Create an Internal API and Service Inventory with Konnect Service Catalog
When speaking with our customers, and particularly with platform teams, we repeatedly hear about how difficult it is to discover and govern all the services and APIs that actively run on their infrastructure.
In ever-expanding and changing environments, platform teams often grapple with the challenge of monitoring and managing the creation and termination of services across numerous disparate application teams. This lack of visibility can lead to inefficiencies and potential conflicts as the scale of operations increases. Additionally, staffing churn makes it hard to keep up with which services exist and who their corresponding owners are. This challenge is generally referred to as API sprawl and stems from a lack of centralized API oversight across teams and business units.
Organizations that aren’t able to keep ongoing track of which APIs and services exist inevitably end up with shadow APIs: undiscovered and unmanaged APIs. These APIs may have been developed with good intent, and by skirting organizational governance and controls, they may have had perceived value as a quick solution. Yet left unchecked, they introduce a range of risks and inefficiencies.
What are the risks associated with shadow APIs?
Shadow APIs often bypass standard security reviews and protocols and may expose sensitive data or create unnecessary vulnerabilities in the service. Even though they may be known by a development group or line of business, these APIs may not undergo continuous security testing, data compliance controls, or patching, increasing threat vectors such as data breaches or unauthorized access.
Kong forecasts the number of annual API attacks will grow 548% by 2030. This means every single API endpoint running in your infrastructure is an opportunity for attack by bad actors.
Security aside, the presence of shadow APIs can still pose serious compliance and operational risks. These APIs were most likely not built following organizational standards and introduce inconsistencies in data handling, compliance, and alignment with regulatory requirements. Lack of controls may result in non-compliant practices, which can open up organizations to legal ramifications that may include fines and costly remediation.
These security and compliance risks come on top of the inefficiencies shadow APIs create: collaboration barriers when assets are unknown to the organization, wasted resources from redundant functionality, and the added maintenance burden of services that are more likely to become abandoned over time.
That said, maintaining an up-to-date inventory of live services and all their various dimensions typically requires a significant amount of manual work from platform teams.
With Kong Konnect Service Catalog, you can automatically discover running services and APIs through infrastructure integrations and auto-populate the catalog as services, APIs, and other critical data get discovered and updated in real time.
Let’s explore how that works and the value you get!
Maintain a single record of truth for all services and APIs with ease
If you’re already a Kong customer and using our runtimes to manage your APIs, implementing Service Catalog into your API platform is effortless. Because Service Catalog is natively integrated with Kong Gateway and Kong Mesh, once activated, it will pre-populate with all the services that exist in Gateway Manager and Mesh Manager.

Beyond our native runtime integrations, we currently support a discovery integration with Traceable and will support more discovery integrations across Kubernetes, serverless functions, and more in the months to come, so you can expand discovery and cataloging across your infrastructure regardless of where your application teams run. Traceable is integrated with Kong in two ways: at the gateway level with the Traceable plugin and via a direct integration with Service Catalog.

The Traceable platform identifies unmanaged APIs by collecting data from a variety of sources, including CI/CD pipelines, WAFs, and load balancers. Through the Service Catalog integration, API platform owners can bring those shadow APIs into management and compliance via a Kong Gateway.
To learn more about how to secure APIs using the Konnect Service Catalog x Traceable integration, check out this blog.
If you discover an unmanaged API in your infrastructure via the catalog, you can take action to ensure it’s secured by fronting it with a proper gateway in Gateway Manager and go one step further by populating a record of who owns the service, its function(s), analytics, git repo activity, and more. With minimal effort, you unlock centralized visibility into the health and activity behind every running API in your organization. Let’s explore the value of this in more detail next.
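The reconciliation idea behind that workflow, as an added example that is not Kong's or Traceable's code: it compares APIs seen in load-balancer logs against an inventory and flags those that are missing, not gateway-fronted, or ownerless. The log format, hostnames, and inventory field names are constructed for illustration and are not the Konnect schema.

```python
import re
from collections import Counter

# Constructed sample: load-balancer access log lines (host, method, path, status).
LB_LOG = """\
api.example.internal GET /billing/v1/invoices/1042 200
api.example.internal POST /billing/v1/invoices 201
api.example.internal GET /flights/v2/bookings/77 200
legacy.example.internal GET /export/v1/customers 200
legacy.example.internal GET /export/v1/customers/9 200
api.example.internal GET /reports/v1/daily 401
"""

# Constructed inventory; field names are hypothetical, not the Konnect schema.
CATALOG = [
    {"name": "billing", "host": "api.example.internal", "prefix": "/billing/v1",
     "gateway_fronted": True, "owner": "payments-team"},
    {"name": "flight-bookings", "host": "api.example.internal", "prefix": "/flights/v2",
     "gateway_fronted": True, "owner": None},
    {"name": "reports", "host": "api.example.internal", "prefix": "/reports/v1",
     "gateway_fronted": False, "owner": "data-team"},
]

LINE = re.compile(r"^(\S+) (\S+) (/\S*) (\d{3})$")

def api_root(path):
    """Reduce a request path to '/<service>/<version>' so IDs do not split one API."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:2])

def reconcile(log_text, catalog):
    """Classify observed APIs as shadow, not gateway-fronted, or ownerless."""
    observed = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            observed[(m.group(1), api_root(m.group(3)))] += 1
    known = {(s["host"], s["prefix"]): s for s in catalog}
    findings = {"shadow": [], "not_gateway_fronted": [], "no_owner": []}
    for key, hits in sorted(observed.items()):
        svc = known.get(key)
        if svc is None:  # traffic exists, but no inventory record does
            findings["shadow"].append((key[0], key[1], hits))
        else:
            if not svc["gateway_fronted"]:
                findings["not_gateway_fronted"].append(svc["name"])
            if not svc["owner"]:
                findings["no_owner"].append(svc["name"])
    return findings
```

Calling `reconcile(LB_LOG, CATALOG)` returns the three finding lists; the shadow entries carry the request count, which helps prioritize which unmanaged API to bring behind a gateway first.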
Manage a repository of self-serve data about all services and APIs
Once a service has been discovered, you can start to enrich the specific service’s record with various data points across the Kong platform and third-party applications.

For example, if you refer to the screenshot above, you’ll notice we’re looking at a dashboard for a Billing service that’s been cataloged. In the Overview section for Billing, we can see a range of information including the official Engineering Slack channels, the GitHub repo for the service, and the PagerDuty on-call engineer and the status of incidents that have arisen, just to call out a few.
Service Catalog aggregates critical information from these third-party applications through robust integrations, which means any developer, with the proper permissions, can go in and view real-time updates and data regarding any cataloged service.
With these centralized summaries of each live service, developers have a dedicated space where they can view critical information about each cataloged service. For example, let’s say Helena is building a service that will potentially integrate with the Billing service. She can head into the catalog, find the Billing service dashboard, and locate who owns the service as well as which Slack channel she could message to get the conversation rolling. If she wants to refer to the Billing service’s API documentation, she can also find that information stored in the “API Specs” tab of the dashboard (see screenshot below).

Here’s another example: let’s say Sam just got back from vacation, and now she’s trying to understand at a high level what’s been happening in the backend of her Flight Bookings service. To get a comprehensive bird’s-eye view, she heads over to the Flight Bookings service in the Service Catalog and opens the “Events” tab.
From there, she can refer to a chronological list of events related to her Flight Bookings service that occurred in the time she was out, including:
- GitHub events for pull request activity (open/merged)
- GitLab for merge request activity (open/closed)
- PagerDuty for whenever an incident was opened/acknowledged/closed
- Gateway Manager for whenever plugins were installed or removed
- Datadog for whenever monitors changed status from alert/warn/OK

Taking in this information at a high level, with the ability to filter by Event type, gives Sam a good idea of where she needs to follow up and saves her a lot of time in doing so. Because it is the single record of activity for any given service, Events is useful for service and platform owners in everyday monitoring and for better collaboration when triaging incidents.
For new employees joining a company, Service Catalog is a great place to start familiarizing themselves with existing services in the organization.
These are just a few examples of how a centralized dashboard of aggregated, real-time information for each service can help developers find the information they need to efficiently get their work done.
Measure and enforce API and service compliance
Once you’ve (1) gathered an active inventory of the APIs and services running internally in your organization and (2) enriched this inventory with critical contextual information, you can start to drive org-wide governance by setting up Scorecards tied to your compliance initiatives around security, reliability, quality, and more.
You can configure Scorecards (available in Konnect Service Catalog as an add-on) based on Kong-recommended best practices and industry standards for security, documentation, and service maturity. Once you’ve applied Scorecards to all or select services in your catalog, they will automatically score each service with a “pass/fail” and present the exact reasons for non-compliance with individual rules.
This means platform teams can automate traditionally time-consuming compliance checks and leverage clear paths to remediation with non-compliant service owners. For a deeper look into how Scorecards works, head over to this blog.
Start cataloging and drive value in your organization with:
- Accelerated Development: Developers can locate and reuse existing APIs, reducing the need to build new services and speeding up development cycles. This also lowers development costs and ensures consistency.
- Improved Teamwork: A central API repository enhances collaboration by allowing teams to easily share and access APIs, fostering innovation and building upon existing work.
- Consistent Standards and Control: API discovery supports adherence to design, security, and usage standards. It enables centralized management and oversight, which is vital for compliance and quality.
- Reduced Security Risks: A managed and discoverable API ecosystem minimizes the creation of unauthorized APIs, thereby reducing potential security vulnerabilities and compliance issues.
- Enhanced Scalability: Efficient management of an expanding API landscape is facilitated by a strong discovery mechanism, ensuring consistent performance and reliability as the organization grows.
- Actionable Insights: Discoverable APIs improve analytics and monitoring, providing valuable data on API usage, performance, and areas for improvement, which can inform strategic decisions.
- Faster Market Responsiveness: Quick integration of new or existing services through easily discoverable and well-documented APIs accelerates development, allowing organizations to adapt quickly to market demands.
Eliminate shadow APIs and boost developer productivity by cataloging your services and APIs today!
If you’re already a Konnect user, log in, and you’ll have a pre-populated catalog in minutes. If you’re new and would like to build yours for free, it’s so easy to get started with Konnect Plus.
We can’t wait to see the catalogs you build, and if you have any feedback, let us know at releases.konghq.com.
