Part 2 of the OWASP API Security Top 10 Deep Dive Series
Risk #9 – Improper Inventory Management
Psychology of Digital Blindness
In September 2022, telecom giant Optus learned a $140 million lesson – and nearly 10 million customers learned that not all breaches involve elite hackers. The cause? A forgotten API endpoint.
It wasn’t buried behind layers of obfuscation. It wasn’t encrypted with military-grade tech. It was just… sitting there. api.optus.com.au, unauthenticated, quietly accepting requests since 2017. All an attacker had to do was write a script that incremented customer IDs. The result? A full data leak – names, birth dates, addresses, government IDs.
The kicker? Optus had fixed a similar issue on their main site in 2021. But no one remembered that this test API still existed. As regulators noted, “It wasn’t sophisticated. It was trial and error.”
This is the essence of Improper Inventory Management:
It’s not what you know that kills you.
It’s what you forgot you had.
The Digital Forgetting Curve
In the 1880s, psychologist Hermann Ebbinghaus showed that we forget things fast-unless we make an effort to remember them. The same goes for digital systems.
We have seen production systems with a gazillion undocumented APIs. What it means is that a big part of a company’s attack surface might be invisible to their security team.
Imagine if a quarter of your office doors were invisible to your team, but unlocked for anyone persistent enough to find them. That’s not a security gap. It’s a full-blown security blindfold. And it’s not carelessness. It’s human nature: we forget what’s old and quiet, and focus on what’s new and noisy.
When Trust Becomes Weaponized
The real danger of poor API inventory management? It’s not just forgotten endpoints – it’s how attackers turn that invisibility into opportunity.
Take this case:
A social network implemented rate limiting to prevent brute force attacks on password reset tokens, but only on the main API. A beta version, still running in the background, had no such protection. Researchers used it to guess users’ six-digit reset tokens with ease.
The main system was secure. The docs were accurate. But the beta environment? A perfect open door.
In such cases, systems weren’t breached through clever code – they were compromised by what the organization didn’t know was still running.
Flavors of Improper Inventory Management
Improper inventory management manifests in three distinct ways that security researchers have given wonderfully evocative names:
- Shadow APIs: Endpoints that exist but aren’t documented. Usually, an artifact of engineers building a quick testing endpoint, deploying it to staging, and moving on to the next urgent project.
- Zombie APIs: Deprecated versions that should be dead but still survive as developers are too afraid to shut them down. “Just in case” someone may need them. These undead APIs accumulate like digital sediment.
- Shadow Parameters: Undocumented features lurking within known endpoints. These can appear as extra query strings, headers, or POST body fields added during development or debugging, but never officially documented – yet still processed by backend logic.
Each represents a different failure mode in how humans manage complexity.
Building Systems That Remember What We Forget
Improper API inventory isn’t just a documentation issue – it’s a discovery problem. The best teams acknowledge their system maps are always outdated and incomplete. Finding unknown APIs isn’t a failure; it’s a sign you’re paying attention.
Automation is key. Humans aren’t great at constant vigilance, but machines are. Use tools that continuously scan your environment, flag discrepancies, and map out hidden endpoints.
Also, plan for API retirement. Zombie APIs exist because no one wrote their obituaries. Treat your APIs like any other software asset – with a defined lifecycle from birth to deprecation.
The Deeper Lesson
The Optus breach is less about broken tech and more about broken memory. The vulnerable API had multiple chances to be discovered – during its 2018 launch, a 2020 exposure, and even during a 2021 fix – but it slipped through each time. Why? Because no one remembered it was there.
As systems grow into sprawling, interconnected ecosystems, human memory and manual documentation just can’t keep up. The fix isn’t to blame people – it’s to build systems that assume we forget, and are designed to catch what we miss.
The Cure? Build Systems That Remember for You
The best organizations know: this isn’t a documentation problem – it’s a visibility problem. They don’t assume they know everything in production. They assume they don’t – and act accordingly.
Here’s how to build resilience:
1. Continuous API Discovery
Assume your maps are outdated.
2. Automate the Memory Work
Humans forget. Machines don’t. Set up systems that continuously watch for unknown or undocumented endpoints, especially in non-prod environments. Treat staging with the same scrutiny as prod.
3. Map the Unknown
Use modern discovery tools to auto-generate OpenAPI specs from real traffic. Let your systems document themselves in real-time. If something runs and talks to produce data, it should be visible and defined.
4. Retire APIs – Don’t Let Them Haunt You
Every API should have a retirement plan. Zombie APIs persist because no one wants to be the person who “breaks something.” Build sunset policies and make API death part of the lifecycle.
5. Behavior-Based Monitoring
If an API designed for user profiles suddenly starts returning payment data, investigate immediately. Anomalies in traffic flow are often signs of forgotten or misused endpoints.
6. Apply Controls Everywhere
Don’t assume only production matters. Many breaches happen through staging systems with prod-level access but zero controls. Clone databases, leaked tokens, open debug flags – test environments are often the weakest link.
Periodic Inventory Audits
Make it a ritual. Sit down as a team and actively hunt your ghosts – Shadow APIs, deprecated routes, weird headers. Not to punish mistakes, but to strengthen awareness.
Final Thought
Improper Inventory Management isn’t about poor code. It’s about poor visibility. And the solution isn’t perfect documentation – it’s creating systems that scream when something undocumented exists.
The next forgotten API might not be a weather app. It might be a test script, a debug tool, or a clone of last year’s project that someone spun up “just for a day.”
If you don’t find them, someone else will.