
Cloudflare Report Shows Organisations Struggle To Identify, Manage API Cybersecurity Risks

It's vital that companies identify and protect all their APIs to prevent data breaches and secure their businesses, says Cloudflare CEO.

Representational (Photo by Adi Goldstein on Unsplash)

Businesses are increasingly leveraging application programming interfaces, which underpin today's most-used sites and apps, ultimately opening the door to more online threats than seen before, a report by connectivity cloud company Cloudflare Inc. shows.

The API Security and Management Report underscores the gap between organisations' use of APIs and their ability to safeguard the data those APIs touch.

APIs power the digital world, with everything from phones and smartwatches to banking systems and shopping sites relying on them to communicate. They can help ecommerce sites accept payments, enable healthcare systems to securely share patient data, and give taxis and public transportation access to real-time traffic data.

Businesses now use them to build and provide better sites, apps and services to consumers. However, if unmanaged or unsecured, APIs present a goldmine for threat actors to exfiltrate potentially sensitive information, the report showed.

"APIs are central to how applications and websites work, which makes them a rich, and relatively new, target for hackers," Matthew Prince, chief executive officer of Cloudflare, said. "It's vital that companies identify and protect all their APIs to prevent data breaches and secure their businesses."

Key Findings

  • API Traffic Rising Even For Unlikely Industries: The integrations that APIs allow for have driven organisations across industries to increasingly leverage them. The internet of things, rail, bus and taxi, legal services, multimedia and games, and logistics and supply chain industries saw the highest share of API traffic in 2023.

  • API Traffic Accounts For Majority Of Internet Traffic: APIs dominated dynamic internet traffic around the globe (57%), with each region seeing an increase in usage over the past year. However, the top regions that adopted APIs and witnessed the highest traffic share in 2023 were Africa and Asia.

  • APIs Face Rising Threats: As with any business-critical function that houses sensitive data, threat actors attempt to exploit any means necessary to gain access. The rise in popularity of APIs has also caused a rise in attack volume, with HTTP anomaly, injection attacks and file inclusion being the top three most commonly used attack types, according to Cloudflare.

  • Shadow APIs Provide Defenseless Path For Threat Actors: Organisations struggle to protect what they cannot see. Nearly 31% more API REST endpoints (when an API connects with the software programme) were discovered through machine learning than through customer-provided identifiers, indicating that organisations lack a full inventory of their APIs.

  • DDoS Mitigation Solutions Effective In Protecting APIs: Regardless of whether or not an organisation has full visibility of its APIs, distributed denial-of-service mitigation solutions can help block potential threats. One-third (33%) of all mitigations applied to API threats came from DDoS protections already in place, according to the report.
