The 1954 novel “I Am Legend” is widely credited with shaping the modern zombie and vampire genres. It follows Robert Neville, who believes he is the sole survivor of a pandemic that has turned everyone else into vampire-like creatures that behave much like what we now call zombies. One notable aspect of the story is that the disease has a scientific explanation and, potentially, a cure. That pairing of monsters and method maps surprisingly well onto APIs, where two kinds of dangerous endpoints deserve the same treatment: zombies and shadows.
A zombie API is an API an organization has abandoned: still deployed and reachable, but no longer maintained, monitored, or owned by anyone (a typical case is an old version left running after its replacement shipped). A shadow (also called a rogue) API is one that was built inside the organization but never documented or formally recognized. Their origins differ, but they share the same root problem for security, compliance, and privacy: neither appears in the official inventory, so neither is routinely patched, hardened, or decommissioned. Anything that is not tracked is not protected, and that is where the exposure comes from.
How severe the risk is depends on how each API is used and where it is exposed. Internal and test APIs are generally harder to reach from outside the network. But an internal shadow API planted by a malicious actor, giving them persistent and unrestricted internal access, is a far greater threat than a public-facing zombie API that no attacker has found yet. In a recent survey, most respondents ranked zombie APIs as their top concern, with 54% reporting a high level of concern; shadow APIs rated lower, which may reflect differences in organizational risk appetite rather than any inherent ordering of the two.
One way to teach why the Secure Software Development Lifecycle (SSDL) matters during API development, and how it reduces the risk of zombie and shadow APIs, is gamification. The “Choose Your Own Adventure” series and the similarly styled “Pick Your Path” books offer an interactive, engaging model for walking developers through the SSDL guidelines. An example scenario could follow a developer on a critical project: an application that helps defend against a zombie apocalypse. By following the SSDL, the developer greatly reduces the chance that the code ships with weaknesses an attacker could exploit.
The scenario unfolds in chapters, each presenting the developer with a choice. If the developer reads the SSDL guidelines before writing code, the next chapter stresses the need to keep monitoring that code for vulnerabilities after it ships. If the developer ignores the SSDL and takes shortcuts, the story moves to a chapter in which the code is attacked. The narrative spells out the consequences of that negligence and then gives the developer a chance to go back and correct the mistake.
Another crucial aspect of securing APIs is thorough testing. Much as crash tests establish whether a vehicle is safe, API testing is how vulnerabilities are found before an attacker finds them. Testing will never cover every possible scenario, but some testing is far better than none. What must be avoided is a myopic approach: a test suite that exercises only the documented specification, for example, will never touch a shadow endpoint, so the testing process has to keep improving along with the API surface. Kaizen, the practice of continuous improvement, applies well to API design, development, and testing: it keeps surfacing areas for enhancement so that testing stays a proactive, effective means of reducing risk.
Lastly, organizations must conduct comprehensive inventory assessments to find forgotten or unrecognized APIs. In practice this means comparing what is documented (specifications, gateway routes, service catalogs) against what is actually deployed and what the gateways, logs, and traffic show being served; the gaps in either direction are the zombies and shadows. The process is akin to mining for gold: it takes real resources and effort, but the payoff is invaluable in protecting customer data and the organization’s reputation. Knowing which APIs exist is what makes it possible to secure, manage, and retire them, and so to minimize the risk.
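The definitions above and this inventory step come down to one reconciliation: documented routes versus observed traffic. The script below is an added example, not code from the original article or from any product it might be describing. It reconciles a constructed OpenAPI-style inventory against constructed gateway access-log lines and flags shadow endpoints (served requests with no documented path or method) and zombie candidates (documented routes that are deprecated yet still served, receive no traffic in the window, or have no owner). The inventory layout, the log line format, and every path and team name in it are assumptions made for the example.

```python
"""Reconcile a documented API inventory against observed gateway traffic.

Added example (not from the original article). Both the inventory and the
access-log lines below are constructed for illustration; the field layout
is an assumption, not any particular gateway's format.
"""
import re
from collections import defaultdict

# Constructed "official inventory" in the spirit of an OpenAPI path list:
# path template -> documented methods, owning team, deprecation flag.
INVENTORY = {
    "/v2/users/{id}":     {"methods": {"GET", "DELETE"}, "owner": "identity", "deprecated": False},
    "/v2/orders":         {"methods": {"GET", "POST"},   "owner": "commerce", "deprecated": False},
    "/v1/users/{id}":     {"methods": {"GET"},           "owner": "identity", "deprecated": True},
    "/v1/reports/export": {"methods": {"GET"},           "owner": None,       "deprecated": False},
}

# Constructed access log: "<timestamp> <method> <path> <status>" per line.
ACCESS_LOG = """\
2024-03-01T10:00:00Z GET /v2/users/42 200
2024-03-01T10:00:05Z POST /v2/orders 201
2024-03-01T10:00:09Z GET /v2/orders?page=2 200
2024-03-01T10:01:00Z GET /v1/users/42 200
2024-03-01T10:02:00Z GET /internal/debug/dump 200
2024-03-01T10:02:30Z POST /v2/users/42/impersonate 200
2024-03-01T10:03:00Z DELETE /v2/orders 204
2024-03-01T10:03:30Z GET /wp-admin 404
"""


def template_to_regex(template: str) -> re.Pattern:
    """Turn '/v2/users/{id}' into a regex; each {param} matches one segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def parse_log(text: str):
    """Yield (method, path-without-query, status) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, method, path, status = line.split()
        yield method, path.split("?", 1)[0], int(status)


def reconcile(inventory: dict, log_text: str) -> dict:
    """Classify traffic and inventory entries into shadow and zombie findings.

    shadow: successfully served requests with no documented (template, method)
    zombie: documented routes that are deprecated yet still served, received
            no traffic in the window, or have no owner.
    """
    compiled = {t: template_to_regex(t) for t in inventory}
    shadow = defaultdict(int)   # (method, raw path) -> number of served requests
    observed = set()            # documented templates that saw traffic

    for method, path, status in parse_log(log_text):
        if status >= 400:
            # Rejected or failed: a 404 on an unknown path is a probe, not a live API.
            continue
        match = next((t for t, rx in compiled.items() if rx.match(path)), None)
        if match is None or method not in inventory[match]["methods"]:
            shadow[(method, path)] += 1
        else:
            observed.add(match)

    zombie = {"deprecated_still_served": [], "no_traffic": [], "no_owner": []}
    for template, meta in inventory.items():
        if meta["deprecated"] and template in observed:
            zombie["deprecated_still_served"].append(template)
        if not meta["deprecated"] and template not in observed:
            zombie["no_traffic"].append(template)
        if meta["owner"] is None:
            zombie["no_owner"].append(template)

    return {"shadow": dict(shadow), "zombie": zombie}


if __name__ == "__main__":
    report = reconcile(INVENTORY, ACCESS_LOG)
    for (method, path), n in report["shadow"].items():
        print(f"SHADOW  {method:6} {path}  ({n} served)")
    for kind, routes in report["zombie"].items():
        for route in routes:
            print(f"ZOMBIE  {kind:24} {route}")
```

Run against the constructed data, the report flags `/internal/debug/dump` and `/v2/users/42/impersonate` as shadow endpoints (no documented path), `DELETE /v2/orders` as an undocumented method on a documented route, the deprecated `/v1/users/{id}` as a zombie that is still serving traffic, and `/v1/reports/export` as both ownerless and unused. Two caveats matter when doing this for real: the inventory should be pulled from every source of truth you have (specs, gateway route tables, cloud API resources), and a "no traffic" finding over one log window is a decommission candidate to confirm with the owner, not proof that the route is dead.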
In conclusion, just as “I Am Legend” gave its zombies and vampires a scientific explanation and a possible cure, the world of APIs has its own zombies and shadows, and they too can be explained and dealt with. Understanding the risk these neglected or unrecognized APIs pose is essential to security, compliance, and privacy. By following the Secure Software Development Lifecycle, applying continuous improvement (Kaizen) to testing, and conducting thorough inventory assessments, organizations can effectively combat the threats presented by zombie and shadow APIs.

