Case study
How Domino's Pizza Eliminated Zombie API Threats Using p0
Customer introduction:
Incorporated in 1995, Domino’s Pizza India has been operating since 1996 with their first location in New Delhi. As Domino's popularity grew, they added a number of web and mobile applications with backend APIs to handle business logic and database procedures for the over 800 million users they acquired.
Business growth challenges:
As Domino’s expanded throughout India and Bangladesh, development environments and repositories also expanded. Developers and operations teams struggled to audit and track the many moving parts, including code repositories added over the years. Over its years of operation, Domino’s India accumulated 316 active repositories. Although developers were aware of their growing attack surface, they did not know if any legacy infrastructure was openly allowing for unmoderated activity. Developers and operations needed a comprehensive view of their entire API attack surface to ensure all Zombie APIs were properly identified and either deprecated or moved to active maintenance.
Pre-p0 scan:
Industry definition
How do you define a Zombie API?
The p0 solution:
Domino’s India deployed p0's solution to audit and identify open API endpoints in code. p0’s solution has two components, a large language model (LLM) and the core p0 engine, both deployed on-prem. p0 also integrated with New Relic at Domino's to gain insight into active network traffic data.
p0 then ran a comprehensive scan of Domino's entire codebase. It takes p0 scanners about 1.5 minutes on average to generate results for one endpoint. Domino’s India had 2063 endpoints, so the scan took about 3000 minutes, or roughly 2.2 days, to complete. Reachability tests sent requests to the API endpoints to validate that they were externally accessible and to avoid false positives. p0's engine further ranked zombie API severity by assessing PII involvement in each case.
p0 developers worked closely with Domino’s India to deploy the LLM onto their own private cloud and execute scans. Domino’s India specified that Zombie APIs must have no detected usage in the last month and no active maintenance for at least 6 months. With both requirements applied, 189 Zombie APIs were found in 71 repositories, with 11% of them linked to PII.
Zombie APIs are a rapidly growing cybersecurity issue for enterprise businesses: a zombie API is publicly available and active, but the business has no documentation or monitoring configured for its traffic activity. Because zombie APIs are unknowingly enabled on the network, administrators don’t update them with security patches or keep them maintained like other infrastructure. It was critical for Domino’s India to find zombie APIs to fully protect their attack surface and reduce it where possible.
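The criteria described above (externally reachable, no detected usage in the last month, no active maintenance for at least 6 months, ranked by PII involvement) can be expressed as a small triage routine. This is an added example, not p0's code: the record fields, the 30-day and 182-day windows chosen for "a month" and "6 months", and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

USAGE_WINDOW = timedelta(days=30)         # assumption: "last month" = 30 days
MAINTENANCE_WINDOW = timedelta(days=182)  # assumption: "6 months" = 182 days

@dataclass
class Endpoint:  # hypothetical inventory record, not p0's schema
    route: str
    externally_reachable: bool    # outcome of a reachability test
    last_request: Optional[date]  # newest hit in traffic data; None = never seen
    last_commit: date             # newest commit touching the handler code
    handles_pii: bool

def is_zombie(ep: Endpoint, today: date) -> bool:
    """Both conditions must hold: no recent usage AND no recent maintenance."""
    if not ep.externally_reachable:
        return False  # the definition requires the API to be publicly available
    unused = ep.last_request is None or today - ep.last_request > USAGE_WINDOW
    unmaintained = today - ep.last_commit > MAINTENANCE_WINDOW
    return unused and unmaintained

def triage(inventory, today):
    """Return zombie endpoints, PII-linked first, then longest unmaintained."""
    zombies = [ep for ep in inventory if is_zombie(ep, today)]
    return sorted(zombies, key=lambda ep: (not ep.handles_pii, ep.last_commit))

# Constructed sample inventory (not Domino's data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Endpoint("/v1/orders", True, date(2024, 5, 30), date(2024, 5, 2), True),
    Endpoint("/v0/coupons/export", True, None, date(2022, 11, 9), False),
    Endpoint("/v0/users/lookup", True, date(2024, 3, 1), date(2023, 1, 15), True),
    Endpoint("/internal/health", False, None, date(2021, 7, 4), False),
    Endpoint("/v1/menu", True, date(2024, 2, 1), date(2024, 4, 20), False),
]

def zombie_routes():
    """Routes flagged in the sample, in remediation priority order."""
    return [ep.route for ep in triage(SAMPLE, TODAY)]

if __name__ == "__main__":
    for ep in triage(SAMPLE, TODAY):
        print(("PII  " if ep.handles_pii else "     ") + ep.route)
```

Note that `/v1/menu` is unused but recently maintained, so it is not flagged: the criteria require both conditions.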
How p0 works:
Benefits and results after p0 scan:
Because of the large number of repositories with API references, p0 scanners took 2.2 days to fully scan the entire codebase. Using p0, Domino’s discovered 2063 APIs from the scan, and 1396 of them were externally accessible. Only 667 of them were documented by Domino’s internal teams, so an extended attack surface was identified and could be documented.
Of the numerous APIs identified, p0 found 189 zombie APIs, with 11% of them linked to critical PII. These 189 zombie APIs increased Domino’s India's attack surface, but Domino’s India developers could then add them to monitoring agents and maintenance schedules, or disable them if they were no longer necessary.
Post-scan results:
Results from p0’s solution allowed Domino’s India to disable endpoints and ensure monitoring was in place for all APIs, increasing their security posture. By disabling zombie APIs, Domino’s India better protected their data, avoided unmonitored data breaches, and avoided costs associated with incident response and litigation.