructure-as-a-service, including managed container or Kubernetes platforms, low-code application platforms, and serverless or function-as-a-service platforms. Some organizations also frequently consume software-as-a-service offerings to support their business. Kubernetes itself is declarative infrastructure, interacted with via API. And most applications or services being built today are API-enabled or API-first.
An organization’s API inventory is also more than the APIs it mediates with API gateways or the APIs it formally publishes within an API management (APIM) suite. Often, those are only the Internet-exposed APIs where increased observability and access control are desired, or, in the case of APIM, only the APIs that the organization productizes or monetizes. Axway reported that the average enterprise uses three different API management offerings, a number expected to grow to five for some organizations by 2023. This reality of enterprise architecture and API delivery leaves organizations with blind spots in unified API management, visibility, and governance.
The large spectrum of application, compute, and service types makes universal visibility and control difficult for security teams to achieve. Even if an organization could achieve full visibility over all its assets, it won’t have the same level of visibility across all its partners and suppliers and the complete digital supply chain.
Getting visibility into all your environments is central to addressing API sprawl. It’s not enough to deploy an API gateway or perimeter proxy – it will not give you the complete picture of your API traffic. Your systems, applications, and APIs and the data they interact with span many environments. Discovering all API assets requires that the organization gather telemetry at multiple points of its enterprise architecture.
To keep up with API sprawl, organizations inevitably need to seek new tooling that:
Dedicated API security tooling, and specifically platforms that provide full life cycle security capabilities, help organizations that are facing the problem of API sprawl. A given organization’s API inventory must include all internal (private), external (public), partner APIs, and third-party APIs. Continuous discovery of all the APIs that an organization builds, integrates, or consumes enables API teams and security teams to better understand their relative API security risk and prioritize security controls more effectively.
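The two points above, that a gateway alone does not show the full picture and that discovery has to merge telemetry from several points of the architecture, can be illustrated with a small inventory builder. The following is an added example written for this post, not code from Salt Security or from any of the vendors named here. It assumes three constructed telemetry sources (a gateway access log in common log format, a service-mesh sidecar log for east-west traffic, and the `paths` section of a published OpenAPI document), normalizes numeric and UUID path segments to `{id}` so individual requests collapse into endpoints, and then reports which endpoints are documented, which are seen in traffic but absent from the spec, and which are in the spec but never observed. All log lines and spec paths are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): gateway access log, CLF-style.
GATEWAY_LOG = """\
10.0.0.5 - - [12/Mar/2022:10:01:02 +0000] "GET /v1/users/1234 HTTP/1.1" 200 512
10.0.0.6 - - [12/Mar/2022:10:01:03 +0000] "POST /v1/orders HTTP/1.1" 201 88
10.0.0.7 - - [12/Mar/2022:10:01:09 +0000] "GET /v1/users/1234/export HTTP/1.1" 200 90123
"""

# Constructed sample: sidecar/mesh log for east-west traffic that never crosses the gateway.
MESH_LOG = """\
[2022-03-12T10:02:00Z] "GET /internal/billing/accounts/42 HTTP/2" 200 outbound|8080||billing.prod.svc
[2022-03-12T10:02:01Z] "DELETE /v1/orders/99 HTTP/2" 204 outbound|8080||orders.prod.svc
"""

# Constructed sample: the published OpenAPI spec (only the paths section is used).
OPENAPI_SPEC = {
    "paths": {
        "/v1/users/{id}": {"get": {}},
        "/v1/orders": {"post": {}},
        "/v1/orders/{id}": {"get": {}},
        "/v1/reports/{id}": {"get": {}},
    }
}

# Request line as it appears in both log formats above.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A path segment that is a decimal ID or a UUID (8-4-4-4-12 hex groups).
ID_RE = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.I)


def normalize(path):
    """Drop the query string and replace ID-like segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_RE.match(seg) else seg for seg in path.split("/"))


def endpoints_from_log(text, source):
    """Map (METHOD, normalized path) -> {source} for every request line found."""
    seen = {}
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            key = (m.group("method"), normalize(m.group("path")))
            seen.setdefault(key, set()).add(source)
    return seen


def endpoints_from_spec(spec):
    """Map (METHOD, templated path) -> {"openapi"} from the spec's paths section."""
    return {(method.upper(), path): {"openapi"}
            for path, ops in spec["paths"].items() for method in ops}


def build_inventory(sources):
    """Union the per-source endpoint maps into one inventory keyed by endpoint."""
    inv = defaultdict(set)
    for src in sources:
        for key, origins in src.items():
            inv[key] |= origins
    return inv


def classify(inv):
    """Split the inventory by whether an endpoint is in the spec and/or observed in traffic."""
    report = {"documented": [], "undocumented": [], "unobserved": []}
    for key, origins in sorted(inv.items()):
        in_spec = "openapi" in origins
        in_traffic = bool(origins - {"openapi"})
        if in_spec and in_traffic:
            report["documented"].append(key)
        elif in_traffic:
            report["undocumented"].append(key)   # seen live, missing from the spec
        else:
            report["unobserved"].append(key)     # in the spec, never seen live
    return report


def missing_from_gateway(inv):
    """Endpoints observed in traffic that a gateway-only view would never see."""
    return sorted(k for k, o in inv.items() if (o - {"openapi"}) and "gateway" not in o)


def run():
    inv = build_inventory([
        endpoints_from_log(GATEWAY_LOG, "gateway"),
        endpoints_from_log(MESH_LOG, "mesh"),
        endpoints_from_spec(OPENAPI_SPEC),
    ])
    return inv, classify(inv)


if __name__ == "__main__":
    inventory, report = run()
    for bucket, endpoints in report.items():
        print(bucket, endpoints)
    print("invisible to the gateway:", missing_from_gateway(inventory))
```

With the constructed data, two endpoints (the internal billing lookup and the order deletion) only ever appear in the mesh log, so a gateway-only inventory would miss them entirely, and the user export endpoint shows up in gateway traffic without any spec entry. In practice the same merge step would take additional sources (ingress and route objects from Kubernetes, WAF logs, SaaS and partner API call logs, CI-time spec linting) and be run continuously rather than once; the normalization and classification logic does not change.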
This end state can only be achieved with security tooling that is cloud-scale itself and that makes ample use of AI/ML (i.e., machine assistance) to analyze all API telemetry, produce meaningful signals for IT teams, and protect APIs accordingly.
Here at Salt, we’re helping customers get a handle on their API sprawl with automatic API discovery, data classification, API attack detection and prevention, and shift-left tactics that identify API vulnerabilities in pre-production. If you’d like to see the platform in action, request a personal demo.