    API9:2023 - Improper Inventory Management

    Unknown, deprecated, or shadow APIs remain exposed when inventory and lifecycle controls are weak.

    Why This Category Exists

    APIs evolve quickly, and unmanaged versions, forgotten staging endpoints, and undocumented services often stay reachable. Attackers target these blind spots because they usually lack modern controls and monitoring.

    Common Impact

    • Attack surface growth through unmanaged endpoints.
    • Old versions with known vulnerabilities still accessible.
    • Monitoring and incident response gaps due to unknown assets.

    Prevention Checklist

    • Maintain a live API inventory with ownership and data classification.
    • Apply versioning and formal deprecation with retirement deadlines.
    • Block internet exposure of non-production environments.
    • Run discovery scans to detect undocumented or rogue APIs.
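    The first, second and fourth items of the checklist can be exercised together by reconciling what the gateway actually serves against the inventory. The script below is an added example, not part of this guide or of any OWASP tooling; it assumes a constructed inventory, a simplified access-log line shape, and a hypothetical naming convention in which non-production hosts carry a `staging.`, `dev.` or `uat.` prefix.

```python
import re
from datetime import date

# Constructed inventory (hypothetical data): documented routes, owner, and the
# retirement date set by the deprecation policy (None = current version).
INVENTORY = {
    "/api/v2/orders": {"owner": "orders-team", "retire": None},
    "/api/v1/orders": {"owner": "orders-team", "retire": date(2023, 6, 30)},
}
# Assumed naming convention: hosts with these prefixes are non-production and
# must not show up in internet-facing access logs at all.
NON_PROD_HOST = re.compile(r"^(staging|dev|uat)\.")
# Minimal access-log shape used here: <host> "<METHOD> <path> HTTP/1.x" <status>
LOG_RE = re.compile(r'(?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]"')
# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    'api.example.com "GET /api/v2/orders/42 HTTP/1.1" 200',
    'api.example.com "GET /api/v1/orders/42 HTTP/1.1" 200',
    'api.example.com "POST /api/v0/export?all=1 HTTP/1.1" 200',
    'staging.example.com "GET /api/v2/orders HTTP/1.1" 200',
]
TODAY = date(2024, 1, 15)

def normalize(path):
    """Drop the query string and replace numeric segments with {id} so that
    /orders/42 and /orders/7 both map onto the one documented route."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path.split("?")[0])

def audit(log_lines, inventory, today):
    """Return sorted, de-duplicated findings: routes absent from the inventory,
    versions still served past their retirement date, and non-production hosts."""
    findings = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a real tool would count these as well
        host, path = m["host"], normalize(m["path"])
        if NON_PROD_HOST.match(host):
            findings.add(("non_prod_exposed", host, path))
        route = next((r for r in inventory if path == r or path.startswith(r + "/")), None)
        if route is None:
            findings.add(("undocumented", host, path))
        elif inventory[route]["retire"] and inventory[route]["retire"] < today:
            findings.add(("retired_still_serving", host, route))
    return sorted(findings)

def run_audit():
    """Audit the constructed sample against the constructed inventory."""
    return audit(SAMPLE_LOG, INVENTORY, TODAY)
```

    Each finding maps back to a checklist item: an undocumented route needs an owner and a classification, a retired version still answering needs to be switched off, and a non-production host in public traffic needs its exposure closed.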