A lack of visibility into the application programming interfaces (APIs) they use has left organizations with APIs that are harder to manage and to protect against abuse, according to a report by Cloudflare.
The report, based on traffic patterns observed on Cloudflare's network between October 2022 and August 2023, found that organizations are either failing to fully defend their APIs or relying on incomplete protection without real-time visibility into them.
"APIs are challenging to protect from abuse. They require deeper business context, discovery methods, and access verification controls compared to other web application security services," Cloudflare said in the report. "Those that implement API security without an accurate, real-time picture of their API landscape can unintentionally block legitimate traffic."
Shadow APIs open up the attack surface
Cloudflare's analysis found that API traffic outpaces other internet traffic: 57% of the dynamic HTTP traffic Cloudflare processed consisted of successful API requests.
"Application developers are increasingly using modern, microservices-based application architectures, and they require APIs to access services, data, or other applications to provide richer functionality for the users of their applications," said Melinda Marks, senior analyst at ESG. "But this means more attack surface areas so if the APIs are not secure, it creates a point that can be intercepted to get to those services, data or other applications."
Cloudflare also observed that many organizations lack a full inventory of their APIs, which makes them hard to manage. Cloudflare's machine learning discovery found nearly 31% more Representational State Transfer (REST) API endpoints (the URL paths that accept requests and return responses) than customers had identified themselves through customer-provided session identifiers.
According to Cloudflare, APIs that are not managed or secured by the organization using them, known as shadow APIs, are often introduced by developers or individual users to run specific business functions.
"A study of our own showed high percentages (67%) of open APIs for public consumption, (64%) connecting applications with partners, and (51%) connecting microservices, and high rates of API updates, including 35% with daily updates and 40% with weekly updates," Marks said. "So, it's an issue of an ever-increasing number of APIs, and the chance of hackers wanting to take advantage of vulnerabilities that are often the result of carelessness."
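The inventory gap described above is easiest to see with a concrete discovery pass. The following is an added example, not code from Cloudflare or from the report: it takes a declared endpoint inventory (as a team might export from an OpenAPI spec) and a handful of constructed access-log lines, collapses identifier-looking path segments into templates, counts only requests the API actually served (2xx/3xx), and reports which served endpoints the inventory never declared. The log format, the inventory, and the "numeric or UUID segment is an id" heuristic are assumptions made for the example.

```python
"""Find shadow API endpoints by comparing served traffic against the declared inventory."""
import re
from collections import Counter

# Constructed sample: endpoints the team has declared (method, path template).
DECLARED_ENDPOINTS = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Constructed sample access-log lines: "METHOD PATH STATUS".
SAMPLE_LOG = """\
GET /api/v1/users/1042 200
GET /api/v1/users/77 200
POST /api/v1/orders 201
GET /api/v1/orders/9001 200
GET /api/v1/orders/9001/invoice 200
DELETE /api/v1/users/77 204
GET /api/internal/debug/config 200
GET /api/v1/export?format=csv 200
GET /api/v1/nope 404
GET /api/v1/users/1042 429
"""

LOG_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Assumed heuristic: purely numeric segments and UUIDs are resource identifiers.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.I)


def normalize_path(path):
    """Drop the query string and collapse identifier segments to {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def discover_endpoints(log_text):
    """Count (method, template) pairs that the API actually served."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        if int(m["status"]) >= 400:
            continue  # a 404 or 429 is not evidence that the endpoint exists
        seen[(m["method"], normalize_path(m["path"]))] += 1
    return seen


def discovery_report(log_text, declared):
    """Compare traffic-discovered endpoints with the declared inventory."""
    observed = discover_endpoints(log_text)
    shadow = {ep: n for ep, n in observed.items() if ep not in declared}
    return {
        "declared_total": len(declared),
        "observed_total": len(observed),
        "shadow": shadow,
        # How many more endpoints traffic reveals than the inventory lists.
        "extra_pct": round(100 * len(shadow) / len(declared)) if declared else 0,
    }


if __name__ == "__main__":
    report = discovery_report(SAMPLE_LOG, DECLARED_ENDPOINTS)
    print(f"declared={report['declared_total']} observed={report['observed_total']} "
          f"extra={report['extra_pct']}%")
    for (method, template), hits in sorted(report["shadow"].items()):
        print(f"SHADOW {method} {template} ({hits} served requests)")
```

Two of the shadow results are worth noting: DELETE on a declared path is still a shadow endpoint, because an inventory is a set of method-plus-path pairs, not of paths; and the 404 line is ignored, since counting every path that was ever requested would inflate the inventory with probing traffic rather than real endpoints.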
DDoS is the leading API threat
Fifty-two percent of all API errors Cloudflare processed carried HTTP status code 429 ("Too Many Requests"), the response a server returns when a client exceeds a rate limit. Consistent with this, 33% of API mitigations were blocks of distributed denial-of-service (DDoS) attacks.
"This is an important area; we sometimes underestimate or forget about the DoS and DDoS attacks," Marks said. "The top application security driver is usually application uptime, so the ability to block DoS/DDoS attacks is often a priority for API security."
Other leading API errors were 400 Bad Request at 13.8%, 404 Not Found at 10.8%, and 401 Unauthorized at 10.3%.
"These days, we have more complex, feature-rich applications with an increasing number of APIs helping to deliver complex functionalities, but this increases security risk because each API is an attack surface," Marks said. "Our recent studies showed 92% of organizations faced at least one API security incident over the previous 12 months, and the impacts included exposure of data, account takeover, Denial of Service attack, etc., and they had serious impacts."
According to Cloudflare, organizations can protect against API abuse through practices that include unifying API management, performance, and security on a connectivity cloud; implementing a "positive security" model at the API gateway that allows only "known good" traffic rather than blocking "known bad"; using machine learning for both cost reduction and security; and measuring API maturity over time.
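The difference between the positive model and a "known bad" denylist is clearer in code. The following is an added example, not Cloudflare's gateway logic or anything from the report: an allowlist of method, path template and query-parameter schema that a gateway enforces, beside a signature denylist for contrast. Requests that match no allowlist rule, hit an undeclared method, carry an unknown query parameter, or carry a malformed parameter value are all denied by default, including a novel probe that the denylist would wave through. The rules, the id format and the denylist signatures are assumptions made for the example.

```python
"""Positive (allowlist) security model for an API gateway, with a denylist for contrast."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: (method, path template, {query param: value pattern}).
# Anything not described here is denied. Patterns are matched in full.
ALLOWLIST = [
    ("GET", "/api/v1/users/{id}", {}),
    ("GET", "/api/v1/orders", {"page": r"\d{1,4}", "status": r"open|shipped|closed"}),
    ("POST", "/api/v1/orders", {}),
]
ID_PATTERN = r"\d{1,12}"  # assumed id format: up to 12 decimal digits

# Constructed denylist of "known bad" signatures, the negative model the text warns against.
KNOWN_BAD = [re.compile(p, re.I) for p in (r"\.\./", r"union\s+select", r"<script")]


def compile_template(template):
    """Turn '/api/v1/users/{id}' into a regex that accepts only well-formed ids."""
    literal_parts = [re.escape(part) for part in template.split("{id}")]
    return re.compile(f"({ID_PATTERN})".join(literal_parts))


RULES = [
    (method, compile_template(template), {k: re.compile(v) for k, v in params.items()})
    for method, template, params in ALLOWLIST
]


def gateway_decision(method, url):
    """Positive model: return ('allow', None) only for known-good requests, else ('deny', reason)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for rule_method, path_re, param_rules in RULES:
        if rule_method != method or not path_re.fullmatch(parts.path):
            continue
        # Method and path are known good; every query parameter must be known good too.
        for name, values in query.items():
            if name not in param_rules:
                return ("deny", f"unknown query parameter {name!r}")
            if not all(param_rules[name].fullmatch(v) for v in values):
                return ("deny", f"malformed value for query parameter {name!r}")
        return ("allow", None)
    return ("deny", f"no allowlist rule for {method} {parts.path}")


def denylist_decision(method, url):
    """Negative model for contrast: pass everything unless a known-bad signature appears."""
    if any(sig.search(url) for sig in KNOWN_BAD):
        return ("deny", "matched known-bad signature")
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample requests, including a shadow endpoint and a tampered parameter.
    samples = [
        ("GET", "/api/v1/users/1042"),
        ("GET", "/api/v1/orders?page=2&status=open"),
        ("DELETE", "/api/v1/users/1042"),
        ("GET", "/api/internal/debug/config"),
        ("GET", "/api/v1/orders?status=open%27%20OR%201%3D1"),
        ("GET", "/api/v1/users/1042?debug=1"),
    ]
    for method, url in samples:
        pos, neg = gateway_decision(method, url), denylist_decision(method, url)
        print(f"{method:6} {url:45} allowlist={pos[0]:5} denylist={neg[0]}")
```

The tampered `status` value is the instructive case: it contains no signature the denylist knows, so the negative model allows it, while the positive model rejects it simply because it is not one of the three declared values. The cost of the positive model is the one Cloudflare's report flags: if the allowlist does not reflect the real API landscape (a missing DELETE rule, say), legitimate traffic is blocked along with the abuse.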