What is a shadow API?

Shadow APIs are unmanaged APIs that introduce serious risk to the organizations using them.

Learning Objectives

After reading this article you will be able to:

  • Define ‘shadow API’
  • Explain why shadow APIs are dangerous
  • Contrast shadow APIs vs. zombie APIs


What is a shadow API?

A ‘shadow’ API refers to any application programming interface (API) that has not been managed or secured by the organization using it. Often, shadow APIs are introduced by developers and other users within an organization, either during the application development process or to run other business functions.

Shadow APIs are not necessarily used for malicious purposes. However, because they sit outside the control of an organization’s IT and security teams, those teams cannot secure them against new vulnerabilities and attacks.

Why are shadow APIs dangerous?

Although shadow APIs are not inherently malicious, they can introduce a fair amount of risk. An organization’s IT and security teams are responsible for enforcing and improving API security standards — but they can only protect the APIs and endpoints that they can see. If there is a dependency these teams are unaware of, they cannot track potential data exposure, ensure compliance, or block attacks.

Some of the most common risks introduced by shadow APIs include the following:

  • Data exposure: Shadow APIs may have access to sensitive data. If those APIs are compromised or attacked, this can result in data exposure or theft.
  • Lateral movement: Shadow APIs may provide entry points for attackers to access sensitive systems and accounts. Once they have infiltrated an organization’s environment, they may steal confidential information or use this access to launch further attacks.
  • Unpatched vulnerabilities: Organizations cannot patch new API vulnerabilities in APIs that they do not already monitor and manage. Even if shadow APIs are already secured against basic API attacks and risks (like those on the OWASP API Security Top 10), new exploits may create entry points for attackers.
  • Noncompliance: Many organizations are subject to data privacy laws (e.g. the GDPR or CCPA). Shadow APIs may allow developers or other users to handle data in ways that are noncompliant with these regulations, resulting in fines or other serious penalties.

What is API discovery?

API discovery is the process of cataloging all internal and third-party APIs used within an organization. Because APIs fulfill such a wide range of purposes — from augmenting application development to connecting microservices and other external functions — it is not uncommon for organizations to rely on dozens, if not hundreds (or thousands) of them.

With API discovery, organizations can not only streamline their application development, but also uncover potential shadow APIs that have not been properly inventoried or secured. For this reason, API discovery is a crucial first step in improving and implementing API security practices.

Shadow APIs vs. zombie APIs

A shadow API is an unmanaged API that is actively being used. By contrast, a zombie API is an API that has been deprecated or abandoned. Unlike shadow APIs, zombie APIs may already be identified and managed by an organization, but they are not actively being used.

Both shadow APIs and zombie APIs present serious risk to the organizations that interact with them, as they are typically left unsecured and may become compromised or used to carry out attacks.
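The discovery and classification described in the two sections above can be reduced to a reconciliation: compare the endpoints that are actually receiving traffic with the endpoints the organization has in its managed inventory. The following is an added example, not code from the article or from Cloudflare. It assumes a managed inventory in OpenAPI "paths" form (MANAGED_SPEC) and a gateway access log in common log format (ACCESS_LOG), both constructed here; the identifier-collapsing rule in normalize_path and the (method, path) classification are design choices of the example. Endpoints with traffic but no inventory entry are reported as shadow; inventory entries with no traffic in the log window are reported only as zombie candidates, because one quiet window is not proof of abandonment.

```python
import re
from collections import Counter

# Constructed managed-API inventory in OpenAPI "paths" form: the endpoints the
# organization knows about and secures. An assumption for this example.
MANAGED_SPEC = {
    "paths": {
        "/v1/users/{id}": {"get": {}, "delete": {}},
        "/v1/orders": {"get": {}, "post": {}},
        "/v1/legacy/export": {"get": {}},
    }
}

# Constructed gateway access log (common log format) covering the observation window.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /v1/users/7/export?format=csv HTTP/1.1" 200 9031
10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2210
10.0.0.5 - - [10/Oct/2023:13:57:12 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.3 - - [10/Oct/2023:13:57:30 +0000] "GET /v1/orders HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Path segments that look like record identifiers (integers or UUIDs).
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def normalize_path(path):
    """Collapse concrete identifiers into an OpenAPI-style {id} placeholder so that
    /v1/users/42 and /v1/users/7 cluster into one endpoint; drop the query string."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def spec_endpoints(spec):
    """(METHOD, template) pairs declared in the managed inventory."""
    return {(method.upper(), template) for template, ops in spec["paths"].items() for method in ops}


def observed_endpoints(log_text):
    """Count requests per (METHOD, normalized path) seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines that do not parse rather than abort the report
            counts[(m["method"], normalize_path(m["path"]))] += 1
    return counts


def classify(spec, log_text):
    """Split endpoints into shadow (traffic but no inventory entry) and zombie
    candidates (inventory entry but no traffic in the window)."""
    managed = spec_endpoints(spec)
    observed = observed_endpoints(log_text)
    shadow = {ep: n for ep, n in observed.items() if ep not in managed}
    zombie = managed - set(observed)
    return shadow, zombie


def report(spec, log_text):
    """Human-readable discovery report, most-hit shadow endpoints first."""
    shadow, zombie = classify(spec, log_text)
    lines = [f"SHADOW  {m} {p}  ({n} requests)" for (m, p), n in sorted(shadow.items(), key=lambda kv: -kv[1])]
    lines += [f"ZOMBIE? {m} {p}  (no traffic in window)" for m, p in sorted(zombie)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(MANAGED_SPEC, ACCESS_LOG)))
```

Run against the constructed log, the report flags GET /v1/users/{id}/export and GET /internal/debug/config as shadow endpoints (traffic with no inventory entry) and lists DELETE /v1/users/{id} and GET /v1/legacy/export as zombie candidates. In practice the observation window should be long enough to cover infrequent but legitimate callers, and a zombie candidate should be confirmed with its owner before it is retired.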

How does Cloudflare protect against shadow APIs?

Cloudflare API Gateway includes an API discovery feature that automatically discovers, monitors, and secures all API endpoints. Incoming requests are validated against an OpenAPI schema, which is used to block nonconforming requests and help enforce a positive security model. Learn more about how Cloudflare API discovery works.
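To make the positive security model concrete: a request is allowed only if its path, method, parameters and body all match what the OpenAPI schema declares, and everything undeclared is rejected. The following is an added example and is not Cloudflare's implementation; it assumes a small constructed OpenAPI 3 fragment (OPENAPI) and supports only the subset of keywords it uses (type, required, minimum, maximum, pattern, additionalProperties). Path and query values arrive as strings, so they are coerced to the declared numeric type before range checks, while JSON body values are checked as typed.

```python
import json
import re

# Constructed OpenAPI 3 fragment used as the positive model; an assumption for this example.
OPENAPI = {
    "paths": {
        "/v1/orders": {
            "get": {"parameters": [{"name": "limit", "in": "query", "schema": {"type": "integer", "minimum": 1, "maximum": 100}}]},
            "post": {"requestBody": {"required": True, "content": {"application/json": {"schema": {
                "type": "object",
                "required": ["sku", "quantity"],
                "properties": {
                    "sku": {"type": "string", "pattern": "^[A-Z0-9-]{4,16}$"},
                    "quantity": {"type": "integer", "minimum": 1, "maximum": 100}},
                "additionalProperties": False}}}}},
        },
        "/v1/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}]},
        },
    }
}

TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
}


def template_to_regex(template):
    """Turn a path template such as /v1/users/{id} into an anchored regex with named groups."""
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")


def match_operation(spec, method, path):
    """Return (template, operation, path_params); template None = unknown path, operation None = unknown method."""
    for template, ops in spec["paths"].items():
        m = template_to_regex(template).match(path)
        if m:
            return template, ops.get(method.lower()), m.groupdict()
    return None, None, {}


def check_scalar(schema, value, loc, coerce=False):
    """Validate one scalar; coerce=True converts string path/query values to the declared integer type."""
    t = schema.get("type")
    if coerce and t == "integer":
        try:
            value = int(value)
        except (TypeError, ValueError):
            return [f"{loc}: expected integer"]
    if t in TYPE_CHECKS and not TYPE_CHECKS[t](value):
        return [f"{loc}: expected {t}"]
    errs = []
    if "minimum" in schema and value < schema["minimum"]:
        errs.append(f"{loc}: below minimum {schema['minimum']}")
    if "maximum" in schema and value > schema["maximum"]:
        errs.append(f"{loc}: above maximum {schema['maximum']}")
    if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
        errs.append(f"{loc}: does not match pattern")
    return errs


def check_object(schema, obj, loc):
    """Validate a JSON object: required keys, declared property types, no unknown keys."""
    if not isinstance(obj, dict):
        return [f"{loc}: expected object"]
    errs = [f"{loc}.{k}: required property missing" for k in schema.get("required", []) if k not in obj]
    props = schema.get("properties", {})
    for key, value in obj.items():
        if key in props:
            errs += check_scalar(props[key], value, f"{loc}.{key}")
        elif schema.get("additionalProperties", True) is False:
            errs.append(f"{loc}.{key}: property not in schema")  # positive model: undeclared fields are rejected
    return errs


def validate_request(spec, method, path, query=None, body=None, content_type=None):
    """Return the list of schema violations; an empty list means the request may be forwarded."""
    query = query or {}
    template, op, path_params = match_operation(spec, method, path)
    if template is None:
        return [f"{method} {path}: path not in schema"]
    if op is None:
        return [f"{method} {path}: method not declared for {template}"]
    errs, declared_query = [], set()
    for p in op.get("parameters", []):
        source = path_params if p["in"] == "path" else query
        if p["in"] == "query":
            declared_query.add(p["name"])
        if p["name"] not in source:
            if p.get("required"):
                errs.append(f"{p['in']}.{p['name']}: required parameter missing")
            continue
        errs += check_scalar(p["schema"], source[p["name"]], f"{p['in']}.{p['name']}", coerce=True)
    errs += [f"query.{q}: parameter not in schema" for q in query if q not in declared_query]
    rb = op.get("requestBody")
    if rb and body is None:
        if rb.get("required"):
            errs.append("body: required body missing")
    elif rb and content_type not in rb["content"]:
        errs.append(f"body: unsupported content type {content_type}")
    elif rb:
        try:
            errs += check_object(rb["content"][content_type]["schema"], json.loads(body), "body")
        except ValueError:
            errs.append("body: malformed JSON")
    return errs
```

With this model a request to an endpoint that is absent from the schema, such as a shadow endpoint, fails at the first check regardless of how well-formed it is, which is why keeping the schema current through discovery and the enforcement step go together: anything the schema does not know about is blocked, not silently passed through.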