Takeaways from Cloudflare's 2024 API Security Report

Cloudflare has released its annual 2024 report on how secure the APIs on the internet have been, and it highlights guidelines and pointers to help companies mitigate attacks on their APIs that can lead to security and data breaches.

According to the company, over 57% of internet traffic is API traffic, which makes it larger than any other form of traffic online.

Shadow APIs

Shadow APIs are, in the company's words, APIs that are undocumented or 'undiscovered'; left to run amok online, they lead to a lot of security breaches.

Shadow APIs are a growing risk for organizations because they can be used to bypass security measures and gain access to sensitive data, potentially leading to substantial data leakage and compliance violations. To mitigate this, Cloudflare advises documenting every API deployed online and performing regular vulnerability checks on them, so that unintended requests to these APIs do not get through, and maintaining a good level of authorization permissions as a way to contain the risk they pose.

Risk of Misdiagnosing API Errors

According to Cloudflare, over 51% of the error codes returned by APIs are 429s, the code that indicates rate limiting, i.e. a very large number of requests hitting an API at a single point in time. The company emphasizes the need for a system that rate limits APIs deliberately, using the header options available.
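The 429 response is only useful if it tells a client how to behave, which is what the header options the report refers to are for. The following is an added example, not code from Cloudflare or the report: a per-client token-bucket rate limiter that answers excess traffic with HTTP 429, the standard Retry-After header, and the RateLimit-Limit / RateLimit-Remaining headers from the IETF RateLimit header draft. The client keys, the 5-requests-per-second limit and the timestamps are constructed for illustration.

```python
"""Token-bucket rate limiter that emits 429 with Retry-After and RateLimit-*
headers. Added example, not Cloudflare's code; limits and client keys are
constructed. `now` is passed explicitly so the behaviour is reproducible."""
import math
import time


class TokenBucket:
    """Holds up to `capacity` tokens, refilled continuously at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.updated = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now

    def try_consume(self, now: float):
        """Return (allowed, seconds until the next token becomes available)."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - self.tokens) / self.refill_per_sec


class RateLimiter:
    """Per-client limiter; `check` returns the status code and headers to send."""

    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}

    def check(self, client_key: str, now: float = None):
        if now is None:
            now = time.monotonic()
        bucket = self.buckets.get(client_key)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, now)
            self.buckets[client_key] = bucket
        allowed, wait = bucket.try_consume(now)
        headers = {
            "RateLimit-Limit": str(self.capacity),
            "RateLimit-Remaining": str(int(bucket.tokens)),
        }
        if allowed:
            return 200, headers
        # Tell the client exactly how long to back off, so a well-behaved
        # client retries once later instead of hammering the endpoint.
        headers["Retry-After"] = str(max(1, math.ceil(wait)))
        return 429, headers


def simulate(limiter: RateLimiter, client_key: str, timestamps):
    """Feed a sequence of request timestamps to the limiter; return the statuses."""
    return [limiter.check(client_key, t)[0] for t in timestamps]


if __name__ == "__main__":
    lim = RateLimiter(capacity=5, refill_per_sec=1.0)
    # Constructed burst: 8 requests at t=0 from one client, then one at t=1.
    print(simulate(lim, "10.0.0.5", [0.0] * 8 + [1.0]))
    print(lim.check("10.0.0.5", 1.2))
```

The limiter is keyed per client (an IP, API key or token fingerprint in practice), so one noisy source exhausts only its own bucket, and every response carries the remaining budget so clients can pace themselves before they ever see a 429.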

Mitigating API Errors

  1. Schema Validation

    HTTP anomalies such as missing user agents, malformed method signatures and names, non-standard ports, and similar irregularities are common signs that a request sent to your API is malicious. It is therefore important to block such requests and to strictly allow only requests that fall outside these categories.

  2. Tackle Authentication LoopHoles

    Faulty authentication methods used in designing APIs are a loophole that attackers can use to breach your APIs.

    It is crucial to address these by: enforcing very strict authentication methods for your APIs through sound API design and practices; limiting the rate of incoming requests your server accepts from an external source; blocking request sources that send an abnormal number of requests; and preventing attackers from skipping any steps in the authentication process.
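Schema validation as described in step 1 amounts to a positive model: parse the request, check it against an explicit description of what a legitimate request looks like, and reject everything else. The block below is an added example, not code from Cloudflare or the report. It parses a raw HTTP/1.1 request head and rejects the anomalies the step lists (malformed method, missing User-Agent, non-standard port) plus requests for any endpoint outside a constructed route table; the route patterns, host name and sample requests are all constructed for illustration.

```python
"""Positive-model request validator. Added example, not Cloudflare's code;
the route table, ports and sample requests are constructed."""
import re
from dataclasses import dataclass

STANDARD_PORTS = {80, 443}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
# Allowlist of endpoints (constructed). A request must match one of these
# exactly, including the shape of path parameters, or it is rejected.
ROUTES = [
    ("GET", re.compile(r"/v1/users/(?P<id>\d{1,10})")),
    ("POST", re.compile(r"/v1/orders")),
]


@dataclass
class Request:
    method: str
    path: str
    version: str
    headers: dict  # header names lower-cased
    port: int


def parse_request(raw: str, port: int) -> Request:
    """Parse the head of a raw HTTP/1.1 request; raise ValueError if malformed."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, path, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, version, headers, port)


def validate(req: Request):
    """Return (accepted, reason). Every check is an allow rule; anything else fails."""
    if not re.fullmatch(r"[A-Z]{3,7}", req.method) or req.method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if req.version != "HTTP/1.1":
        return False, "unsupported protocol version"
    if req.port not in STANDARD_PORTS:
        return False, "non-standard port"
    if not req.headers.get("user-agent"):
        return False, "missing user agent"
    if "host" not in req.headers:
        return False, "missing host header"
    for method, pattern in ROUTES:
        if method == req.method and pattern.fullmatch(req.path):
            break
    else:
        return False, "unknown endpoint"
    if req.method == "POST" and req.headers.get("content-type") != "application/json":
        return False, "unexpected content type"
    return True, "ok"


def check_raw(raw: str, port: int):
    """Parse then validate; a parse failure is itself a rejection reason."""
    try:
        req = parse_request(raw, port)
    except ValueError as exc:
        return False, str(exc)
    return validate(req)


if __name__ == "__main__":
    good = "GET /v1/users/42 HTTP/1.1\r\nHost: api.example.test\r\nUser-Agent: curl/8.0\r\n\r\n"
    print(check_raw(good, 443))
    print(check_raw(good.replace("User-Agent: curl/8.0\r\n", ""), 443))
    print(check_raw(good, 8443))
```

Note that the route table also pins the type of each path parameter, so a user id that is not numeric is rejected as an unknown endpoint rather than being passed through to the application; this is the part of schema validation that a plain WAF signature list does not give you.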

Predictions of the type of API Attacks for 2024 and beyond

  1. Increased loss of Control and increase in complexity

    According to Cloudflare's report there is a disconnect between the IT/security teams and the development teams of companies: 73% of developers feel that security regulations tend to slow them down, and security is generally treated as a second-class citizen in organizations. The report emphasizes the need for automated API pen-testing and security scans to boost API security.

  2. Increased and Easier Access to AI can lead to security risks

    2023 and 2024 have seen a massive increase in the number of generative AI applications produced, and in the wrong hands these can become a very big source of API attacks.

    Many companies are now working heads-down to integrate GenAI into their applications, and this can become a focal point of attack: through automation and botnets, attackers can make huge numbers of API calls to the services behind these GenAI applications (which are generally packaged as APIs) to run up the costs the company has to pay for those services, and can rapidly drive up compute costs by targeting the sophisticated models that companies in the GenAI space are building. GenAI can also be used to implant malicious code execution, through prompt injection attacks and similar techniques, causing very big security breaches.

  3. Increase in Business and Logic-Based Attacks

    Bot operators will be used even more widely to attack and target APIs, leading to the automatic creation of large numbers of unsolicited fake users on many applications. These bots can also impersonate the users currently active on the application, and the same phenomenon can lead to an increase in credential stuffing on applications without MFA support.

  4. Increasing Regulation and Governance

    Organizations can expect many more compliance and governance rules, and bodies that set them, to emerge with the aim of boosting API security. These can also lay out guidelines that help businesses and companies protect themselves from security breaches that come through their APIs acting as an intermediary.

    Some examples of this are PCI DSS, SOC 2 Compliance, and more.

Cloudflare's Recommendations to build Robust APIs

The company recommends a holistic approach to protecting yourself from API security breaches.

  1. Centralize App Management, Visibility, Performance and Security with a Connectivity Cloud

    A connectivity cloud, released by the company, is a piece of software that delivers connectivity between the different stages of the SDLC and API defense. This infrastructure includes:

    • Automated API Discoverability and Visibility

    • Modern Authentication and Authorization

    • API Endpoint Management

    • API Protections

    • Detection of any Zero-Day Exploits

  2. Use an API Gateway

    According to Cloudflare, there are an estimated 200 million public and private APIs in use, and IT and security leaders cannot realistically keep up with the performance, behavior, and risk exposure of each one. Traditionally, web applications are protected with a negative security model enforced by a web application firewall (WAF), which allows everything except requests coming from problematic IPs, ASNs, or countries, or requests with problematic signatures.

    Organizations should instead protect their APIs using a "positive security" model, allowing only known good behavior and rejecting everything else. This approach effectively blocks malicious requests and anomalies, such as credential-stuffing attacks and automated scanning tools. To ensure security, organizations should implement best practices such as secure authentication and authorization methods and rate limiting, so that only authorized access to the APIs is allowed.

  3. ML technologies to reduce costs and free up resources

    Cloudflare also suggests that companies use automation and emerging ML models to analyze and identify security problems in their products and applications. ML can be used to train a classifier that distinguishes between different forms of traffic and attack sources, uncovers all API traffic from a particular source, detects attack variations such as XCE, XSS and more, and finally differentiates between the types of spikes in your product's usage, analysing the source of the requests to tell a DDoS attack apart from a genuine increase in the user base of your product.

  4. Improve your Organization's API Maturity

    Cloudflare suggests that organizations can protect their APIs by implementing a holistic web application and API protection (WAAP) platform, which provides comprehensive security. However, for organizations just starting to address their API exposure, it is important to begin somewhere. They can progress toward comprehensive API management and security by following these levels:

    1. Visibility: Companies should track and manage all their API endpoints, including shadow APIs, by using an API visibility service to automatically discover API endpoints and identify their ownership and proper usage.

    2. General web attack protection: This involves implementing services such as DDoS mitigation, a Web Application Firewall (WAF), encryption certificate management, and advanced rate limiting to protect web applications and APIs from threats such as DoS attacks, credential stuffing, and zero-day vulnerabilities.
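The visibility level above (discover every endpoint, including shadow APIs) and the positive security model from recommendation 2 depend on the same thing: an inventory of what is documented, compared against what is actually being called. The block below is an added example, not code from Cloudflare or the report. It parses a few constructed access-log lines in combined log format, normalises path parameters (numeric ids and UUIDs) into templates, and reports every method-plus-endpoint combination that is being served but does not appear in the documented inventory; the inventory, hostnames, paths and log lines are all constructed for illustration.

```python
"""Shadow-API discovery from access logs. Added example, not Cloudflare's
code; the inventory and the log lines are constructed."""
import re
from collections import Counter

# Documented inventory (constructed), as "METHOD /path-template" strings.
DOCUMENTED = {
    "GET /v1/users/{id}",
    "POST /v1/orders",
    "GET /v1/orders/{id}",
}

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+'
)

UUID = re.compile(r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}")

# Constructed sample log: two documented endpoints, a debug endpoint nobody
# wrote down, and a v2 export that never made it into the inventory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2024:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2024:10:00:02 +0000] "GET /v1/users/43?verbose=1 HTTP/1.1" 200 498
10.0.0.9 - - [10/Feb/2024:10:00:03 +0000] "POST /v1/orders HTTP/1.1" 201 77
10.0.0.9 - - [10/Feb/2024:10:00:04 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.9 - - [10/Feb/2024:10:00:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.7 - - [10/Feb/2024:10:00:06 +0000] "GET /v2/users/42/export HTTP/1.1" 200 9001
10.0.0.7 - - [10/Feb/2024:10:00:07 +0000] "GET /v1/orders/7/ HTTP/1.1" 200 300
"""


def normalize(path: str) -> str:
    """Drop the query string and trailing slash; replace ids with {id}."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    segments = []
    for seg in path.split("/"):
        if seg.isdigit() or UUID.fullmatch(seg):
            segments.append("{id}")
        else:
            segments.append(seg)
    return "/".join(segments)


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per normalised 'METHOD /template' seen in the log."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line; in production surface these separately
        seen[f"{m.group('method')} {normalize(m.group('path'))}"] += 1
    return seen


def find_shadow_endpoints(log_text: str, documented) -> dict:
    """Return {endpoint: request count} for endpoints served but not documented."""
    return {k: n for k, n in observed_endpoints(log_text).items() if k not in documented}


if __name__ == "__main__":
    for endpoint, count in sorted(find_shadow_endpoints(SAMPLE_LOG, DOCUMENTED).items()):
        print(f"SHADOW {endpoint}  ({count} requests)")
```

Run against real gateway or WAF logs, the output is the list of endpoints to either document and bring under the positive model or retire; the normalisation step matters because without it every distinct user id looks like a separate undocumented endpoint.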

Conclusion

Overall, the company sets out many guidelines and measures that organizations can adopt to mitigate and address this common class of vulnerability, and hopes to make the internet much safer at a time when automated attacks are becoming far more commonplace, a trend that only seems to be going up from here.

Sources

https://blog.cloudflare.com/2024-api-security-report

https://www.cloudflare.com/en-gb/2024-api-security-management-report/
