API growth parallels attacks

Closing the gaps legacy security has left

Modern APIs: Easy to use, difficult to secure

APIs — short for ‘application programming interface’ — are the building blocks of many modern web applications. More accurately, they connect servers, endpoints, and software in a way that makes it possible to execute any number of functions in mere milliseconds, from syncing mobile data to the cloud to enabling code-free application development.

As with anything connected to the Internet, the more widespread API usage becomes, the more appealing a target it presents to attackers. And, API attacks appear to have reached an all-time high; a recent survey noted that 53% of respondents had experienced a data breach due to compromised API tokens.

This proliferation highlights critical gaps within traditional security practices and solutions. As organizations move toward more modern security deployments, they must address three key challenges when protecting their APIs:

1. API services are difficult to secure across multiple cloud environments.

2. API development and security do not go hand-in-hand.

3. Legacy security services were not designed with API protection in mind.

To solve these gaps, modern API security solutions must provide scalable, automated API threat defense that enables Security and Engineering to stay ahead of zero-day exploits and tailored attacks. That’s where web application and API protection (WAAP) comes in: A dedicated platform of security services specifically designed to manage and protect APIs from a range of complex, emerging threats.

The cost of an API attack

Just like APIs themselves, API attacks are rapidly increasing in size and sophistication — and the price to remediate them is growing.

In a report from the United States Securities and Exchange Commission, T-Mobile disclosed a significant data breach caused by an exposed API. Over two months, the attacker gained access to the personal data of 37 million customer accounts, including billing information, email addresses, and phone numbers.

On an even larger scale, Twitter became a target due to an unpatched API vulnerability that allowed users to access email addresses and phone numbers associated. The bug was not caught for seven months; by then, attackers had already publicized account information belonging to 235 million users.

Even for organizations that service a smaller user base than these large enterprise companies, API vulnerabilities can open the door to devastating attacks. The exfiltration of sensitive user data may irrevocably damage brand reputation and customer trust, enable lateral movement within, or result in steep financial losses and lasting legal implications.

Exactly how much is this costing organizations? One estimate places the cost of API insecurity (breaches due to API errors or exploits) around 41 to 75 billion USD in annual losses.

3 challenges with securing APIs

In the race to secure APIs ahead of these attacks, organizations face three primary challenges:

1. API services are difficult to secure across hybrid and multicloud environments. The average large organization has hundreds of known APIs, often maintained in multiple cloud or hybrid environments. This kind of disjointed deployment makes the process of securing and overseeing APIs exponentially more complex, while also consuming valuable internal resources needed to scale. In one report, 78% of respondents said they manage over 250 different API tokens, keys, and certificates across their networks — and as their API usage grows, the burden of maintaining manual security processes across multiple environments can lead to inadvertent oversights.

2. API development and security do not go hand-in-hand. Engineers and Developers are continually creating and publishing APIs, but often don’t communicate work with Security to protect them. With the rapid increase in API development, it becomes almost impossible to detect and patch every vulnerability before shipping, forcing Security to play catch up.

3. Traditional security services were not built with API protection in mind. API attacks — from data exfiltration to authorization and authentication exploits — often depend on a deep, contextual understanding of a specific API’s functions and potential vulnerabilities. Although existing toolsets (including web application firewalls, bot management, DDoS mitigation, and more) have continued to expand their functions to protect APIs from common attacks, they were not designed for the specialized nature of API threats, nor do they offer the kind of granular controls needed to document, analyze, and defend APIs at scale.

Solving these challenges with WAAP

Attackers tailoring their tactics to specific API vulnerabilities requires organizations to customize threat defenses; including a deep understanding of API behaviors and risks while enabling Engineering and Security to streamline operations.

Increasingly, modern API security solutions fall under the umbrella of a cloud-based security stack Gartner calls “Web Application and API Protection (WAAP).” Common WAAP solutions include the following core features:

• A next-generation web application firewall (NGFW) to filter unwanted traffic, prevent zero-day exploits, and enforce network security policies.

• Distributed denial-of-service (DDoS) protection to mitigate both volumetric and long-lasting attacks.

• Bot management to block malicious bot behavior using a combination of fingerprinting, heuristics, and machine learning.

• API protection to analyze, categorize, and customize controls over API traffic — while providing robust client-side protection from JavaScript exploits.

One of the primary advantages of a WAAP solution is that it affords organizations greater visibility into and control over their APIs. API discovery capabilities allow Security to discover, catalog, and monitor API endpoints, while API abuse detection uses advanced anomaly detection to track and analyze malicious traffic patterns and stop volumetric attacks.

In addition to strengthening API defenses against complex and persistent attacks, WAAP also helps secure APIs across multiple cloud environments. A central API catalog helps establish a baseline of organizational APIs, from which Security can apply uniform policy without losing visibility.

A “Leader” in WAAP

During Gartner’s recent WAAP vendor evaluation, Cloudflare was designated a “Leader” in web application and API security.

With a global network that spans over 320 locations — and processes more than 45 million HTTP requests per second on average — Cloudflare has unique insight into network patterns, attack vectors, and API traffic. That visibility helps expand and strengthen a suite of integrated security services, including API discovery capabilities, API management and analytics, and layered API defenses that monitor traffic for anomalous behavior and mitigate volumetric DDoS attacks, malicious bot activity, and more.

Cloudflare’s WAAP portfolio lessens the burden of manual configuration and maintenance for Security. Cloudflare Security Center provides a single place for organizations to track, investigate, and mitigate threats across their API landscape — without additional deployments or scaling concerns.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Dive deeper into this topic.

Get the Gartner® Magic Quadrant™ for Web Application and API Protection (WAAP) to learn why Cloudflare is ranked as a Leader!

Get the report!

Key takeaways

After reading this article you will be able to understand:

• Why APIs remain a top target for attackers

• How 53% of organizations experienced a data breach due to compromised API tokens

• The 3 challenges of API security

• How WAAP addresses API concerns

Related resources

• Gartner Magic Quadrant for Web Application and API Protection

• OWASP API Security Top 10

• API Gateway datasheet