Cloudflare recently released its 2024 API Security and Management Report, providing insights, predictions, and recommendations for safeguarding APIs in the new year. The report analyses the growing risk of shadow APIs, the most common API errors, and global API usage across different industries.
The security team at Cloudflare predicts that in 2024, there will be an increased loss of control and complexity, easier access to AI leading to more API risks, and an increase in business logic-based fraud attacks. The CDN company foresees a growing demand for governance, coinciding with the implementation of the first version of PCI DSS that directly addresses API security going into effect in March 2024. Michelle Zatlyn, COO at Cloudflare, tweets:
APIs are taking over the internet! APIs account for 57% of all Internet traffic, up from ~15% five years ago. This rapid growth is impressive, but it also makes APIs a target for cyberattacks.
John Cosgrove, product manager at Cloudflare, and Sabina Zejnilovic, data scientist at Cloudflare, write:
The rise in generative AI brings potential risks, including AI models' APIs being vulnerable to attack, but also developers shipping buggy, AI-written code.
The findings in the report are derived from traffic patterns observed by Cloudflare's global network over ten months, during which the CDN provider handled an average of over 50 million HTTP requests per second.
Source: Cloudflare blog
The report highlights that many IT departments still do not know how many APIs they have: according to Cloudflare, machine learning-based discovery found 30.7% more API endpoints than self-reported approaches, indicating that nearly a third of APIs are "Shadow APIs" not properly inventoried. WAF-managed rules indicate that injection attacks are the second most common threat vector against APIs, following HTTP Anomaly ones.
While Cloudflare acknowledges that there are no "silver bullets" for API security, they recommend four strategies: combine API application development, visibility, performance, and security with a unified control plane; using security tools that rely on machine learning technologies; adopting a positive security model; and improving the API maturity level over time. In a negative model, security tools look for signs of attack and take action to stop them, in a positive model they only allow good requests through.
The report highlights the importance of implementing a rate-limiting approach, with HTTP 429 being the most common rate-limiting error for APIs, constituting almost 52% of responses among 4xx and 5xx error messages.
Source: Cloudflare blog
Cloudflare recommends that customers base the limit on a session ID as a best practice and only fall back to IP address (or IP + JA3 fingerprint) when session IDs are not available. However, Cosgrove and Zejnilovic explain why implementing the correct approach can be challenging:
For some APIs, practitioners configure rate-limiting errors to respond with an HTTP 403 (forbidden), while others will respond with HTTP 429 (too many requests). Using HTTP 403 sounds innocent enough until you realize that other security tools are also responding with 403 codes. When you are under attack, it can be hard to decipher which tools are responsible for which errors/blocking. Alternatively, if you utilize HTTP 429 for your rate limits, attackers will instantly know that they have been rate-limited and can "surf" right under the limit without being detected.
The full report is freely available, but it requires sign-in. Cloudflare is not the only company releasing a security and management report, with F5 publishing the Forrester API Security Report.