
Wrestling with the Problem of API Sprawl

Michael Isbitski
Feb 17, 2022

The API ecosystem is global and rapidly expanding. In its 2021 State of the API Report, Postman reported that its user base spanned 234 countries and collectively made 855 million API requests. Over half of Postman survey respondents also indicated that they deploy new APIs to production once per day, once per week, or once per month. Similarly, Axway reported that API-first enterprises are building APIs in hours or days rather than weeks or months, enabling them to deliver over 40 digital projects in a year. These statistics reflect a rapid delivery cadence and changing API landscape that inevitably results in more APIs and a shifting API attack surface.  

This proliferation has turned into API sprawl, which compounds the operational and security challenges organizations face. Several factors contribute to API sprawl, including:

  • Adoption of cloud-native design patterns and microservices architectures
  • Use of API-enabled cloud infrastructure
  • Support for increasingly mobile consumer and employee user populations as well as machine identities
  • Consumption of SaaS-delivered services and mobile applications
  • Partner and supplier integrations, commonly referred to as digital supply chains

API protocol disparities also contribute to API sprawl since multiple APIs may need to be built or integrated to support varied clients and service types. REST still dominates much of the API landscape but GraphQL is also gaining adoption, as is gRPC within microservice architectures.

How did we get here?

It’s practically impossible for an organization to satisfy every element of a customer or employee transaction end-to-end on its own. Nearly every entity, irrespective of industry, works with suppliers and partners to provide functionality or exchange data. Since their widespread adoption in the early 2000s, APIs have been the main mechanism for providing that functionality and serving that data. The resulting API sprawl is, in part, a measure of how effective APIs are for service delivery.

API sprawl introduces significant operational and security challenges for organizations. Pressing concerns include the risk of business logic abuse, data exposure, and privacy impacts. With API sprawl, there is also a high likelihood that a given organization understands only a fraction of the APIs it exposes and consumes. These challenges are not addressed by traditional perimeter controls such as API gateways or web application firewalls (WAFs) alone: most of the issues in the OWASP API Security Top 10 (broken object-level authorization, for example) are not directly solvable with these technologies because they depend on the application's own business logic rather than on a recognizable request signature.

The challenge of API asset management

Many organizations are embracing cloud infrastructure and services in some capacity, and cloud compute has become increasingly abstracted. At the same time, organizations still host a great deal of systems and applications within on-premises data centers. Many also adopt other “flavors of cloud” beyond infrastructure-as-a-service, including managed container or Kubernetes platforms, low-code application platforms, and serverless or function-as-a-service platforms, and most consume software-as-a-service (SaaS) offerings to support their business. Kubernetes itself is declarative infrastructure that is configured and operated entirely through its API. And most applications or services being built today are API-enabled or API-first.

An organization’s API inventory is also more than the APIs it mediates with API gateways or the APIs it formally publishes within an API management (APIM) suite. Often, those are only the Internet-exposed APIs where increased observability and access control are desired, or, in the case of APIM, only the APIs that the organization productizes or monetizes. Axway reported that the average enterprise uses three different API management offerings, with the number expected to grow to five for some organizations by 2023. This reality of enterprise architecture and API delivery leaves organizations with blind spots in unified API management, visibility, and governance.

The large spectrum of application, compute, and service types makes universal visibility and control difficult for security teams to achieve. Even if an organization could achieve full visibility over all its assets, it won’t have the same level of visibility across all its partners and suppliers and the complete digital supply chain.

Containing the sprawl

Getting visibility into all your environments is central to addressing API sprawl. It’s not enough to deploy an API gateway or perimeter proxy – it will not give you the complete picture of your API traffic. Your systems, applications, and APIs and the data they interact with span many environments. Discovering all API assets requires that the organization gather telemetry at multiple points of its enterprise architecture.

To keep up with API sprawl, organizations inevitably need to seek new tooling that:

  • integrates with the numerous technology stacks and varieties of compute that are used across all environments
  • works in tandem with pre-existing network proxies and gateways to enforce the most appropriate type of mitigation, in the most appropriate point of an architecture, for a given API exploit or abuse
  • is functional “out of the box”
  • continuously learns the uniqueness of an organization’s environments and business logic

API Security platforms reduce your risk

Dedicated API security tooling, and specifically platforms that provide full life cycle security capabilities, help organizations facing the problem of API sprawl. A given organization’s API inventory must include all of the internal (private), external (public), and partner APIs it publishes, as well as the third-party APIs it consumes. Continuous discovery of all the APIs that an organization builds, integrates, or consumes enables API teams and security teams to better understand their relative API security risk and prioritize security controls more effectively.
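To make the two preceding points concrete (telemetry from several points of the architecture, and an inventory that covers published, partner, and consumed APIs), here is an added Python example. It is not Salt's code or anything the post describes in detail; the log lines, host names, and the "documented" endpoint set are all constructed, and the identifier heuristic is an assumption you would tune to your own URL conventions. It merges records from an API gateway, a Kubernetes ingress controller, an application access log, and the application's outbound calls into one endpoint inventory, then shows which endpoints are undocumented (shadow), which are third-party, and which a gateway-only view would never reveal.

```python
"""Build an API inventory from telemetry gathered at several points, then
compare it with the documented (gateway / APIM) surface.  Added example;
all log lines and the documented spec are constructed, not real data."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed telemetry: "<collection point> <method> <host> <path>".
# gateway = edge API gateway, ingress = Kubernetes ingress controller,
# app = application access log, egress = outbound calls the app makes.
SAMPLE_TELEMETRY = """\
gateway GET    api.example.com /api/v1/users/1042
gateway GET    api.example.com /api/v1/users/77
gateway POST   api.example.com /api/v1/orders
ingress GET    users-svc       /api/v1/users/1042/export
ingress GET    users-svc       /internal/metrics
ingress DELETE orders-svc      /api/v1/orders/9f3a
app     POST   orders-svc      /api/v2/orders
app     GET    users-svc       /api/v1/users/77
egress  GET    partner.example /v3/rates/USD
"""

# What the gateway / API management layer knows about (constructed).
DOCUMENTED: Set[Tuple[str, str]] = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
}

Endpoint = Tuple[str, str]  # (method, templated path)

# Path segments that look like identifiers: integers, hex strings of 4+
# characters, or UUIDs.  Heuristic (an assumption of this example): a
# literal segment such as /cafe would also be collapsed, so tune it to
# your own URL conventions.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{4,}|[0-9a-f-]{36})$", re.IGNORECASE)


def template_path(path: str) -> str:
    """Collapse identifier segments so /users/1042 and /users/77 count as one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def build_inventory(telemetry: str) -> Dict[Endpoint, dict]:
    """Merge every collection point into one endpoint -> {calls, seen_at, hosts} map.
    The same endpoint is keyed once even when the gateway logs the public host
    and the app logs the upstream service name."""
    inventory: Dict[Endpoint, dict] = defaultdict(
        lambda: {"calls": 0, "seen_at": set(), "hosts": set()}
    )
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        source, method, host, path = line.split()
        entry = inventory[(method.upper(), template_path(path))]
        entry["calls"] += 1
        entry["seen_at"].add(source)
        entry["hosts"].add(host)
    return dict(inventory)


def classify(inventory: Dict[Endpoint, dict],
             documented: Set[Endpoint]) -> Dict[str, List[Endpoint]]:
    """Split the inventory into documented, shadow (undocumented first-party)
    and third-party (consumed via egress) APIs."""
    buckets: Dict[str, List[Endpoint]] = {"documented": [], "shadow": [], "third_party": []}
    for endpoint, info in sorted(inventory.items()):
        if "egress" in info["seen_at"]:
            buckets["third_party"].append(endpoint)
        elif endpoint in documented:
            buckets["documented"].append(endpoint)
        else:
            buckets["shadow"].append(endpoint)
    return buckets


def gateway_blind_spots(inventory: Dict[Endpoint, dict]) -> List[Endpoint]:
    """Endpoints that never pass through the gateway: a gateway-only view misses all of them."""
    return sorted(ep for ep, info in inventory.items() if "gateway" not in info["seen_at"])


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_TELEMETRY)
    for name, endpoints in classify(inv, DOCUMENTED).items():
        print(f"{name}:")
        for method, path in endpoints:
            print(f"  {method:6} {path}   seen at {sorted(inv[(method, path)]['seen_at'])}")
    print("not visible at the gateway:", gateway_blind_spots(inv))
```

In the constructed data the gateway sees two endpoints, while the merged inventory holds seven: the per-user export, an internal metrics endpoint, a DELETE on orders, an unannounced v2 orders API, and an outbound partner call all appear only in ingress, application, or egress telemetry. That gap is the argument for collecting at multiple points rather than relying on the gateway alone; in a real deployment the per-endpoint records would also carry data classification and authentication details so the shadow list can be prioritized.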

This end state can only be achieved with security tooling that is cloud-scale itself and that makes ample use of AI/ML (i.e., machine assistance) to analyze all API telemetry, produce meaningful signals for IT teams, and protect APIs accordingly.

Here at Salt, we’re helping customers get a handle on their API sprawl with automatic API discovery, data classification, API attack detection and prevention, and shift-left tactics that identify API vulnerabilities in pre-production.
