Shadow APIs are opening organizations to attacks: Report

Organizations lacking visibility on the application programming interfaces (APIs) they use has resulted in the APIs becoming more complex to manage and protect against abuse, according to a report by Cloudflare.

The report based on the traffic patterns observed by Cloudflare’s network between Oct 2022 and August 2023, has found that organizations are either failing to fully defend themselves or are relying on incomplete protection of APIs without real-time visibility.

“APIs are challenging to protect from abuse. They require deeper business context, discovery methods, and access verification controls compared to other web application security services,” Cloudflare said in the report. “Those that implement API security without an accurate, real-time picture of their API landscape can unintentionally block legitimate traffic.”

The Cloudflare network the report is based on included data from its web application firewall (WAF), DDoS protection, bot management, and API gateway services.

Shadow API opens up the attack surface

Cloudflare analysis concluded that APIs outpace other internet traffic, attributing 57% of the Cloudflare-processed internet traffic (dynamic HTTP) to successful API requests.

“Application developers are increasingly using modern, microservices-based application architectures, and they require APIs to access services, data, or other applications to provide richer functionality for the users of their applications,” said Melinda Marks, senior analyst at ESG. “But this means more attack surface areas so if the APIs are not secure, it creates a point that can be intercepted to get to those services, data or other applications.”

Cloudflare also observed that many organizations lack a full inventory of their APIs, making them difficult to manage. Nearly 31% more Representational State Transfer (REST) API endpoints, the API location responsible for accepting requests and sending back responses, were discovered by Cloudflare’s machine learning tools than those observed by customer-provided session identifiers.

According to Cloudflare, apps that have not been managed or secured by the organization using it — also known as Shadow APIs — are often introduced by developers or individual users to run specific business functions.

“A study of our own showed high percentages (67%) of open APIs for public consumption, (64%) connecting applications with partners, and (51%) connecting microservices, and high rates of API updates, including 35% with daily updates and 40% with weekly updates,” Marks said. “So, it’s an issue of an ever-increasing number of APIs, and the chance of hackers wanting to take advantage of vulnerabilities that are often the result of carelessness.”

DDoS is the leading API threat

Fifty-two percent of all API errors processed by Cloudflare were attributed to the error code 429, which is an HTTP status request code for “too many requests”. This is supported by the fact that 33% of API mitigations comprised blocking Distributed Denial of Service (DDoS).

“This is an important area – we sometimes underestimate or forget about the DoS and DDoS attacks,” Marks said. “The top application security driver is usually application uptime, so the ability to block DoS/DDoS attacks is often a priority for API security.”

Other leading API errors included bad requests (err code 400) at 13.8%, not found (err code 404) at 10.8%, and unauthorized (err code 401) at 10.3%.

“These days, we have more complex, feature-rich applications with an increasing number of APIs helping to deliver complex functionalities, but this increases security risk because each API is an attack surface,” Marks said. “Our recent studies showed 92% of organizations faced at least one API security incident over the previous 12 months, and the impacts included exposure of data, account takeover, Denial of Service attack, etc., and they had serious impacts.”

According to Cloudflare, organizations can protect API abuses by implementing practices that can include unifying API management, performance, and security with connectivity cloud, implementing a “positive security” model with the API gateway that only allows “known good” traffic rather than disallowing “known bad,” using machine learning technologies for cost reduction and security, and measure API maturity over time.


Go to Source