Page 152 - Cyber Defense eMagazine September 2025

According to Gartner, most enterprise data breaches will be caused by APIs by 2025. If you believe this to be a theoretical risk, consider the recent high-profile breaches at Peloton and T-Mobile, both of which involved unprotected APIs exposing sensitive customer data.

            The conclusion is straightforward: you cannot secure your APIs if you do not know all of them.

APIs have become the connective tissue of modern applications. From mobile apps to cloud-native microservices, APIs now handle the majority of data exchange across enterprise environments. The convenience is undeniable: APIs enable agility, faster development cycles, and integration at scale.


But this agility comes with a hidden cost: the proliferation of shadow APIs, that is, undocumented, unmonitored, or forgotten endpoints that slip outside the governance of DevSecOps pipelines.

            Unlike a known vulnerability in a published API, shadow APIs don’t show up in inventories, vulnerability
            scans, or compliance audits. They are invisible doors attackers love to exploit. And the trend is only
            accelerating.

            Gartner predicts that by 2025, APIs will account for the majority of enterprise data breaches. If you think
            this is a theoretical risk, consider the recent high-profile breaches at T-Mobile and Peloton, both of which
            involved unprotected APIs exposing sensitive customer data.

            The takeaway is simple: if you don’t know all your APIs, you can’t secure them.



            Shadow APIs: What Are They?

Shadow APIs are not created with malicious intent; they arise naturally from the pace of contemporary development:

   •  Forgotten Test/Dev Endpoints: A developer spins up an endpoint for debugging, and it is never taken down after the feature is released.
   •  Unmonitored Legacy APIs: Older APIs that were never incorporated into the company's current API management layer.
   •  Microservice Sprawl: As serverless and container-based architectures become more common, services expose APIs that are frequently missed in documentation.
   •  Third-Party Integrations: APIs introduced by outside vendors or SaaS products have the potential to bypass enterprise controls.

            Shadow APIs can be compared to a building's abandoned doors; some may be locked, but others are
            left ajar.
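The practical consequence of the categories above is that the only reliable way to find such endpoints is to compare what traffic actually hits against what the inventory says exists. The following is an added example, not code from the article: it reconciles constructed gateway access-log lines against a constructed OpenAPI-style route inventory and reports every (method, path) pair seen in traffic but absent from the inventory. The log format, route set and id-normalisation rule are assumptions.

```python
import re
from collections import Counter

# Constructed inventory: the routes the gateway / OpenAPI spec knows about.
# Path parameters are written in {braces}, as in OpenAPI.
INVENTORY = {
    ("GET", "/api/v2/users/{id}"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/{id}"),
}

# Constructed access-log lines in an assumed "METHOD PATH STATUS" gateway format.
ACCESS_LOG = """\
GET /api/v2/users/1842 200
GET /api/v2/users/1843 200
POST /api/v2/orders 201
GET /api/v1/users/1842/export 200
GET /api/v1/users/77/export 200
GET /internal/debug/ping 200
GET /api/v2/orders/9f1c2b3a-aa11-4c2e-9d7e-0c3b1f8a2e55 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Segments that look like identifiers: integers or UUIDs (assumed convention).
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$")


def normalize(path: str) -> str:
    """Collapse id-looking path segments into {id} so log paths match the inventory."""
    segs = [("{id}" if ID_SEGMENT.match(s) else s) for s in path.split("?")[0].split("/")]
    return "/".join(segs)


def observed_endpoints(log_text: str) -> Counter:
    """Count (method, normalized path) pairs seen in traffic, skipping unparsable lines."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            seen[(m["method"], normalize(m["path"]))] += 1
    return seen


def find_shadow_apis(log_text: str, inventory=INVENTORY) -> dict:
    """Return observed endpoints that are absent from the inventory, with request counts."""
    return {ep: n for ep, n in observed_endpoints(log_text).items() if ep not in inventory}


if __name__ == "__main__":
    for (method, path), hits in sorted(find_shadow_apis(ACCESS_LOG).items()):
        print(f"SHADOW  {method:5} {path}  ({hits} requests)")
```

Run against real gateway or load-balancer logs, the same reconciliation surfaces the forgotten legacy version (`/api/v1/...`) and debug endpoints the article describes, which can then be retired or brought under the API management layer.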
