SmartBear announced its acquisition of QMetry, provider of an AI-enabled digital quality platform designed to scale software quality.
While most may be scared of goblins and ghouls this Halloween, the real threat to enterprise organizations this spooky season are zombie APIs. Though it may be Halloween, developer and security teams are spooked year round by these undetected threats. According to a recent report, approximately 92% of organizations have been impacted by at least one API security-related incident in the past 12 months, while 57% reported experiencing multiple API security incidents in the same time frame. Instead of falling victim to these undead APIs, here are a few reasons why zombie APIs are more dangerous than others and how enterprise organizations can implement best practices to prevent their damage.
What Are Zombie APIs?
In DevSecOps, zombie APIs are endpoints that are supposed to be turned off, but remain active — unbeknownst to developer and security teams. These can be unused endpoints caused by a variety of mistakes ranging from miscommunication between security and developer teams to newer APIs replacing old ones that are then forgotten about. Like zombies, these APIs are supposed to be "dead," but they're not.
What Security Concerns Come with the Presence of Zombie APIs?
Ultimately, the overarching security concern that allows for the existence of zombie APIs is the insufficient communication between developer and security teams about what a zombie API is, whether or not they exist, how to mitigate the damage they cause, and how to prevent them in the future. If organizations don't have smooth lines of communication between the two sides of DevSecOps, one may not be on the same page as the other when it comes to being fully aware of the life cycles or procedures behind deprecating an API.
Another major concern behind zombie APIs is their ability to go undetected and, therefore, untested. Because these APIs are forgotten about, but still remain alive, DevSecOps teams aren't regularly running patching or maintenance processes to ensure they're not exposing an organization's vulnerabilities that are lingering in the shadows. In addition, Zombie APIs are removed from documentation and an organization's API security testing program, leaving them to rot over time and expose new vulnerabilities.
With software applications, developer teams build and deploy a new version of an already existing API, often resulting in the older version becoming a legacy API — one that's still used, but not as much. Often, product teams will want to keep both versions active because someone is still using the legacy API or it's still generating revenue, security teams on the other hand, view this older version with the potential to be forgotten about, creating a zombie API by their subjective definition, and as a result will leave developer teams caught in the middle. The real issue here is security, developer and product teams lacking a unified definition of what a zombie API truly is, which creates internal tension and leaves wide room for human error.
What Can Developer Teams Do to Prevent the Zombie API Plague?
With zombie APIs posing significant threats to enterprise infrastructure and software application security and development, it's important to implement the following best practices to detect the undetected threats they pose:
■ Open communication with developers and security - Engineering and security teams share the responsibility of documenting and deprecating software that's no longer in use. Lack of communication between developers and security experts can cause zombie APIs to go undetected to one or both teams, leaving room for critical vulnerabilities. As a developer, it's most important to maintain constant, open, and effective communication with security teams to ensure all key stakeholders in API security are on the same page in terms of definitions, processes, roles, and responsibilities within an organization.
■ Use self-documenting code - As developers, we know that most documentation, testing, and remediation should be done at the code level and implemented as tests that run against the code before it hits production. By comparison to manual processes that are slow and error-prone, utilizing source code that self-documents every single API allows each API to be accounted for. This means no zombie gets left behind, and as long as security and application testing teams can see APIs documented in code, they can test it for major vulnerabilities.
■ Enforce and communicate clear product retirement procedures - Developer and security teams need to work together to define and agree upon precise product retirement procedures and maintain those policies whenever a product is deemed unnecessary. This will not only ensure all APIs deemed inactive are actually shut off, but also maintain consistency across the board to avoid zombie APIs creeping up.
Ultimately, as long as humans play a role in software application development and security, there will always be room for human error. Until security teams and developers can get on the same page with effective and efficient communication, zombie APIs will continue to be a widespread issue among modern enterprises.
Industry News
Red Hat signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to scale availability of Red Hat open source solutions in AWS Marketplace, building upon the two companies’ long-standing relationship.
CloudZero announced the launch of CloudZero Intelligence — an AI system powering CloudZero Advisor, a free, publicly available tool that uses conversational AI to help businesses accurately predict and optimize the cost of cloud infrastructure.
Opsera has been accepted into the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program, a co-sell program for AWS Partners that provides software solutions that run on or integrate with AWS.
Spectro Cloud is a launch partner for the new Amazon EKS Hybrid Nodes feature debuting at AWS re:Invent 2024.
Couchbase unveiled Capella AI Services to help enterprises address the growing data challenges of AI development and deployment and streamline how they build secure agentic AI applications at scale.
Veracode announced innovations to help developers build secure-by-design software, and security teams reduce risk across their code-to-cloud ecosystem.
Traefik Labs unveiled the Traefik AI Gateway, a centralized cloud-native egress gateway for managing and securing internal applications with external AI services like Large Language Models (LLMs).
Generally available to all customers today, Sumo Logic Mo Copilot, an AI Copilot for DevSecOps, will empower the entire team and drastically reduce response times for critical applications.
iTMethods announced a strategic partnership with CircleCI, a continuous integration and delivery (CI/CD) platform. Together, they will deliver a seamless, end-to-end solution for optimizing software development and delivery processes.
Progress announced the Q4 2024 release of its award-winning Progress® Telerik® and Progress® Kendo UI® component libraries.
Check Point® Software Technologies Ltd. has been recognized as a Leader and Fast Mover in the latest GigaOm Radar Report for Cloud-Native Application Protection Platforms (CNAPPs).
Spectro Cloud, provider of the award-winning Palette Edge™ Kubernetes management platform, announced a new integrated edge in a box solution featuring the Hewlett Packard Enterprise (HPE) ProLiant DL145 Gen11 server to help organizations deploy, secure, and manage demanding applications for diverse edge locations.
Red Hat announced the availability of Red Hat JBoss Enterprise Application Platform (JBoss EAP) 8 on Microsoft Azure.
Launchable by CloudBees is now available on AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).