What is API Sprawl?

Have you ever flown over Los Angeles and noticed the phenomenon called “urban sprawl?” The city appears to extend in every direction, without any planning. This results in inconvenient commutes, traffic jams, and air pollution. IT departments can face a similar issue known as “server sprawl.” It occurs when too many servers are deployed without proper planning or coordination. Much like urban sprawl, server sprawl causes problems such as inefficient use of space and energy, as well as unnecessary administrative burdens.

Application programming interfaces (APIs) can also be subject to sprawl. In fact, in 2021, F5 engineer Rajesh Narayanan coined the phrase “API Sprawl” while predicting that the current 200 million APIs will grow exponentially to billions by the end of this decade. As he explained, “As APIs of all types proliferate, it will become common for organizations to reach a point where they are unable to effectively manage and control them. This is API sprawl: the condition of having too many APIs of too many different types in too many different locations to manage effectively.”

What is API sprawl?

Before exploring Narayanan’s concept in more depth, it’s important to understand how APIs function. An API is software that allows multiple applications or data sources to communicate and interact with each other. For instance, when your mobile banking app retrieves information from your retirement account at a different company, it likely does so using an API. Therefore, APIs not only establish connections between software programs, but also link businesses and their respective workflows.

APIs mark a departure from the conventional monolithic approach to software development. In the past decade, enterprise computing has largely shifted towards collections of applications and data sources interconnected through APIs. While this approach offers significant advantages, it also introduces challenges, one of which is API sprawl.

Typically, each API is developed and managed by a dedicated team. This team is responsible for maintaining its functionality, applying updates as needed, and restricting access to authorized users. However, in reality, many organizations today may have numerous “rogue” APIs that are unknown or “zombie” APIs that continue to operate despite no longer serving a purpose. Additionally, there may be APIs that lack proper tracking, existing without clear oversight, leading to an inefficient and insecure sprawl of APIs.

What causes API sprawl?

There are several theories that try to explain the phenomenon known as API sprawl. One common belief is that the rapid increase in the number of APIs has directly led to sprawl. However, this outcome was not inevitable. Instead, it seems that this growth, when combined with certain organizational issues and advancements in IT, creates the conditions that result in API sprawl.

For instance, when IT organizations migrate systems to the cloud, some APIs may be inadvertently left behind. One might wonder how an API can be abandoned, but considering the constant turnover that most organizations experience, the issue becomes apparent. If an API was assigned to person A, who later left the company, their replacement, person B, may not be aware of the APIs they are responsible for tracking.

Changes in software architecture can contribute to API sprawl. Microservices, for example, create an environment where there are so many APIs that it becomes difficult to manage them all effectively. Shifts in development methodology can compound this problem. With continuous integration/continuous deployment (CI/CD), to name one example, developers gain the ability to push new APIs into production or generate code that calls on new APIs on a daily basis. If administrators are not fully aware of the CI/CD pipeline, rogue and zombie APIs can proliferate. 

Inconsistent or nonexistent standards are also responsible for version sprawl. If developers don’t adhere to standards, different versions of the same API can operate simultaneously, leading to confusion and inefficiencies.

How API sprawl affects your business

API sprawl can hurt your business. It increases the cost of application development and IT management. An API that is not easily discoverable may be redeveloped because no one knows it exists. Admins may also waste time determining which API version to use or disconnecting software that is calling the wrong API. 

Both revenue and reputation can suffer when customers have bad experiences interacting with your software due to API sprawl. If customers are calling an outdated or non-functional API, they may not want to do business with you again. Additionally, if working with your APIs causes an undue burden on technical support, that will also not be good for your business relationships. 

However, security is where API sprawl can cause the most damage. APIs create a significant attack surface because they can provide access to applications and data. Even well-managed and defended APIs pose significant risks. 

Poorly managed or undiscovered APIs significantly increase the vulnerability they pose. If a hacker gains access to your data via a zombie API, you may remain unaware of the attack for an extended period, potentially resulting in a massive data breach and exfiltration.

Best practices to prevent API sprawl

To prevent API sprawl, or control it if it’s already excessive, adopt best practices. The most important practice is to implement a clear API governance strategy. This strategy should outline who is responsible for API creation, the standards that must be followed, how APIs will be used, and who should have access to them. Additionally, API governance should establish policies for version control, monitoring, and reporting. 

Implementing API governance must begin with an accurate API inventory. This is often where the first surprises occur, with IT managers expressing surprise at APIs still in operation. However, an accurate inventory enables the identification and removal of rogue and zombie APIs. Additionally, admins can connect the most current API versions with API consumers. 

The management and governance of APIs is not a one-time process. Instead, there should be a comprehensive plan for ongoing oversight. This plan should be operationalized and integrated into the continuous integration/continuous delivery (CI/CD) pipeline and other aspects of the software development lifecycle (SDLC).

Another best practice is to limit the number of APIs that can be developed and then manage them with a centralized API management platform. This allows administrators to keep track of APIs in one place, preventing sprawl. 

API governance is as much an organizational issue as it is a technical one when it comes to combating API sprawl. Staff members responsible for API management need to be trained, and managers must hold them accountable for API sprawl issues. API security controls and countermeasures should be implemented to prevent or contain API sprawl. API security testing should be included in the CI/CD pipeline. API security needs to be an integral part of the overall API governance design and process. Controls can include rate limiting and preventing unauthorized access.

How Noname Security can help with API sprawl

Noname Security’s platform addresses the issue of API sprawl through its API discovery capabilities. The solution enables users to identify and document every API within their domain. In real time, it can detect misconfigurations and vulnerabilities in the source code, as well as identify problems in network configuration and policy that could impact security and manageability. 

Noname Security’s solution can also categorize APIs based on the type of data they handle. For example, if an API provides access to personally identifiable information (PII), which is subject to privacy regulations, Noname Security will flag it for compliance checks. It evaluates API configurations, alerting security managers to potential vulnerabilities. These features empower users to reduce API sprawl and prevent its recurrence in the future.