Page 154 - Cyber Defense eMagazine September 2025
P. 154
• Siloed Teams: No API inventory is shared by developers, security, and operations.
• Cloud-Native Complexity: APIs are dynamically exposed by ephemeral services in Kubernetes
clusters.
The irony? Modern software has blind spots because of the very techniques that make it quick and
flexible.
The Developer's Guide: How to Get Rid of Shadow APIs
Shifting API security to the left and integrating visibility into the DevSecOps pipeline are necessary to
handle shadow APIs. This is a useful road map:
1. API Inventory & Discovery
o To find undocumented endpoints, use automated discovery tools (such as Salt Security,
Noname, Traceable, and 42Crunch) to scan traffic.
o As part of pull requests, require OpenAPI/Swagger specs for every API.
o Maintain a centralized API catalog that the development, security, and operations teams
can access.
2. Include API Security in CI/CD tools for embedding linting that checks API schemas prior to
merging.
o Execute API security tests in pipelines, such as checking for missing rate limiting and
broken auth.
o Deployments without the appropriate API documentation are automatically rejected.
3. Visibility at Runtime
o Install API traffic analyzers at points of entry (API gateway, service mesh such as Istio, or
Kubernetes Ingress).
o Signal APIs that get around gateways.
o Even for internal APIs, use rate limits, schema validation, and JWT verification.
4. Legacy API Management
o Examine current APIs and categorize them as secure, refactor, or retire.
o For APIs that cannot be modernized right away, develop compensating controls (MFA, IP
restrictions).
5. Change Culture, Not Just Equipment
o Document, test, and monitor APIs just like you would production code.
o Assign ownership of the API to each product team. Encourage developers to shut down
endpoints that aren't being used.
Cyber Defense eMagazine – September 2025 Edition 154
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.
