
The use of SaaS applications has fueled the unprecedented growth of APIs, as organisations now rely on dozens of SaaS applications for almost everything. Statistics reveal that, on average, large organisations use around 447 SaaS apps, and every new tool introduces a potential source of new API endpoints. These often go undocumented, leading to the emergence of shadow or unmanaged APIs.

Shadow APIs have become a challenge for organisations because they are neither officially approved nor documented by the security teams. Postman's State of the API Report 2024 reveals that only 37% of API developers prioritise API testing. This gap in testing makes such APIs one of the most serious lurking threats for organisations.

Unmonitored APIs often lead to data breaches, compliance violations, and financial losses that threaten an organisation's overall cybersecurity posture. Considering these negative consequences, CISOs and developers must address these risks by integrating comprehensive security practices.

The Dark Side of Shadow APIs Within the SaaS Ecosystem

As SaaS adoption accelerates, so does the complexity of managing the APIs that power these applications. While APIs enable seamless integrations and data flow, their unchecked growth, especially shadow APIs, poses serious security risks. Below are some key challenges and consequences that make shadow APIs a growing threat in today's SaaS environments:

1. SaaS Sprawl and the Rise of Unmanaged APIs

Each SaaS app comes with its own API, and organisations may also embed third-party services within their products, introducing APIs they do not know about. Security teams are usually unaware of the APIs embedded within these apps and services. This SaaS sprawl leads to many APIs operating within an organisation without centralised IT governance.

2. Visibility Challenges and Security Blind Spots

In addition, it is challenging for security teams to discover and keep track of every API across a SaaS environment in which each app hosts its own. This poor visibility results in some APIs falling through the cracks and later causing significant security problems.

The foremost problem is that rogue APIs are rarely built to the organisation's standard policies and often lack proper authentication and authorisation mechanisms. This makes it easy for attackers to gain unauthorised access to sensitive data, leading to data breaches. Similarly, each rogue API endpoint serves as an entry point for attackers, expanding the attack surface beyond what security teams can see. Attackers scan for these undocumented and forgotten APIs, probe them for vulnerabilities, and exploit them, widening the organisation's exposure.

3. The Risk from Non-Human Identities

Non-human identities, such as service accounts, automation scripts, or CI/CD pipelines, often interact with APIs without the scrutiny or governance applied to human users. If left unmanaged, they tend to carry long-lived, over-privileged credentials and sidestep controls such as MFA and session review that apply to human logins, which makes it easier for attackers to exploit flaws within rogue APIs. This has contributed to a rise in API-related breaches. A study found that, as of 2024, 84% of security professionals had experienced an API-related security incident in the previous 12 months. These incidents frequently involved API endpoints that organisations didn't even know existed.

4. Compliance Risks and Real-world Fallout

Developers using unapproved applications may expose sensitive data, violating compliance regulations such as HIPAA, GDPR, and the CCPA. This has severe consequences, including hefty fines, costly lawsuits, and reputational damage.

For instance, in January 2023, T-Mobile disclosed that a malicious actor had accessed data on 37 million customers through a vulnerable internal API. The attacker had been abusing the API for over a month before the activity was detected, stealing names, email addresses, and phone numbers. Although not a classic shadow API, the internal API was not adequately monitored or hardened, making it a blind spot from a security perspective. Because this was one of several data breaches at the company, T-Mobile later agreed to pay a $15.75M civil penalty and to remediate the underlying security flaws.

5. Unpatched Vulnerabilities in the Shadows

Where shadow APIs exist within custom-built SaaS integrations or internal tools, they may rely on outdated libraries or unpatched dependencies. Because they are outside routine maintenance and scanning, they are not patched during regular update cycles, leaving the door open for malicious actors to misuse or exploit them.

Best Practices for Securing SaaS APIs

As third-party SaaS apps introduce API security risks, an SSPM (SaaS Security Posture Management) tool is vital for managing SaaS applications securely across the organisation. These tools provide visibility into app usage, enforce security policies, and help prevent data breaches. Alongside this, dedicated effort should go into detecting rogue APIs, since that both mitigates the risks associated with them and improves the overall security posture.

Below are some of the key strategies that need to be considered:

  • Use API Discovery Tools: These automatically find and catalogue unmanaged APIs across the entire environment. This involves scanning network traffic, SaaS apps, and cloud environments for active API endpoints that aren't part of the official documentation.
  • Maintain an Updated API Inventory: Each new SaaS integration should be registered in the inventory before deployment. Recording details such as the API owner, purpose, data handled, and security status helps map known and unknown APIs and decide whether to keep or decommission them.
  • Establish API Governance Policies and Procedures: Define standard procedures for publishing APIs, including registration, documentation, and security reviews. This ensures that all APIs are authorised and documented, since developers must obtain approval before creating new ones.
  • Apply Zero-Trust Principles to APIs: By applying zero-trust principles such as per-request access control policies and continuous authentication to APIs within the SaaS environment, teams gain better visibility into their APIs and can enforce least-privilege access for every caller, human or not. With fewer open pathways, it becomes harder for attackers to infiltrate the network, reducing the attack surface and the likelihood of API data breaches.
  • Perform Audits and Penetration Tests: Regular audits and penetration tests are essential for detecting vulnerabilities within APIs and SaaS apps. Security audits confirm that APIs align with organisational security policies and regulatory requirements, while penetration tests simulate attacks on your APIs to find vulnerabilities before malicious actors can exploit them.
  • Educate and Train Employees: Developers must understand the risks associated with unregistered APIs and the importance of complying with security standards. Training on secure API development, adequate access control, and risk awareness can significantly reduce the human errors that lead to security vulnerabilities.
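The discovery and inventory steps above can be reduced to a concrete check: take the endpoints actually observed in gateway or access logs, normalise them into path templates, and diff them against the documented inventory. Anything observed but undocumented is a shadow endpoint, and any shadow endpoint that answers unauthenticated requests with a 2xx status is the unauthenticated-access case described earlier and should be triaged first. The script below is an added example written for this article, not code from the page or from any SSPM or discovery vendor. It assumes an inventory of (method, path template) pairs as an OpenAPI spec would list them, and gateway log lines carrying a hypothetical `auth=` annotation that records whether the request presented credentials; both the inventory and the log lines are constructed for the example.

```python
"""Shadow API discovery: diff observed API traffic against the documented
inventory and flag undocumented endpoints, especially those that answer
unauthenticated requests with a 2xx status."""
import re
from collections import defaultdict

# Documented inventory: (method, path template) pairs, as an OpenAPI spec
# would list them. Constructed for this example.
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/users"),
    ("GET", "/api/v1/orders/{id}"),
}

# Constructed sample gateway log lines (not real traffic). The trailing
# auth= field is an assumed gateway annotation saying whether the request
# carried credentials ("bearer") or none at all ("none").
SAMPLE_LOGS = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 auth=bearer
10.0.0.5 - - [12/Mar/2025:10:01:03 +0000] "POST /api/v1/users HTTP/1.1" 201 88 auth=bearer
10.0.0.9 - - [12/Mar/2025:10:02:10 +0000] "GET /api/v1/orders/1001 HTTP/1.1" 200 700 auth=bearer
10.0.0.9 - - [12/Mar/2025:10:02:11 +0000] "GET /api/v1/orders/1001/invoice HTTP/1.1" 200 2048 auth=bearer
203.0.113.7 - - [12/Mar/2025:10:03:00 +0000] "GET /internal/export/customers HTTP/1.1" 200 90211 auth=none
203.0.113.7 - - [12/Mar/2025:10:03:01 +0000] "GET /internal/export/customers?page=2 HTTP/1.1" 200 90188 auth=none
10.0.0.5 - - [12/Mar/2025:10:04:00 +0000] "DELETE /api/v1/users/7 HTTP/1.1" 403 0 auth=bearer
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ auth=(?P<auth>\w+)'
)

# Path segments that look like identifiers (integers, UUIDs, long hex
# strings) collapse to {id}, so /users/42 and /users/43 share one template.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{16,})$",
    re.IGNORECASE,
)


def normalise(path: str) -> str:
    """Drop the query string and replace identifier-like segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def parse_log_line(line: str):
    """Return method/template/status/auth for one line, or None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "method": m["method"],
        "template": normalise(m["path"]),
        "status": int(m["status"]),
        "auth": m["auth"],
    }


def find_shadow_endpoints(log_text: str, documented) -> dict:
    """Return {(method, template): {"hits": n, "unauth_2xx": n}} for every
    observed endpoint that is absent from the documented inventory."""
    seen = defaultdict(lambda: {"hits": 0, "unauth_2xx": 0})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["method"], rec["template"])
        if key in documented:
            continue
        stats = seen[key]
        stats["hits"] += 1
        # Undocumented AND serving success to unauthenticated callers:
        # the combination that turns a blind spot into an open door.
        if rec["auth"] == "none" and 200 <= rec["status"] < 300:
            stats["unauth_2xx"] += 1
    return dict(seen)


def severity(stats: dict) -> str:
    """Triage hint: open shadow endpoints go first, the rest need review."""
    if stats["unauth_2xx"]:
        return "CRITICAL (serves unauthenticated requests)"
    return "REVIEW (undocumented)"


if __name__ == "__main__":
    shadow = find_shadow_endpoints(SAMPLE_LOGS, DOCUMENTED)
    for (method, template), stats in sorted(
        shadow.items(), key=lambda kv: -kv[1]["unauth_2xx"]
    ):
        print(f"{severity(stats):45} {method:6} {template}  hits={stats['hits']}")
```

On the sample data this reports three shadow endpoints: `GET /internal/export/customers` (critical, two unauthenticated 2xx responses, so the query-string variant correctly folds into the same template), `GET /api/v1/orders/{id}/invoice` (undocumented but authenticated), and `DELETE /api/v1/users/{id}` (a method the inventory never declared, even though it was refused with 403). The path normalisation is a heuristic; in practice, feed it the path templates from your OpenAPI specs and the method/path/status/auth fields your gateway or WAF actually emits, and treat every new row in the output as a candidate for the inventory review described above.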

By practising these measures, enterprises can bring rogue APIs to light and improve security architecture.

Final Thoughts

Shadow APIs have quickly emerged as a critical threat in the SaaS-centric world. They usually stem from the rapid adoption of third-party apps, poor visibility, and a lack of security controls. They expand the attack surface available to attackers and harbour unpatched vulnerabilities, leading to high-profile data breaches, exposure of sensitive data, and compliance fines.

It's a nightmare scenario for developers and CISOs, but the good news is that they are waking up to the challenge. From establishing a robust API inventory to using API discovery tools and implementing zero-trust policies, organisations can regain control over their APIs and mitigate the risks that jeopardise their integrity.