Cloud providers such as AWS, Azure & GCP have introduced the notion of serverless services, which allow developers to build applications at scale with less infrastructure complexity. Developers can publish services within minutes without thinking about resource & infrastructure allocation. These new applications often have API services.
If not done right, the ephemeral nature of such serverless applications often results in them going undetected. This leads to the creation of Shadow APIs. There are many other scenarios that could lead to the introduction of Shadow APIs in your org.
Fundamentally, Shadow APIs are services that your company uses but that are not, or cannot be, tracked for one reason or another. You may not even know they ever existed!
The threat shadow APIs pose!
The biggest problem with shadow APIs is the very fact that they are unknown! They could fail at any time to meet your org’s compliance standards, & even put your users’ data at risk, all without your knowledge! There are many examples, such as Panera Bread & Uber, where simple specification validation may have avoided significant security incidents!
How to detect shadow APIs?
The first step in avoiding shadow APIs is to discover the ones in your org! The goal is to increase visibility into your API reliance across the entire development & product organisation.
API discovery done right can help align both technical & non-technical stakeholders so that everyone has better insight into the state of API usage within an organisation, thus avoiding the perils of shadow APIs!
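One way to start on discovery is to compare the endpoints that actually receive traffic with the ones your org has documented. The sketch below is an added example, not part of the original article: the log format, the inventory and the rule for spotting resource ids are all assumptions, and the sample data is constructed.

```python
import re
from collections import Counter

# Constructed inventory: (method, path template) pairs, as an API spec would list them.
INVENTORY = {
    ("GET", "/v1/orders"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
    ("GET", "/v1/users/{id}"),
}

# Constructed gateway access-log lines in an assumed "<method> <path> <status>" format.
SAMPLE_LOG = """\
GET /v1/orders 200
GET /v1/orders/1042 200
POST /v1/orders 201
GET /v1/users/7f3c2a10-9b1e-4c55-8d2a-0e6f1b2c3d4e 200
GET /v1/users/export?format=csv 200
GET /internal/debug/config 200
POST /v2/payments/refund 500
GET /v1/orders/9 404
GET /internal/debug/config 200
""".splitlines()

# A path segment that is a number or a UUID is treated as a resource id.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")

def normalize(path):
    """Drop the query string and replace id-like segments with {id}."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))

def find_shadow_endpoints(log_lines, inventory):
    """Return {(method, template): hits} for answered endpoints missing from the inventory."""
    seen = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing their meaning
        method, path, status = parts
        if status == "404":
            continue  # nothing answered here; skipping keeps scanner noise out
        seen[(method.upper(), normalize(path))] += 1
    return {ep: hits for ep, hits in seen.items() if ep not in inventory}

if __name__ == "__main__":
    for (method, path), hits in sorted(find_shadow_endpoints(SAMPLE_LOG, INVENTORY).items()):
        print(f"undocumented: {method} {path} ({hits} hits)")
```

Anything the function returns is a candidate for review rather than a verdict: it may be a shadow API, or simply a documented service whose spec has fallen behind.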