The Risks of Zombie APIs (and What to Do About Them)

Posted in Security
J Simpson
August 30, 2022

Zombie APIs are a problem. Zombie APIs, and shadow APIs in general, are among the most significant vulnerabilities in your network. Hackers love to exploit these forgotten endpoints, since they're often exposed and unprotected.

Zombie APIs could become a major problem in the near future. API attacks increased 348% in the first six months of 2021. According to that same report, almost 94% of respondents had experienced some sort of API security incident in the last 12 months.

Unprotected APIs will become even more of a problem in the near future. It's predicted that less than 50% of APIs will be managed by the end of this year, leaving many APIs unmanaged and potentially unknown. More API usage means more vulnerabilities for cybercriminals to exploit. It's better to address these issues now, before they become actual problems down the line.

Below, we'll delve into the risks that zombie APIs pose to your network. Then we'll finish with a few pointers on how to shut down zombie APIs so you can ensure your network's security.

The Risks of Zombie APIs

If you're new to the term, zombie APIs are old, forgotten APIs that are still running in the background. They may have been replaced by new versions, or sometimes even by a brand new API. These endpoints may persist because nobody wants to alienate the existing customers still consuming the API. Or they may be the result of simple oversight, with developers having too much on their plates. Or perhaps public HTTP endpoints were opened as part of a testing environment and never properly closed.

Whatever their cause, unmanaged APIs pose a significant risk to both your company and its products. Cybersecurity breaches that expose sensitive customer data can result in up to 70% of customers abandoning a company. Zombie APIs put your company's reputation and assets at risk.
You could lose sensitive data, get locked out of your network, or suffer countless other catastrophes.

Reasons to Kill an API

The first step in getting rid of zombie APIs is recognizing when it's time for an API to be deprecated. Some reasons for killing an API include:

- Lack of profitability
- Lack of adoption
- Lack of usefulness
- Easier to start over
- Advantages of new technologies
- Transitioning infrastructure
- Fatal security flaws
- Advantages of different formats

In the event of a security breach, it's essential to lock down the API as quickly as possible. Otherwise, it's important to take the proper steps to kill a zombie API so that the process is as undisruptive as possible for everyone involved.

How To Detect Zombie APIs

Zombie APIs wouldn't be such a problem if they were easily discoverable. The fact that you don't know they're there is the main problem in the first place. With that in mind, performing an audit of your API inventory from time to time is a good idea. A number of modern API tools can even automate this process, monitoring all active APIs in real time.

Keeping a record of a user's activities across all APIs is another way to help prevent zombie APIs. This will let you know what users are accessing. It can also keep a record of IP addresses and assets received, such as tokens, cookies, or API keys.

Finally, some advanced AI/ML tools are coming onto the market to identify potential security breaches. Hackers often use recognizable actions to reveal potential weaknesses and security issues. This approach will become more critical as time goes on, since bad actors calling an API can be challenging to distinguish from regular traffic. It's important to prevent that from happening in the first place.

How To Kill a Zombie API

The most important step in deprecating an existing API is to give its current users proper warning so they can transition with as little disruption as possible.
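Before getting into the retirement process, here is the inventory audit and access-log review from the detection section above, as an added example that is not part of the original article. It reconciles a constructed route inventory with constructed log lines and flags shadow endpoints (served but undocumented), zombies (documented as retired but still answering) and dormant routes (documented as active but never called). The inventory, the lifecycle states and the log sample are all assumptions.

```python
import re
from collections import Counter
# Constructed route inventory (assumption, not from the article): template -> lifecycle state.
INVENTORY = {
    "GET /v2/users/{id}": "active",
    "GET /v2/orders": "active",
    "GET /v2/reports": "active",
    "GET /v1/users/{id}": "retired",   # announced as retired; should no longer answer
}

# Constructed access-log sample in combined-log style (constructed, not real traffic).
LOG_LINES = """\
10.0.0.5 - - [30/Aug/2022:10:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [30/Aug/2022:10:00:02 +0000] "GET /v1/users/42 HTTP/1.1" 200 498
10.0.0.9 - - [30/Aug/2022:10:00:03 +0000] "GET /internal/debug/dump HTTP/1.1" 200 9031
10.0.0.9 - - [30/Aug/2022:10:00:04 +0000] "GET /v2/orders?page=2 HTTP/1.1" 200 1201
"""
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def compile_route(template):
    """Turn 'GET /v2/users/{id}' into (method, regex); {param} matches one path segment."""
    method, path = template.split(" ", 1)
    segs = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
            for s in path.split("/")]
    return method, re.compile("^" + "/".join(segs) + "$")
ROUTES = [(t, state, *compile_route(t)) for t, state in INVENTORY.items()]

def match_route(method, path):
    """Map a concrete request back to its inventory template, ignoring the query string."""
    path = path.split("?", 1)[0]
    for template, state, m, rx in ROUTES:
        if m == method and rx.match(path):
            return template, state
    return None, None

def audit(log_text, inventory=INVENTORY):
    """shadow: served (2xx) but not in the inventory; zombie: inventoried as retired yet
    still answering; dormant: inventoried as active but never called in this log."""
    seen, shadow, zombie = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m["status"].startswith("2"):
            continue                     # only successful calls prove an endpoint is alive
        template, state = match_route(m["method"], m["path"])
        if template is None:
            shadow[f'{m["method"]} {m["path"].split("?", 1)[0]}'] += 1
        else:
            seen[template] += 1
            if state == "retired":
                zombie[template] += 1
    dormant = sorted(t for t, s in inventory.items() if s == "active" and t not in seen)
    return {"shadow": dict(shadow), "zombie": dict(zombie), "dormant": dormant}
```

Run it against a day of gateway logs and every non-empty "zombie" or "shadow" entry is an endpoint that needs an owner or a shutdown date; "dormant" entries are the candidates for the next deprecation round.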
For example, when the National Institute of Standards and Technology retired its SOAP format, it gave current users six months' notice. By contrast, Twitter changed many of the Twitter API's features without telling anyone at all, which understandably upset many of its existing users. As a good rule of thumb, you should aim for a six-month rollout to completely deprecate an API.

The first step in killing an API is to set a hard date for the deprecation. You should make an official announcement and send it to all of your existing customers and API consumers. You might even consider issuing a press release so that technical publications can amplify your message. You'll also want to draft technical instructions letting your customers know how they can transition to the API's replacement. Make these instructions as clear and understandable as possible, so your users have a smooth and painless move to your new API.

That's assuming the API is public and available for widespread consumption, of course. Considering that 58% of APIs remain private according to the 2022 State of API report, it's more likely that many zombie APIs are caused by an internal API being forgotten or overlooked. These APIs tend to be much easier to deprecate. They're also often harder to detect, though, precisely because they were forgotten or overlooked in the first place.

Of course, if clients rely upon the API, you'll need to craft a replacement before deprecation is fully possible. Creating the replacement API should also help you identify potential security risks. This process should help you avoid future zombie APIs, as you'll know what to look out for and how to prevent those issues in the future.

Even with official announcements, some of your users will likely still miss the memo. As you get closer to the official retirement date, you might post occasional reminders on your social media accounts in case some of your followers missed the official announcements.
You might even include a warning in the HTTP response as the deprecation day approaches. Finally, you might start intermittently deactivating the API shortly before it's fully retired. All of these steps, taken together, should give your customers and API consumers enough warning to switch to the new product.

The Risk of Zombie APIs: Final Thoughts

APIs are only going to become more important as time goes on. They're a major part of many data-driven products and solutions. They're also crucial for remote work, digital collaboration, and numerous other applications that have become part of our daily lives. Unfortunately, APIs are often the weakest link in our cybersecurity efforts. It's vital to tighten up your API security in every way possible to help make sure you and your customers are protected.
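The two mechanical steps from the "How To Kill a Zombie API" section, a warning in the HTTP response and intermittent deactivation before the hard date, as an added example that is not part of the original article. It is a WSGI wrapper that adds Sunset (RFC 8594) and Deprecation (RFC 9745, a structured-field date written as "@" plus Unix seconds) headers to every response of an otherwise untouched legacy app, answers 503 with Retry-After during scheduled brownout windows, and answers 410 once the sunset date has passed. The retirement date, the six-month runway, the brownout windows and the successor URL are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Assumed retirement schedule (constructed, not from the article).
SUNSET = datetime(2023, 3, 1, tzinfo=timezone.utc)        # hard retirement date
DEPRECATED_AT = SUNSET - timedelta(days=180)                # six-month runway, as the article suggests
REPLACEMENT = "https://api.example.com/v2/"                 # hypothetical successor API
# Brownout windows (start, length): the old API deliberately answers 503 during these.
BROWNOUTS = [
    (SUNSET - timedelta(days=14), timedelta(hours=1)),
    (SUNSET - timedelta(days=7), timedelta(hours=4)),
    (SUNSET - timedelta(days=2), timedelta(hours=12)),
]

def brownout_ends(now):
    """Return the end of the brownout window covering `now`, or None if not in one."""
    return next((s + l for s, l in BROWNOUTS if s <= now < s + l), None)

def deprecation_headers():
    """Warning headers every response on the old API carries: Deprecation (RFC 9745,
    '@' + Unix seconds), Sunset (RFC 8594, HTTP-date) and a Link to the successor."""
    return [
        ("Deprecation", f"@{int(DEPRECATED_AT.timestamp())}"),
        ("Sunset", format_datetime(SUNSET, usegmt=True)),
        ("Link", f'<{REPLACEMENT}>; rel="successor-version"'),
    ]

def decide(now):
    """(status, headers) the gateway should use at `now`: 410 after sunset, 503 with
    Retry-After inside a brownout, or status None meaning serve normally plus headers."""
    headers = deprecation_headers()
    if now >= SUNSET:
        return "410 Gone", headers
    end = brownout_ends(now)
    if end is not None:
        return "503 Service Unavailable", headers + [("Retry-After", str(int((end - now).total_seconds())))]
    return None, headers

def sunset_middleware(app, clock=lambda: datetime.now(timezone.utc)):
    """WSGI wrapper that applies the schedule without touching the legacy app itself."""
    def wrapped(environ, start_response):
        status, headers = decide(clock())
        if status is not None:            # brownout or retired: short-circuit the app
            start_response(status, [("Content-Type", "text/plain")] + headers)
            return [f"This API version is being retired; use {REPLACEMENT}\n".encode()]
        def start(st, hdrs, exc_info=None):
            return start_response(st, hdrs + headers, exc_info)
        return app(environ, start)
    return wrapped
```

Because the headers are present on every response from the day of the announcement, consumers who log response headers can detect the pending retirement automatically, and the brownouts surface any client that ignored the memo while there is still time to fix it.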