What is API9 Improper Inventory Management?
You can't secure endpoints you forgot you have — old, undocumented, or deprecated API versions stay exposed and unpatched, becoming an easy back door. The classic case is a forgotten api.v1.example.com still live months after everyone moved to v2.
The danger is the "shadow" or "zombie" endpoint: a /test, a staging host, or an old API version that nobody decommissioned. It still works, still touches production data, but no longer gets security patches or monitoring because everyone forgot it exists — so an attacker who finds it hits a softer target than the current API. The fix is treating your API surface as an inventory problem: keep an up-to-date list of every host, version, and endpoint, document them, and have an explicit retirement/sunset plan instead of leaving old versions running forever.
Issues:
- Missing or outdated inventory of API endpoints
- Missing or outdated documentation
- Unfinished or deprecated APIs still exposed
- Unclear data flows between services
Countermeasures:
- Inventory all API hosts and integrated services
- Document everything - endpoints, parameters, auth
- Automate documentation generation
- Use external protection (API gateway, WAF)
- Include old versions in patches and sunset plans