The Solution to Shadow APIs

December 13, 2022
Written by
Seif Hateb
Reviewed by
Matt Coser
Chad Fryer
Paul Kamp


In a previous article, we talked about the top API security flaws and mitigations, and asset management was one of them. Gaining visibility on your assets should be your top priority, and by enhancing the visibility of your software inventory, you gain a greater understanding of what components are being used where, what applications might be vulnerable, and what you need to secure.

In this post, we will go over one of the top risks in API security related to asset management and resource visibility. It’s the ghost, the myth, the legend of Shadow APIs.

You should be scared of "Shadow APIs"

Shadow APIs are all the APIs your business is using but not tracking. This lack of visibility includes the data these APIs are sending and receiving, the services they’re interacting with, and all the potential flaws that come with any third-party component.

The risks of Shadow APIs

Organizations that fail to track, monitor, and protect these shadow APIs and their security flaws are exposing themselves to unnecessary data loss, financial damage, and reputational risk. Not having visibility into shadow APIs increases the risk of:

  • Reliability issues due to the dependency on shadow APIs;
  • Operational cost increases due to the unpredictable aspects related to the use of third-party components that are neither inventoried nor managed;
  • Business non-compliance with standards and regulations;
  • Inherent risks that might cause you security incidents.

Security recommendations

Now that you understand what Shadow APIs are and some of the problems they pose, you must expand your visibility into them and manage any hazards they pose. In the next part, I'll teach you how to discover Shadow APIs and, after you've identified them, reduce the threats they bring.

How can you identify Shadow APIs?

These are the most common techniques for discovering APIs that will give you the visibility you need to mitigate the risks related to shadow APIs.

  • Monitoring Traffic: For this type of monitoring, connecting with API gateways simplifies setup and eliminates security risks from duplicating monitoring functionality across apps. But it has some downsides, such as performance impacts and the need to be set up across all enterprise applications and services.
  • Proxying: API proxies redirect all API requests to their service. They track requests and responses while cataloging APIs. One limitation of this method is that the data cataloged may be out-of-date since it will only reflect requests from whatever APIs you are using.
  • Reviewing Logs: Since most organizations have logging systems in place, exploring your logs is a great place to start gaining visibility into your API usage. However, log reviews are most effective when you have the full payloads stored, which introduces a significant cost increase compared to storing security logs.
  • Scanning Code: Scanning your source code is an effective way of identifying the APIs used by your applications, but it will depend on the tools you have and their ability to scan different programming languages.

Mitigate the risk of Shadow APIs

Now that you have a good overview of Shadow API risks and how to identify the APIs you are using, let's go over the list of actions you can undertake to effectively manage shadow APIs and mitigate the risks that come with them:

  • Create the policies, standards, and procedures that define how APIs are developed, documented, used, and managed
  • Monitor your API traffic by integrating with the API gateways and using proxies
  • Centrally store your logs and payloads for periodic reviews
  • Set up alerting to detect new API usage and define the mitigation procedures that follow
  • Follow the security standards and best practices, like the OWASP® API Security Top 10
  • Retire any unused APIs to reduce your attack surface
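
The log-review technique and the alerting action above can be combined into one check: compare every endpoint seen in gateway access logs against the documented inventory and report what is missing. The following is an added example, not code from the original article; the inventory, the log lines, the log format, and the function names are constructed assumptions.

```python
import re
from collections import Counter

# Documented inventory (constructed): HTTP method + path template
INVENTORY = {
    ("GET", "/v1/users/{id}"),
    ("POST", "/v1/users"),
    ("GET", "/v1/orders/{id}"),
}

# Constructed sample gateway access-log lines (common log format assumed)
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2022:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
203.0.113.7 - - [13/Dec/2022:10:00:02 +0000] "POST /v1/users HTTP/1.1" 201 128
198.51.100.9 - - [13/Dec/2022:10:00:05 +0000] "GET /v1/orders/9f1c2d3e-0000-4000-8000-123456789abc?expand=items HTTP/1.1" 200 2048
198.51.100.9 - - [13/Dec/2022:10:00:09 +0000] "GET /internal/export/7 HTTP/1.1" 200 90211
198.51.100.9 - - [13/Dec/2022:10:00:12 +0000] "GET /internal/export/8 HTTP/1.1" 200 90400
203.0.113.7 - - [13/Dec/2022:10:00:15 +0000] "DELETE /v1/users/42 HTTP/1.1" 204 0
192.0.2.50 - - [13/Dec/2022:10:00:20 +0000] "GET /v2/reports HTTP/1.1" 404 0
malformed line without a request
"""

REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')
ID_RE = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

def normalize(path):
    """Drop the query string and collapse numeric/UUID segments to {id}."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return "/".join("{id}" if ID_RE.match(seg) else seg for seg in path.split("/"))

def find_shadow_endpoints(log_text, inventory):
    """Return a Counter of (method, template) pairs seen in the log but not inventoried."""
    shadow = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        method, raw_path, status = m.groups()
        if status == "404":
            continue  # assumption: a 404 means no route is served there
        endpoint = (method, normalize(raw_path))
        if endpoint not in inventory:
            shadow[endpoint] += 1
    return shadow

if __name__ == "__main__":
    for (method, template), hits in find_shadow_endpoints(SAMPLE_LOG, INVENTORY).most_common():
        print(f"ALERT undocumented endpoint: {method} {template} ({hits} requests)")
```

Matching on the method as well as the path matters: in the sample, `DELETE /v1/users/{id}` is flagged even though the `GET` on the same path is documented.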


Following the best practices when creating, using, securing, and managing APIs is the foundational technical aspect to focus on, but culture and behavior are as important as technology.

Building good habits into your SDLC and DevOps processes is the key success factor, which, when combined with continuous monitoring, will help win the fight against shadow APIs.  


Don’t forget to check our API Security Guide and OWASP API Security Top 10 Summary.

Seif Hateb is a Security Professional working as a Principal Security Engineer at Twilio. He has more than a decade of Security experience, with success in guiding the design, testing, and implementation of leading-edge technologies and solutions while balancing security initiatives to risks, business operations, and innovations.

His specialties include Security Architecture, Cryptography, Data Protection, System Hardening and Security Assessment with extensive experience in the Telecommunications and Healthcare industries. Find him on LinkedIn and Twitter.