Organizations Undercount APIs by One-Third, Experts WarnAPI Requests Comprise 57% of Global Dynamic HTTP Traffic, Cloudflare Reports
A majority of dynamic traffic flowing across the internet involves two or more software components interfacing with each other via application programming interfaces. But as API use grows ever more pervasive, many organizations lack visibility into how many APIs they've opened, whether those APIs are secure or who's meant to have access to them.
So warns San Francisco-based Cloudflare. In an inaugural API Security and Management Report, released Tuesday, the company said it handles about one-fifth of the world's internet traffic, processing on average more than 50 million HTTP requests per second.
The report is based on data gathered by Cloudflare via its web application firewall, distributed denial-of-service defense, bot management and API gateway services over an 11-month period - from Oct. 1, 2022, to Aug. 31, 2023.
Cloudflare said the amount of API traffic crossing the internet continues to surge, and API requests account for 57% of the dynamic HTTP traffic - meaning traffic that "changes based on factors specific to the user, such as time of visit, location and device."
Industries last year with the greatest share of API traffic - comprising 70% or more of their dynamic HTTP traffic - included IoT platforms; rail, bus, taxi and ride-sharing services; legal services; multimedia and games; and logistics and supply chains.
One well-documented "shadow IT" challenge is that not all organizations that use API maintain an accurate inventory or have good visibility into their APIs, what they're doing or why, security experts warn. These zombie APIs can slip through the cracks of oversight by the CIO or CISO.
Cloudflare's report says its own discovery process, using machine-learning tools, found 31% more API endpoints being operated by customers than they self-reported.
Breaches Tied to API Abuse
Multiple large data breaches have resulted from attackers abusing APIs. One of Australia's worst known data breaches to date involved an attacker in 2022 stealing 11.2 million customer records from telecommunications giant Optus via an unauthenticated, publicly accessible API, meaning any internet user could access it, without having to provide any credentials.
In 2019, an attacker stole information on nearly 12 million patients who had lab tests performed by Quest Diagnostics by gaining unauthorized access to an API designed to route information to billing vendors who worked with the lab test firm. Exposed information included financial data, Social Security numbers and medical information.
"Many API breaches happen due to permissive authorization: users being granted too many privileges, or allowed access to other users' data," Cloudflare said.
Without understanding what APIs they're using, organizations don't just risk unauthorized access. They also lack context when attempting to deal with other threats, such as DDoS or injection attacks, Cloudflare said.
"Those that implement API security without an accurate, real-time picture of their API landscape can unintentionally block legitimate traffic," the report warns. Take the top API error category seen by Cloudflare's customers in 2023, which was HTTP error 429, aka "too many requests." The report says: "A 429 code does not automatically mean too many requests from an attacker."
Rather, the error might get triggered by an unexpected surge in legitimate use or by a combination of legitimate use and a DDoS attack. "Imposing overly broad, incorrect rate limits can still block legitimate users," said Cloudflare. It added that the number one API defense it used last year for its customers was blocking DDoS attacks.
Another repeat challenge involves APIs giving users overly permissive "write" access, which can be more easily abused by attackers, rather than restricting them to read-only access. Cloudflare's report says 59% of its customers permit write access to at least half of their APIs.
Calls for Governance
Forrester Research recommends all organizations that build and maintain their own APIs, or use third-party APIs, run a formal API security program that governs such technology. To be effective, such a program must encompass everything from discovery and testing to protection, detection and response (see: API Security Trends: Collaborative Strategies for Leaders).
Regulations are also driving API security changes. Version 4.0 of the Payment Card Industry Data Security Standard, set to take effect March 31, for the first time mandates specific API security checks. In particular, PCI DSS version 4 requires code reviews and testing designed to guard against business logic attacks, "including attempts to abuse or bypass application features and functionalities through the manipulation of APIs."
The latest version of PCI DSS also recommends organizations keep an inventory of "all payment software components and dependencies" that include third-party components - APIs included - not least to ensure they're keeping abreast of known vulnerabilities and ensuring they get patched in a timely manner. While this currently remains a voluntary "best practice," after March 31, 2024, it will become a requirement and part of auditors' assessments.
Violators can face fines and other penalties.