As enterprises increasingly adopt cloud-native architectures, microservices, and third-party integrations, the number of Application Programming Interfaces (APIs) has surged, creating an “API tsunami” in an organization’s infrastructure that threatens to overwhelm traditional management practices. As digital services proliferate, so does the development of APIs, which allow various applications to communicate or integrate with each other and share information. This rapid growth, often referred to as API sprawl, complicates security and management efforts as traditional security tooling is not equipped to deal with the specific challenges of API attacks. Therefore, the attack surface widens, making it harder for organizations to monitor and secure each endpoint.

The Growing Challenge of API Sprawl

API sprawl brings several unique challenges that traditional security tools and practices are ill-equipped to handle. These include:

1. The Invisible Threat of API Proliferation Leads to an Expanded Attack Surface

Each new API endpoint increases an organization’s attack surface, as every API represents a potential entry point for attackers. The larger and more decentralized an API ecosystem, the harder it becomes for security teams to enforce consistent security policies and monitor for vulnerabilities across all endpoints.

For example, research from Salt Security in 2024 found that over 63% of organizations experienced security incidents due to unmonitored or inadequately secured APIs, often those created by different teams across multiple cloud environments. With hundreds or thousands of active APIs, each endpoint becomes a blind spot in the network, and attackers actively seek out these less visible targets.

Action: Implement centralized API management solutions that integrate with all deployed APIs across the enterprise. Centralized platforms offer better visibility and control, allowing security teams to enforce security policies uniformly, monitor all endpoints for vulnerabilities, and streamline incident response.

2. Inconsistent Security Standards and Fragmented API Management

API sprawl leads to inconsistent security practices, as different teams – often working with different standards – create and manage their own APIs. These inconsistencies can lead to security misconfigurations, varying levels of access control, and inconsistently applied encryption protocols, creating weaknesses that attackers can exploit.

Salt Security’s report also shows that some institutions prioritize API security only selectively, leading to gaps where older APIs or less protected endpoints might use basic authentication or API keys instead of robust multi-factor authentication. This inconsistency can expose sensitive information, particularly in financial institutions where APIs often process personal and transactional data. Moreover, attacks against APIs have been on the rise within the financial services sector, prompting a significant portion of the industry to elevate API security to a critical business priority in response.

Action: Establish a centralized API security policy that mandates uniform security practices for all APIs, including requirements for encryption, authentication, and access control. Additionally, adopt API gateways that can enforce these policies automatically, ensuring consistency across environments, whether on-premises or cloud-based.

3. Maintaining Regulatory Standards Across APIs become Compliance and Data Privacy Challenges

Compliance with regulations like GDPR, CCPA, and HIPAA becomes increasingly challenging in an API-sprawled environment. This is because data privacy laws require organizations to secure sensitive information and maintain audit trails. However, when APIs proliferate, it’s hard to track where data is stored, processed, and transmitted. Many organizations lack visibility into the data flows of all APIs, especially shadow or undocumented APIs, which can create potential compliance violations.

As digital healthcare services and mobile apps become more popular, the bigger the risk to personal health information (PHI) becomes. For example, earlier this year, fertility tracker app Glow experienced a massive data leak of 25 million users due to a leaky developer API. This  incident highlights the risk of compliance violations in environments with uncontrolled API growth – particularly as countries like the UK seek to centralize healthcare management, proposing that medical records, health letters and test results will all be available through the NHS app.

Action: Implement continuous API discovery and cataloging tools to maintain an accurate, up-to-date inventory of all APIs in use. These tools should provide visibility into data flows and facilitate compliance audits by tracking data transmission, storage, and access. Regularly audit APIs to ensure each complies with relevant regulatory requirements, and use automated tools to detect and remediate gaps in compliance.

4. The Strain of Managing API Sprawl and Operational Complexity

It’s not a surprise that the larger the API ecosystem, the more difficult it becomes to manage. As digital services gain popularity and streamline everyday business operations, security teams face a growing workload to oversee each endpoint, manage access controls, and perform vulnerability scans. This operational complexity can lead to overlooked vulnerabilities and delayed responses, especially in multi-cloud environments where APIs interact across different services and platforms.

For example, large enterprises with multiple business units, each will have its own API standards and practices. Security teams are often unable to effectively manage and monitor the entire ecosystem due to the sheer scale of the business, which can lead to many API security incidents that can take weeks to fully investigate and resolve.

Action: Adopt centralized, scalable API management platforms that allow security teams to monitor all APIs from a single dashboard. Automated vulnerability scanning and real-time alerts reduce manual workload and improve the speed of response, while integrated security orchestration can streamline remediation processes. Give access to multiple business units that can help take responsibility for the security of the APIs they control.

5. API Lifecycle Management and the Ability to Address Shadow and Zombie APIs

With rapid development cycles, APIs are often created and deployed to meet immediate project needs, only to be forgotten once the project ends. These orphaned APIs, often referred to as shadow or zombie APIs, can remain active in production, creating ongoing security risks. Unmonitored and unmaintained, they become easy targets for attackers who scan for unprotected endpoints.

A notable example of a zombie API breach involved the United States Postal Service (USPS) in 2018, where an exposed API known as the “Informed Visibility” API allowed unauthorized access to sensitive customer data. This API, which provided near real-time tracking data to bulk mail senders and advertisers, lacked proper access control and anti-scraping protections. As a result, it exposed data for over 60 million USPS users, allowing attackers to query and retrieve personally identifiable information (PII) without restriction. The security gap was reported by a researcher rather than a malicious actor, allowing USPS to eventually patch the API after it was publicly disclosed.

Action: Integrate lifecycle management into API development processes, ensuring that each API is tracked from creation through deprecation. Automated decommissioning policies can remove APIs that are no longer in use, reducing the risk of zombie APIs. Additionally, automated discovery tools can continuously scan for shadow APIs, ensuring that undocumented endpoints are identified and either secured or removed.

Navigating the API Tsunami with Proactive Management

As more teams create and deploy APIs independently, the organization’s risk exposure grows, compounded by inconsistent security practices and regulatory compliance issues. Understanding and addressing the causes and consequences of API sprawl is essential to mitigating these risks.

Addressing API sprawl requires centralized management, consistent security practices, real-time monitoring, and effective lifecycle management. By proactively managing the “API tsunami,” organizations can reduce risk, ensure compliance, and improve operational efficiency.

Successful organizations will recognize that controlling API sprawl is not merely a security measure; it’s a strategic approach to sustaining digital transformation. With the right tools and practices, businesses can harness the benefits of APIs while safeguarding their environments against evolving security threats. Learn how to today.

*** This is a Security Bloggers Network syndicated blog from Salt Security blog authored by Michael Callahan. Read the original post at: https://salt.security/blog/the-quiet-rise-of-the-api-tsunami