LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What is API9 Improper Inventory Management?

You can't secure endpoints you forgot you have — old, undocumented, or deprecated API versions stay exposed and unpatched, becoming an easy back door. The classic case is a forgotten api.v1.example.com still live months after everyone moved to v2.

The danger is the "shadow" or "zombie" endpoint: a /test, a staging host, or an old API version that nobody decommissioned. It still works, still touches production data, but no longer gets security patches or monitoring because everyone forgot it exists — so an attacker who finds it hits a softer target than the current API. The fix is treating your API surface as an inventory problem: keep an up-to-date list of every host, version, and endpoint, document them, and have an explicit retirement/sunset plan instead of leaving old versions running forever.

Issues:

  • Missing or outdated inventory of API endpoints
  • Missing or outdated documentation
  • Unfinished or deprecated APIs still exposed
  • Unclear data flows between services

Countermeasures:

  • Inventory all API hosts and integrated services
  • Document everything - endpoints, parameters, auth
  • Automate documentation generation
  • Use external protection (API gateway, WAF)
  • Include old versions in patches and sunset plans

From Quiz: SPRG / OWASP Top 10 | Updated: Jun 20, 2026