
Cloudflare, a global content delivery network (CDN) provider, has released its first API Security and Management Report. According to this year's findings, companies are using APIs, a technology that powers the majority of popular websites and applications, more than ever before, which exposes them to increased online risk. The research highlights the gap between enterprises' adoption of APIs and their capacity to protect the data those APIs touch.
APIs are the backbone of the digital world, Cloudflare stated. They enable communication between websites, financial systems, wearables, and phones. They may facilitate safe patient data sharing across healthcare systems, allow e-commerce sites to process payments, and even provide real-time traffic data to taxis and public transit. These days, almost all businesses use them to create and provide customers with better websites, applications, and services. However, insecure or poorly maintained APIs give threat actors a wealth of opportunities to steal potentially private data, Cloudflare added.
“APIs are central to how applications and websites work, which makes them a rich, and relatively new, target for hackers,” said Matthew Prince, CEO and co-founder at Cloudflare. “It’s vital that companies identify and protect all their APIs to prevent data breaches and secure their businesses.”
APIs Account for 57% of Dynamic Internet Traffic
Key findings from Cloudflare’s 2024 API Security and Management Report include the following:
- Even unlikely industries see high spikes of API traffic - Organizations in a variety of sectors are using APIs more and more because they enable smooth interactions; some are doing so faster than others. The sectors with the largest proportion of API traffic in 2023 were IoT, rail, bus and taxi, legal services, multimedia and gaming, and logistics and supply chain.
- API traffic accounts for the majority of Internet traffic - Globally, APIs account for 57% of dynamic Internet traffic; during the last year, use has increased in every location that Cloudflare defends. Asia and Africa had the greatest traffic share in 2023 and the fastest use of APIs.
- APIs face an array of frequent and increasing threats - As with any well-known, crucial company function that contains sensitive data, threat actors try to get access by all means possible. Attack volume has increased along with the use of APIs; the three attack methods that Cloudflare mitigates most often are file inclusion, injection attacks, and HTTP anomalies.
- Shadow APIs provide a defenseless path for threat actors - Organizations struggle to protect what they can’t see. Machine learning revealed over 31% more API REST endpoints (where an API interfaces with the software application) than customer-provided IDs did; this suggests that enterprises may not have a complete inventory of their APIs.
- DDoS mitigation solutions are one of the most effective tools to protect APIs - DDoS mitigation technologies may help thwart attacks even when a company has complete access to all of its APIs. Pre-existing DDoS safeguards accounted for one-third (33%) of all mitigations applied to API attacks.
“APIs are powerful tools for developers to create full-featured, complex applications to serve their customers, partners, and employees, but each API is a potential attack surface that needs to be secured,” said Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group. “As this new report shows, organizations need more effective ways to address API security, including better visibility of APIs, ways to ensure secure authentication and authorization between connections, and better ways to protect their applications from attacks.”
Report Methodology: The results in this report, including the data mentioned above, are based on traffic patterns observed by Cloudflare's worldwide network (which includes Cloudflare's web application firewall, DDoS protection, bot management, and API gateway services) between October 1, 2022, and August 31, 2023. In the quarter that concluded on September 30, 2023, Cloudflare stopped an average of 170 billion cyberthreats per day and serviced more than 50 million HTTP requests per second.