Why Enterprises Are Concerned About Zombie APIs Posted in SecurityStrategy Bill Doerrfeld October 31, 2024 The API threat landscape is continually evolving as new threats enter the fold. Lately, one risk that has received more attention is zombie APIs. These are the forgotten, undead endpoints lurking in the shadows of yesteryear’s IT projects. Not fully deprecated and clinging onto life, zombie APIs could unintentionally expose sensitive data if not shuttered. The threat of shadow and zombie APIs is not lost on today’s savvy technologists. This year’s State of API Security Report, conducted by Salt Labs, found that outdated, zombie APIs were the top concern among their survey respondents. According to Nick Rago, Vice President of Product Strategy at Salt Security, this is likely due to increasing awareness around the importance of cloud and API governance within enterprises. I recently caught up with Rago to get the lowdown on these ghoulish endpoints and how organizations should respond. In short, as attackers increasingly target APIs for nefarious purposes, executives are turning to API governance to strengthen an organization’s overall security posture. There’s also a shift toward viewing APIs as IT assets, encouraging standardization. These changes necessitate improving inventory management and identifying endpoints like zombie APIs, which no longer serve the needs of the business but may pose an unforeseen threat. APIs Get The Spotlight: From Security Threats to IT Assets The barrier to hacking APIs is surprisingly low. After examining many attacks over the last couple of years, Rago concludes, “About 70% of attacks we saw were attacks that a high schooler could have conducted.” API attacks are increasing, and the vast majority of them are related to poor security postures. Due largely to this condition, 95% of respondents have experienced security problems in production APIs, as found in the aforementioned Salt Labs report. Interestingly, Rago has noticed a dip in concern about runtime protection lately and more heightened concern about posture governance. This is likely because many API journeys are still at an early stage, and executives in large enterprises are just now forming cloud governance committees that are writing standards for APIs. In many cases, API standards were never defined or enforced until recently. Part of the reason is the fluid nature of API design and a lack of universal standards. “If you ask an architect, developer, DevOps, or AppSec professional, everyone has a different idea of what a good API is,” says Rago. For this reason, there’s been more interest in designing and enforcing standards upfront. “Spec-first is taking hold finally,” says Rago. New API program managers, especially in finance, require these blueprints for new API projects. In an increasing number of scenarios, “APIs don’t see the light of day until there is a spec,” he says. To his point, this area is ripe for improvement, as 75% of APIs suffer from specification drift, according to a recent APIContext study. Overall, large organizations across the board—from insurance to airlines and healthcare—are beginning to take APIs seriously and invest in their maturity. Increased API awareness is also influencing more consolidation of gateway technologies. “Enterprises are treating APIs like IT assets,” he says. “They often have more API endpoints than any other IT asset they have.” Why Zombie APIs Are Top of Mind Traceable’s 2025 Global State of API Security report, conducted by the Ponemon Institute, surveyed 1,500 IT and IT security practitioners and found that 61% of them believe that API risks will increase in the next 12 to 24 months. Broken access control and simple authorization gaps remain top risks to APIs, and those growing cobwebs are low-hanging fruit. “The fear of zombie APIs is real,” says Rago. “If these are IT assets, you need to know if there is a server in the back sitting for five years that no one has updated or patched. We’re getting there with APIs right now.” Add to this scenario that the average API inventory is steadily growing. According to the Salt Security study, the overall number of APIs is increasing, having gone up by 167% in the past year, and 61% of their customers now manage more than 100 APIs. A lot of the concern around zombie or shadow APIs stems from the realization in large, sophisticated enterprises that there is little to no governance around these API endpoints, says Rago. “There are many, and they have no control or insight.” What Type of APIs Become Zombies? But which APIs are most likely to be left behind? According to Rago, the APIs most likely to become zombies are the ones built for specific use cases. Folks usually have good eyes on APIs built for public or partner-facing scenarios. But take a purpose-built API built for a custom user experience, like a mobile app or website. Projects like these are often sunsetted, especially if built for a single event or campaign, but all the piping underneath is left up and running. In this situation, the API could easily expose sensitive data or personally identifiable information (PII). Zombie APIs may be more common within environments that aren’t closely monitored or where there’s significant tech debt or shadow IT. And finding them is not always easy. Only 10% of organizations fully document their APIs, making locating these endpoints challenging. Therefore, API discovery must go beyond simply analyzing runtime requests, says Rago, since a zombie endpoint might not be getting traffic. Instead, he encourages a more active discovery approach. Organizations should look through source code repositories, old developer portal documents or references, and API ecosystem tooling to discover where zombie APIs lurk. “What’s in Postman, Insomnia, or SwaggerHub collections?” Fighting Zombie APIs With Governance They say the only surefire way to kill a zombie is to cut off its head. Where APIs are concerned, the steps are a little less bloody but similarly effective. For zombie APIs, the only surefire way to stop them is to shutter them for good. But how do we stop APIs from becoming zombified? Finding them is one thing — eliminating the root cause of their creation is another effort entirely. And the latter response hinges on governance. As we’ve covered before, governance is a catch-all term that applies to best practices around the API lifecycle, from design to development, testing, and production. At various stages, it’s necessary to validate things from a data regulatory standpoint, says Rago, or ensure APIs follow specific design policies, like implementing user IDs following a certain format. Organizations might also have policies in place around third-party consumption. You won’t learn how to shutter APIs by watching Dawn of The Dead. While zombie APIs aren’t as thrilling as cinematic undead, they’re just as dangerous to organizations. The solution lies in executive-driven, organization-wide standards. As Rago says, “Everyone is recognizing that standards are important.” With proper governance, organizations can ensure their APIs won’t come back to haunt them. The latest API insights straight to your inbox