Serverless, Shadow API, Denial of Wallet Attack

Dav9862

Shadow APIs

GROWTH OF API

The rapid growth of modern applications has led to a dramatic increase in the number of APIs developers are creating. Many of these new APIs are being developed on cloud platforms, leveraging containers as part of microservice architectures. The complexity of microservice architectures requires that developers work closely with their operations team to handle resource allocation and scalability. Cloud platforms such as Amazon Web Services, Microsoft Azure and Google Cloud Platform have introduced serverless services allowing developers to build applications at scale with less infrastructure complexity and lower costs. Developers can now publish new applications and services within minutes without thinking about resource and infrastructure allocation. These new applications often expose API services that enable unintended data loss due to outdated TLS support and a lack of proper authentication.

RISE OF SHADOW API

As adoption of these new cloud serverless services grows, it allows for the creation of rogue APIs, called shadow APIs, that operate outside enterprise security controls. The ephemeral nature of serverless-based applications often makes legacy API security tools irrelevant and unusable, so traditional security approaches allow these shadow APIs to go undetected. Many security organizations are now being challenged to discover, track and secure these shadow APIs.

Rise Of The Shadow APIs

If the term shadow API sounds insidious, it's because it should. The term refers to APIs that have been overlooked, forgotten, or ignored in the development process; the app's creators simply aren't aware they're in use. These APIs have the same access and permissions as the others used in any given app; however, because they remain in the shadows, they can potentially be exploited by hackers for a variety of nefarious purposes.

The risk of such untracked APIs only grows as app development becomes easier. Agile development has lowered the skills needed to produce and deploy an application, largely due to the reliability and proliferation of API integration. This increased rate of productivity touches other sectors as well, such as the Internet of Things, which relies just as heavily on APIs as mobile apps do.

It's this proliferation that causes security professionals to worry, with Gartner predicting APIs will become the number one source of data breaches by 2022. A shadow API is an enticing security loophole for anyone capable and willing to exploit one. Knowing how to cut down on this risk is as essential as creating the app itself.

What is serverless?

We're going to talk first about what serverless is. Serverless computing is a new application execution model that automates the orchestration of infrastructure at runtime. In other words, when a developer builds a new application on top of serverless, the platform automates all of the traditional work of spinning up and scaling out the compute, network, storage, databases and other underlying infrastructure needed to support and scale the application. Similarly, when the application is no longer in use, it scales it all back down.

Advantages and benefits of serverless

The big advantage serverless has been delivering for the past four years to applications built on it is dramatically lower cost, because you only pay while the application is in use, and significantly easier operation, because the skills needed to orchestrate and automate all of the infrastructure are taken care of by the cloud providers: specifically, Amazon with the Lambda service, Google Cloud with Cloud Functions and Microsoft with Azure Functions.

This is a relatively new area that has grown substantially in popularity in the last four years. Just to put a statistic on that, Amazon released data showing it took about 10 years for Docker containers to reach about 24% usage among its customer base. Lambda, in comparison, has reached a similar percentage, 23.5%, in just four years since it was introduced.

Serverless is therefore growing more than twice as fast in usage among that customer base as containers did. Because of this fast-growing popularity, particularly among developers taking advantage of serverless to make their lives easier and to dramatically lower the cost of application development and execution, it has created some new and interesting challenges for enterprise security.

On the positive side, because there are no traditional servers persisting all the time, there is a nice clean-slate benefit on the operating systems and compute that support applications. Where malware or sophisticated attacks would otherwise stay persistent or even dormant inside your infrastructure, with serverless these resources are constantly scaling up and down because the infrastructure is ephemeral. So it's hard for bad applications or malware to stay hidden in your environment for long periods of time, because it all gets cleared out frequently.

Shadow APIs and Denial of Wallet (DoW) challenges

There are some new and interesting challenges with this serverless approach. One of them is the concept of Shadow APIs. Because most of these applications are now being built with a microservices architecture, you have smaller, reusable pieces of software that ultimately support an enterprise application built on serverless.

Most of these microservices communicate with one another via APIs, typically RESTful APIs. Whether these RESTful APIs are viewed as publicly consumable or private, to be used only to interconnect the microservice fabric, once they are on the public cloud they are inherently accessible and available to any attacker or to any potential malicious software. One of the things that is starting to happen in enterprises is that they don't know what they don't know about the number of APIs being published and consumed by these modern serverless applications.

This is a new challenge from a discovery perspective: finding all of the Shadow APIs that exist in the enterprise environment requires new tools and new techniques. That's one of the new interesting challenges for security when developers use this new concept of serverless.
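One practical way to approach that discovery problem, as an added example that is not from the original post: reconcile the routes actually observed in API access logs against the team's declared route inventory, and flag anything served that nobody documented. The simplified log format, the inventory and the log lines below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed access-log lines in a simplified "METHOD path status" form,
# standing in for API gateway or function access logs. Not real traffic.
SAMPLE_LOG = """\
GET /v1/orders/1042 200
GET /v1/orders/77 200
POST /v1/orders 201
GET /internal/debug/config 200
GET /v1/users/9f3c2a1b-1111-2222-3333-444455556666/profile 200
DELETE /v2/export/all 200
GET /internal/debug/config 200
"""

# Declared route inventory (what the team's API spec documents).
# Path parameters use the {param} placeholder convention.
INVENTORY = {
    ("GET", "/v1/orders/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/users/{id}/profile"),
}

_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def normalize_path(path: str) -> str:
    """Collapse numeric and UUID path segments into {id} so that
    /orders/77 and /orders/1042 map to the same route template."""
    parts = []
    for seg in path.split("/"):
        parts.append("{id}" if seg.isdigit() or _UUID.match(seg) else seg)
    return "/".join(parts)

def find_shadow_routes(log_text: str, inventory: set) -> dict:
    """Return {(method, route_template): hit_count} for routes that were
    served in traffic but are absent from the declared inventory."""
    seen = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        seen[(method, normalize_path(path))] += 1
    return {route: n for route, n in seen.items() if route not in inventory}

if __name__ == "__main__":
    for (method, route), hits in sorted(find_shadow_routes(SAMPLE_LOG, INVENTORY).items()):
        print(f"undocumented route: {method} {route} ({hits} hits)")
```

In a real environment the same reconciliation runs over gateway or function access logs, and every route it flags is a candidate shadow API to be either documented and secured or shut down.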

The second challenge that is starting to pop up is a new class of attack called Denial of Wallet (DoW). A Denial of Wallet attack is similar to what we know as Denial of Service. If a bad actor or some threat goes after one of your applications and part of its intent is to bombard it with fictitious requests that keep your application busy, what happens when that application is built on a serverless architecture is that the underlying resources continue to scale up and spin up in order to deal with the increased number of requests.

These requests are intended to take down your service, but because of the nature of the public cloud and services like Lambda and Cloud Functions, they will continue to spin up in order to handle the load. As a result, the cost to the enterprise balloons out of control, to the point where it is really hurting the wallet, or the bottom line, of the company paying the bill for its serverless infrastructure.
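To make the scaling-versus-cost relationship concrete, here is an added example (not from the original post) that models a request flood against a pay-per-invocation function with and without a per-function concurrency cap. The function profile, billing rates and traffic numbers are constructed assumptions, not a provider's real pricing.

```python
from dataclasses import dataclass

@dataclass
class FunctionProfile:
    memory_gb: float              # memory allocated to the function
    duration_s: float             # average execution time of one invocation
    price_per_invocation: float   # illustrative rate, not a provider price list
    price_per_gb_second: float    # illustrative rate, not a provider price list

def flood_cost(profile, requests_per_s, seconds, max_concurrency=None):
    """Model the bill produced by a sustained request flood.

    With no concurrency cap every request is served and billed. With a cap,
    at most max_concurrency invocations run at once, so sustainable
    throughput is max_concurrency / duration_s requests per second and the
    excess is throttled (rejected, not billed).
    Returns (served, throttled, cost).
    """
    offered = requests_per_s * seconds
    if max_concurrency is None:
        served = offered
    else:
        capacity_per_s = max_concurrency / profile.duration_s
        served = min(offered, capacity_per_s * seconds)
    throttled = offered - served
    gb_seconds = served * profile.duration_s * profile.memory_gb
    cost = (served * profile.price_per_invocation
            + gb_seconds * profile.price_per_gb_second)
    return served, throttled, round(cost, 2)

# Constructed scenario: a 1 GB function running 1 s per call, hit with
# 5,000 bogus requests per second for one hour.
PROFILE = FunctionProfile(memory_gb=1.0, duration_s=1.0,
                          price_per_invocation=2e-7, price_per_gb_second=1.7e-5)

if __name__ == "__main__":
    for cap in (None, 100):
        served, throttled, cost = flood_cost(PROFILE, 5000, 3600, cap)
        label = "no cap" if cap is None else f"cap={cap}"
        print(f"{label}: served={served:.0f} throttled={throttled:.0f} cost=${cost}")
```

Cloud providers expose such a cap as a per-function setting (reserved concurrency on AWS Lambda, for example); pairing it with billing alarms turns an open-ended bill into a bounded, alertable one.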