Shadow APIs are unmanaged third-party APIs that introduce serious risk to the organizations using them.
After reading this article you will be able to:
Copy article link
A ‘shadow’ API refers to any third-party application programming interface (APIs) that has not been managed or secured by the organization using it. Often, shadow APIs are introduced by developers and other users within an organization, either during the application development process or to run other business functions.
Shadow APIs are not necessarily APIs that are used for malicious purposes. However, because they are not under the control of an organization’s IT and security teams, they are impossible to secure against new vulnerabilities and attacks.
Although shadow APIs are not inherently malicious, they can introduce a fair amount of risk. An organization’s IT and security teams are responsible for enforcing and improving API security standards — but they can only protect the APIs and endpoints that they can see. If there is a dependency these teams are unaware of, they cannot track potential data exposure, ensure compliance, or block attacks.
Some of the most common risks introduced by shadow APIs include the following:
API discovery is the process of cataloging all internal and third-party APIs used within an organization. Because APIs fulfill such a wide range of purposes — from augmenting application development to connecting microservices and other external functions — it is not uncommon for organizations to rely on dozens, if not hundreds (or thousands) of them.
With API discovery, organizations can not only streamline their application development, but also uncover potential shadow APIs that have not been properly inventoried or secured. For this reason, API discovery is a crucial first step in improving and implementing API security practices.
A shadow API is an unmanaged third-party API that is actively being used. By contrast, a zombie API is an API that has been deprecated or abandoned. Unlike shadow APIs, zombie APIs may already be identified and managed by an organization, but they are not actively being used.
Both shadow APIs and zombie APIs present serious risk to the organizations that interact with them, as they are typically left unsecured and may become compromised or used to carry out attacks.
Cloudflare API Gateway includes an API discovery feature that automatically discovers, monitors, and secures all API endpoints. Incoming requests are validated against an OpenAPI schema, which is used to block nonconforming requests and help enforce a positive security model. Learn more about how Cloudflare API discovery works.
About web application security
Learning Center navigation