2024-01-09

Organizations' lack of visibility into the application programming interfaces (APIs) they use has made those APIs harder to manage and protect against abuse, according to a report by Cloudflare.

The report, based on traffic patterns observed on Cloudflare's network between October 2022 and August 2023, found that organizations are either failing to fully defend their APIs or are relying on incomplete protection without real-time visibility.

"APIs are challenging to protect from abuse. They require deeper business context, discovery methods, and access verification controls compared to other web application security services," Cloudflare said in the report. "Those that implement API security without an accurate, real-time picture of their API landscape can unintentionally block legitimate traffic."

The Cloudflare network data behind the report came from its web application firewall (WAF), DDoS protection, bot management, and API gateway services.

Shadow API opens up the attack surface

Cloudflare's analysis concluded that API traffic outpaces other internet traffic, attributing 57% of the dynamic HTTP traffic processed by Cloudflare to successful API requests.

"Application developers are increasingly using modern, microservices-based application architectures, and they require APIs to access services, data, or other applications to provide richer functionality for the users of their applications," said Melinda Marks, senior analyst at ESG. "But this means more attack surface areas, so if the APIs are not secure, it creates a point that can be intercepted to get to those services, data or other applications."

Cloudflare also observed that many organizations lack a full inventory of their APIs, making them difficult to manage. Nearly 31% more Representational State Transfer (REST) API endpoints, the API locations responsible for accepting requests and sending back responses, were discovered by Cloudflare's machine learning tools than were identified using customer-provided session identifiers.

According to Cloudflare, APIs that are not managed or secured by the organization using them — known as shadow APIs — are often introduced by developers or individual users to run specific business functions.

"A study of our own showed high percentages (67%) of open APIs for public consumption, (64%) connecting applications with partners, and (51%) connecting microservices, and high rates of API updates, including 35% with daily updates and 40% with weekly updates," Marks said. "So, it's an issue of an ever-increasing number of APIs, and the chance of hackers wanting to take advantage of vulnerabilities that are often the result of carelessness."

DDoS is the leading API threat

Fifty-two percent of all API errors processed by Cloudflare were attributed to HTTP status code 429, "Too Many Requests". This is consistent with the finding that 33% of API mitigations consisted of blocking distributed denial-of-service (DDoS) attacks.

"This is an important area – we sometimes underestimate or forget about the DoS and DDoS attacks," Marks said. "The top application security driver is usually application uptime, so the ability to block DoS/DDoS attacks is often a priority for API security."

Other leading API errors were bad request (status code 400) at 13.8%, not found (404) at 10.8%, and unauthorized (401) at 10.3%.

"These days, we have more complex, feature-rich applications with an increasing number of APIs helping to deliver complex functionalities, but this increases security risk because each API is an attack surface," Marks said. "Our recent studies showed 92% of organizations faced at least one API security incident over the previous 12 months, and the impacts included exposure of data, account takeover, Denial of Service attack, etc., and they had serious impacts."

According to Cloudflare, organizations can protect against API abuse through practices that include unifying API management, performance, and security on a connectivity cloud; implementing a "positive security" model at the API gateway that allows only "known good" traffic rather than blocking "known bad"; using machine learning for cost reduction and security; and measuring API maturity over time.
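As an added example (not code from the Cloudflare report or this article), the Python sketch below puts two of the ideas above side by side: a positive-security allowlist that admits only inventoried endpoints and their accepted query parameters, and a tally of requests to unlisted endpoints as shadow-API candidates for an inventory review. The inventory, paths and sample requests are constructed for illustration.

```python
import re
from collections import Counter
from typing import NamedTuple

class Endpoint(NamedTuple):  # one inventoried ("known good") endpoint
    method: str
    path: re.Pattern            # compiled pattern for the URL path
    allowed_params: frozenset   # query parameters this endpoint accepts

# Hypothetical inventory; in practice it comes from a schema or discovery tooling.
INVENTORY = [
    Endpoint("GET", re.compile(r"^/api/v1/users/\d+$"), frozenset()),
    Endpoint("GET", re.compile(r"^/api/v1/orders$"), frozenset({"page", "limit"})),
    Endpoint("POST", re.compile(r"^/api/v1/orders$"), frozenset({"item_id", "qty"})),
]

def normalize_path(path):
    # Replace numeric path segments with {id} so one endpoint is counted once.
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def evaluate(request, inventory=INVENTORY):
    """Positive model: allow only an inventoried method+path with allowlisted params."""
    method, path, params = request
    for ep in inventory:
        if ep.method == method and ep.path.match(path):
            extra = sorted(set(params) - ep.allowed_params)
            if extra:
                return "block", "unexpected params: " + ",".join(extra)
            return "allow", None
    return "block", "endpoint not in inventory"

def process_traffic(requests, inventory=INVENTORY):
    """Apply the positive model and tally unlisted endpoints (shadow-API candidates)."""
    decisions, shadow = [], Counter()
    for req in requests:
        verdict, reason = evaluate(req, inventory)
        decisions.append(verdict)
        if reason == "endpoint not in inventory":
            shadow[(req[0], normalize_path(req[1]))] += 1
    return decisions, shadow

# Constructed sample requests: (method, path, query parameters).
SAMPLE_TRAFFIC = [
    ("GET", "/api/v1/users/42", {}),
    ("POST", "/api/v1/orders", {"item_id": "7", "qty": "1"}),
    ("GET", "/api/v1/orders", {"page": "1", "debug": "true"}),
    ("GET", "/api/v1/admin/export", {}),
    ("GET", "/api/v1/admin/export", {}),
    ("DELETE", "/api/v1/users/42", {}),
]
```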