Enterprises operate a large and growing number of APIs, more than 200 on average, each a potential front door to sensitive data. Even more challenging can be figuring out which of these APIs are not actively managed, the so-called “shadow APIs”. Born from well-intended development initiatives and legacy systems, shadow APIs operate without proper oversight or governance, and could be the source of damaging security incidents.

Today at Google Cloud Next, we are excited to announce shadow API detection in preview in Advanced API Security, part of our Apigee API Management solution.

Securing your APIs with Apigee API Management

Apigee is Google Cloud’s turnkey API management solution that can help you build, manage, and secure APIs in the cloud and on-premises. Apigee helps ensure the reliability of your API transactions with fine-grained controls and more than 50 built-in security policies, including authentication and authorization.

Advanced API Security works proactively to identify misconfigured APIs, detect malicious bot and business logic attacks, and help organizations take swift action to mitigate threats. Previously, this protection was only available for actively managed APIs. Now, with the ability to discover shadow APIs in Advanced API Security, you can eliminate hard-to-find blind spots and close security gaps.

Detecting shadow APIs in Advanced API Security

Advanced API Security now integrates with Google Cloud regional external Application Load Balancers to discover and identify API traffic in a specific region, to help support regulatory and performance requirements. 

In the following example, we show how this works in our Belgium region (europe-west1).

Select your Google Cloud external Application Load Balancer’s region to discover the associated APIs.

Through examination of requests and responses flowing through your load balancers, Advanced API Security extracts the APIs and their relevant details such as API endpoints, platform, protocol, parameter names, and responses. You can access critical details on where the API is operating, the kind of operations that are running, and the latest activity on these APIs via an intuitive interface.

Advanced API Security catalogs and organizes all the APIs linked to the selected load balancer

Shadow API detection also looks at historical data to uncover new API calls, and can provide always-on awareness and detection of emerging shadow APIs. You can tag individual endpoints that need further attention to ensure comprehensive protection across your API surface.

Detailed information on shadow API endpoints associated with your load balancer
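The discovery idea described above, reduced to a sketch (an added example, not Apigee's implementation and not code from the original post): observed traffic is normalized into endpoints, compared against an inventory of managed APIs, and optionally filtered to endpoints that first appeared after a cutoff. The log field names, sample records and managed inventory are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records; field names are assumptions, not a real log schema.
SAMPLE_LOGS = [
    {"ts": "2024-04-01T10:00:00", "method": "GET", "path": "/v1/orders/1001", "status": 200},
    {"ts": "2024-04-02T11:30:00", "method": "GET", "path": "/v1/orders/1002?expand=items", "status": 200},
    {"ts": "2024-04-03T09:15:00", "method": "POST", "path": "/v1/orders", "status": 201},
    {"ts": "2024-04-05T14:00:00", "method": "GET", "path": "/internal/export/7f3c2a9e-1b4d-4c6e-9a2f-0d5e8b7c6a41", "status": 200},
    {"ts": "2024-04-08T16:45:00", "method": "GET", "path": "/internal/export/0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "status": 200},
    {"ts": "2024-04-09T08:00:00", "method": "DELETE", "path": "/v0/users/42", "status": 204},
    {"ts": "2024-04-09T08:05:00", "method": "GET", "path": "/favicon.ico", "status": 404},
]

# Hypothetical inventory of endpoints that are actively managed.
MANAGED = {("GET", "/v1/orders/{id}"), ("POST", "/v1/orders")}

_ID = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

def normalize(path):
    """Drop the query string and collapse numeric/UUID segments to {id}."""
    segments = path.split("?", 1)[0].strip("/").split("/")
    return "/" + "/".join("{id}" if _ID.match(s) else s for s in segments)

def find_shadow_endpoints(logs, managed, new_since=None):
    """Return unmanaged endpoints seen in traffic, with count and first/last activity."""
    seen = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None})
    for rec in logs:
        if rec["status"] == 404:      # path did not resolve to anything; not an API
            continue
        key = (rec["method"], normalize(rec["path"]))
        ts = datetime.fromisoformat(rec["ts"])
        e = seen[key]
        e["count"] += 1
        e["first_seen"] = min(e["first_seen"] or ts, ts)
        e["last_seen"] = max(e["last_seen"] or ts, ts)
    shadow = {k: v for k, v in seen.items() if k not in managed}
    if new_since is not None:         # keep only endpoints that first appeared after the cutoff
        shadow = {k: v for k, v in shadow.items() if v["first_seen"] >= new_since}
    return shadow

if __name__ == "__main__":
    for (method, path), info in sorted(find_shadow_endpoints(SAMPLE_LOGS, MANAGED).items()):
        print(method, path, info["count"], info["last_seen"].isoformat())
```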

Upon detecting shadow APIs, you can collaborate with the API owners to establish management in accordance with company-wide security and API management standards. You can also implement missing security measures to help reduce the risk of compromise.

Get started tracking down shadow APIs

By detecting shadow APIs, Advanced API Security can help you strengthen your security posture and adopt a more proactive approach to finding vulnerabilities lurking in your application infrastructure.