API security
API requests make up 57% of global dynamic HTTP traffic, Cloudflare reports
Matthew J. Schwartz (euro infosec)
January 9, 2024
Most of the dynamic traffic that flows on the Internet involves two or more software components that interface with each other through application programming interfaces. However, as the use of APIs becomes more prevalent, many organizations lose track of how many APIs they have open, whether they are secure, or who has access to them.
So warns San Francisco-based Cloudflare in its inaugural API Security and Management Report, released on Tuesday. The company says it handles about one-fifth of the world’s internet traffic, processing an average of more than 50 million HTTP requests per second.
The report is based on data Cloudflare collected through its web application firewall, distributed denial-of-service protection, bot management, and API gateway services during an 11-month period from October 1, 2022 to August 31, 2023.
According to Cloudflare, the amount of API traffic traversing the internet continues to skyrocket, with API requests accounting for 57% of dynamic HTTP traffic, meaning traffic that “changes based on user-specific factors such as visit time, location, and device.”
Last year, the industries with the largest share of API traffic (where APIs comprised over 70% of dynamic HTTP traffic) included IoT platforms; trains, buses, taxis, and rideshare services; legal services; multimedia and gaming; and logistics and supply chain.
One of the well-documented “shadow IT” challenges, security experts warn, is that not all organizations using APIs maintain an accurate inventory of what their APIs are doing and why. These zombie APIs can slip through the cracks of oversight by CIOs and CISOs.
A proprietary discovery process using machine learning tools revealed that customers were operating 31% more API endpoints than they had self-reported, according to Cloudflare’s report.
Breaches related to API misuse
Attackers’ misuse of APIs has led to multiple large-scale data breaches. One of the worst known data breaches to date in Australia occurred in 2022, when attackers stole 11.2 million customer records from telecoms giant Optus via an unauthenticated and publicly accessible API, meaning any internet user could access it without providing credentials.
In 2019, attackers compromised an API designed to route information to billing vendors that worked with testing companies, stealing data on approximately 12 million patients who had tests performed by Quest Diagnostics. The leaked information included financial data, Social Security numbers, and medical information.
“Many API breaches occur due to permissive authorization, such as users being granted excessive privileges or access to other users’ data,” Cloudflare said.
According to Cloudflare, organizations that don’t understand the APIs they’re using are not only at risk of unauthorized access but also lack context when trying to deal with other threats such as DDoS and injection attacks.
“Enterprises that implement API security without accurate real-time visibility into their API environment may inadvertently block legitimate traffic,” the report warns. The top API error category seen by Cloudflare customers in 2023 was HTTP error 429, also known as “too many requests.” The report states that “a 429 code does not automatically mean too many requests from an attacker.”
Rather, such errors can be caused by unexpected spikes in legitimate usage or by a combination of legitimate usage and DDoS attacks. Cloudflare says that “imposing overly broad and imprecise rate limits can still block legitimate users,” and points out that the biggest API defense it applied for customers last year was blocking DDoS attacks.
Another recurring challenge involves APIs that give users overly permissive “write” access rather than restricting them to read-only access, which attackers can easily exploit. According to the report, 59% of customers allow write access to at least half of their APIs.
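The shadow-endpoint, unauthenticated-access, write-access and 429 findings above lend themselves to a log-driven inventory check. The following Python is an added example, not code from the article or from Cloudflare: it assumes a simplified, constructed access-log format (client IP, method, path, status, whether an Authorization header was present) and a self-reported endpoint list, then flags endpoints that were never declared, endpoints that served requests without credentials, write-capable endpoints, and endpoints whose 429s are spread over many clients, the pattern the report says can reflect an overly broad rate limit or a legitimate spike rather than an attacker.

```python
import re
from collections import defaultdict
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed (constructed) log format: client_ip method path status has_auth_header
LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3}) (yes|no)$")
SAMPLE_LOG = """\
10.0.0.1 GET /api/v1/users/42 200 yes
10.0.0.2 GET /api/v1/users/43 200 no
10.0.0.3 POST /api/v1/orders 201 yes
10.0.0.4 GET /api/v1/health 200 no
10.0.0.5 GET /api/v1/users/44 429 yes
10.0.0.5 GET /api/v1/users/45 429 yes
10.0.0.6 GET /api/v1/users/46 429 yes
10.0.0.7 GET /api/v1/users/47 429 yes""".splitlines()  # constructed sample traffic

def normalize(path):
    # Collapse numeric segments so /users/42 and /users/43 count as one endpoint
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def build_inventory(lines):
    """Return {(method, endpoint): stats} for every endpoint seen in the log."""
    inv = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        ip, method, path, status, auth = m.groups()
        e = inv.setdefault((method, normalize(path)),
                           {"requests": 0, "unauth_ok": 0, "limited": defaultdict(int)})
        e["requests"] += 1
        if auth == "no" and status.startswith("2"):
            e["unauth_ok"] += 1  # served successfully without any credentials
        if status == "429":
            e["limited"][ip] += 1  # rate-limited responses, per client
    return inv

def findings(inv, self_reported):
    """Flag shadow, unauthenticated, write-capable and broadly rate-limited endpoints."""
    out = []
    for (method, ep), e in sorted(inv.items()):
        if (method, ep) not in self_reported:
            out.append(("shadow", method, ep))
        if e["unauth_ok"]:
            out.append(("unauthenticated", method, ep))
        if method in WRITE_METHODS:
            out.append(("write", method, ep))
        # 429s from one client: a targeted limit doing its job; from many clients: limit likely too broad
        if len(e["limited"]) >= 3:
            out.append(("broad_429", method, ep))
    return out
```

Running `findings(build_inventory(SAMPLE_LOG), declared)` with a declared set that omits `/api/v1/health` reports that endpoint as shadow and unauthenticated, the users endpoint as unauthenticated and broadly rate-limited, and the orders endpoint as write-capable.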
A call for governance
Forrester Research recommends that all organizations that build and maintain their own APIs, or that use third-party APIs, have a formal API security program in place to manage such technologies. For such programs to be effective, they must cover everything from discovery and testing to protection, detection, and response (see API Security Trends: A Collaborative Strategy for Leaders).
Regulations are also driving changes to API security. Payment Card Industry Data Security Standard version 4.0, scheduled to go into effect on March 31, mandates certain API security checks for the first time. In particular, PCI DSS version 4 requires code reviews and testing designed to protect against business logic attacks, which “include attempts to exploit or bypass the functionality of an application through the manipulation of its API.”
The latest version of PCI DSS also requires organizations to maintain an inventory of “all payment software components and dependencies,” including third-party components such as APIs, to ensure, among other things, that they stay aware of known vulnerabilities and that patches are applied in a timely manner. This currently remains a voluntary “best practice,” but from March 31, 2025, it will become mandatory and part of the auditor’s assessment.
Violators may be subject to fines and other penalties.