The rising tide of API sprawl

Users increasingly expect the digital transactions of everyday life to be effortless. Delivering that becomes harder as we grow more connected to the digital realm and the demands placed on those digital experiences increase.

Application programming interfaces (APIs) are seldom discussed but lie beneath the surface, enabling software components to communicate with each other. APIs serve as the backbone of that necessary data exchange. However, to harness the full potential of APIs, two critical elements that pull against each other, and that are both usually overlooked, must be addressed together – API discoverability and API sprawl.

API discoverability refers to the ease with which developers can find and access the APIs they need. Akin to a library made easy to navigate when categorised and indexed correctly, ensuring the discoverability of APIs allows for efficiency, easier collaboration, third-party integration, and importantly, scalability.

As the desire for interconnectivity increases, the number of APIs being developed and used is skyrocketing. As the rate of API usage soars, with no signs of slowing down, API sprawl becomes a very real challenge.

This is most commonly seen within organisations lacking a centralised strategy or framework. Individual departments may develop their own APIs, each with its own security protocols, documentation, and update cycles. The result is a discombobulated mess of APIs spanning the entire reach of an organisation: API sprawl.

Navigating the complexity of API sprawl

Aside from the difficulty in navigating the API chaos, there are serious implications for an organisation’s security posture.

With so many scattered APIs, the attack surface grows with every endpoint. With more entry points to exploit, it’s considerably easier for attackers to infiltrate. API sprawl also poses a risk to customers through the unintentional exposure of sensitive data.

Different APIs may have varying security protocols and authentication mechanisms. This inconsistency leads to gaps and vulnerabilities that grow increasingly difficult to manage with every new API.

When APIs are developed and used without central oversight, or older APIs are abandoned and become obsolete while still reachable, IT and cybersecurity teams can be blind to their activity. This lack of visibility can result in unauthorised access or data breaches going unnoticed until it’s too late.

All industries are subject to regulatory requirements. Among them, the Australian financial services industry answers to the Australian Prudential Regulation Authority (APRA), the Security of Critical Infrastructure Act (SOCI) provides a regulatory framework for the 11 critical infrastructure sectors, and the Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cybersecurity. The proliferation of APIs can make complying with these requirements difficult.

Strategies for effective API management

When allocating time and resources to addressing API sprawl, organisations should recognise that the benefit goes beyond bolstering security posture: APIs also present an untapped opportunity for development and innovation. For this potential to be harnessed, there are a few important steps to implement.

A centralised API governance team must be established, responsible for creating and enforcing organisation-wide standards for API development, security, and documentation.

A thorough inventory should be conducted of all existing APIs to create a catalogue that records each API’s purpose, owner, data flow, and security requirements. Following that, comprehensive monitoring and logging for all APIs must be made standard. This includes monitoring for unusual activity, tracking API usage, and generating logs for regular auditing and assessment, so that undocumented or retired APIs that are still receiving traffic can be identified.

One of the most critical steps is ensuring security measures are incorporated into the API development process from the beginning. This includes implementing authentication mechanisms, encryption, and access controls, and must also include processes to guarantee APIs are regularly reviewed and updated to address vulnerabilities.

As with all areas of cybersecurity, education is one of the most important components. Organisations must provide detailed and accessible documentation for all APIs, including security best practices. Additionally, continuing training for developers and users needs to be put in place to foster understanding and adherence to security guidelines.
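As an added illustration of the inventory and monitoring steps above (example code written for this page, not code from the original article), the following Python script reconciles an API catalogue against access-log traffic. It flags endpoints seen in traffic that are missing from the catalogue (shadow APIs), deprecated endpoints still receiving requests, endpoints that require authentication but were reached without an identified user, and catalogued endpoints with no traffic at all, which are candidates for retirement. The catalogue fields, the log-line format, and every path and user name are constructed assumptions, not any product's schema.

```python
"""Reconcile an API catalogue against observed traffic to surface API sprawl.

Assumptions (constructed for this example): a catalogue of endpoint templates
with owner, lifecycle status and an auth_required flag, and access-log lines of
the form "<timestamp> <method> <path> <status> user=<subject or ->".
"""
import re
from collections import defaultdict

# Constructed catalogue: what the governance team believes exists.
CATALOGUE = [
    {"path": "/v1/accounts/{id}", "owner": "payments", "status": "active", "auth_required": True},
    {"path": "/v1/health", "owner": "platform", "status": "active", "auth_required": False},
    {"path": "/v0/accounts/{id}", "owner": "payments", "status": "deprecated", "auth_required": True},
    {"path": "/v1/reports/{id}", "owner": "finance", "status": "active", "auth_required": True},
]

# Constructed access-log lines; "user=-" means no authenticated subject.
LOG_LINES = [
    "2024-05-01T10:00:00Z GET /v1/accounts/123 200 user=alice",
    "2024-05-01T10:00:01Z GET /v1/accounts/456?expand=1 200 user=bob",
    "2024-05-01T10:00:02Z GET /v1/health 200 user=-",
    "2024-05-01T10:00:03Z GET /v0/accounts/123 200 user=carol",
    "2024-05-01T10:00:04Z POST /internal/export/9a1b2c3d-0000-4000-8000-000000000001 200 user=-",
    "2024-05-01T10:00:05Z GET /v1/accounts/789 200 user=-",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$"
)
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def normalize_path(path):
    """Drop the query string and collapse numeric or UUID segments to {id},
    so concrete requests map onto the catalogue's endpoint templates."""
    path = path.split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        segments.append("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg)
    return "/".join(segments)


def parse_log_line(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["authenticated"] = rec["user"] != "-"
    rec["endpoint"] = normalize_path(rec["path"])
    return rec


def reconcile(catalogue, log_lines):
    """Compare traffic against the catalogue and return sorted findings per category."""
    by_path = {entry["path"]: entry for entry in catalogue}
    seen = defaultdict(lambda: {"requests": 0, "unauthenticated": 0})
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than silently mis-attributed
        stats = seen[rec["endpoint"]]
        stats["requests"] += 1
        if not rec["authenticated"]:
            stats["unauthenticated"] += 1

    findings = {"shadow": [], "deprecated_in_use": [], "unauthenticated": [], "unused": []}
    for endpoint, stats in seen.items():
        entry = by_path.get(endpoint)
        if entry is None:
            findings["shadow"].append(endpoint)  # traffic to an endpoint nobody catalogued
            continue
        if entry["status"] == "deprecated":
            findings["deprecated_in_use"].append(endpoint)  # retired on paper, live in practice
        if entry["auth_required"] and stats["unauthenticated"]:
            findings["unauthenticated"].append(endpoint)  # control gap worth investigating
    for endpoint in by_path:
        if endpoint not in seen:
            findings["unused"].append(endpoint)  # candidate for retirement
    return {category: sorted(items) for category, items in findings.items()}


if __name__ == "__main__":
    for category, endpoints in reconcile(CATALOGUE, LOG_LINES).items():
        print(f"{category}: {endpoints}")
```

Run regularly against real gateway or load-balancer logs, the "shadow" and "deprecated_in_use" lists are the concrete output of the inventory step, and the "unauthenticated" list is the kind of unusual activity the monitoring step is meant to surface; each finding carries an owner from the catalogue so it can be routed to the responsible team.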

While no organisation can be 100% covered against threats, risk can be mitigated to the highest possible extent. When a single broken API can bring down an entire business, the only way to reach that level of protection is proactive API governance and security, which in turn will also harness APIs’ power for innovation and growth.