Organizations' lack of visibility into the application programming interfaces (APIs) they use has made those APIs more complex to manage and protect against abuse, according to a report by Cloudflare.

The report, based on traffic patterns observed by Cloudflare’s network between October 2022 and August 2023, found that organizations are either failing to fully defend themselves or are relying on incomplete protection of APIs without real-time visibility.

“APIs are challenging to protect from abuse. They require deeper business context, discovery methods, and access verification controls compared to other web application security services,” Cloudflare said in the report. “Those that implement API security without an accurate, real-time picture of their API landscape can unintentionally block legitimate traffic.”

The report draws on Cloudflare network data that included its web application firewall (WAF), DDoS protection, bot management, and API gateway services.

Shadow API opens up the attack surface

Cloudflare's analysis concluded that APIs outpace other internet traffic, attributing 57% of the Cloudflare-processed internet traffic (dynamic HTTP) to successful API requests.

“Application developers are increasingly using modern, microservices-based application architectures, and they require APIs to access services, data, or other applications to provide richer functionality for the users of their applications,” said Melinda Marks, senior analyst at ESG. “But this means more attack surface areas, so if the APIs are not secure, it creates a point that can be intercepted to get to those services, data or other applications.”