New Cloudflare Report Shows Organizations Struggle to Identify and Manage Cybersecurity Risks of APIs

Rhea-AI Summary

Cloudflare, Inc. (NET) published its inaugural API Security and Management Report, revealing that APIs account for the majority of Internet traffic and remain largely unsecured. The report highlights the gap between organizations' use of APIs and their ability to safeguard the data, emphasizing the potential threats posed by unmanaged or unsecured APIs. Key findings include high spikes of API traffic in unlikely industries, APIs dominating global Internet traffic, and an increase in attack volume due to the rise in popularity of APIs.

Insights

Cybersecurity Expert

The exponential growth in API traffic underscores the escalating cybersecurity risks that organizations face. As APIs become ubiquitous in the digital ecosystem, they present a larger attack surface for cybercriminals. The report's revelation that a significant portion of API endpoints were identified through machine learning rather than customer declarations highlights a concerning oversight in organizations' cybersecurity strategies. It suggests that many companies may lack a comprehensive understanding of their digital footprint, leaving them vulnerable to 'shadow APIs'—unmonitored and potentially insecure API endpoints that can be exploited.

Effective DDoS mitigation tools are essential in safeguarding APIs against volumetric attacks, which can overwhelm systems and disrupt services. However, these solutions must be part of a broader, multi-layered security approach that includes secure authentication and authorization practices to address more sophisticated threats like Injection attacks. The findings suggest a need for improved visibility and management of APIs, which can be facilitated by advanced security solutions that provide comprehensive monitoring and protection capabilities.

Data Privacy Analyst

The report's findings have significant implications for data privacy and regulatory compliance. With APIs serving as conduits for sensitive data across various industries, the potential for data breaches is a major concern. The healthcare and legal services sectors, in particular, deal with highly sensitive information that requires stringent data protection measures. The gap between API usage and security could lead to serious privacy violations and non-compliance with regulations such as GDPR, HIPAA and others that mandate the protection of personal data.

Organizations must prioritize the identification and protection of all APIs to mitigate the risk of unauthorized data access and exfiltration. This includes implementing robust access controls, encryption and regular security audits. The report serves as a call to action for businesses to reassess their API security posture and invest in technologies that can detect and protect against both known and unknown API vulnerabilities.

IT Infrastructure Specialist

The surge in API traffic, particularly in regions like Africa and Asia, indicates a shift towards more interconnected and automated IT infrastructures. This trend is likely driven by the need for scalability and efficiency in services such as IoT, transportation and logistics. The report's data on the prevalence of API usage in these sectors suggests that APIs are now critical components in the architecture of modern IT systems.

However, the reliance on APIs also necessitates a robust infrastructure capable of handling the increased traffic and security demands. Organizations must invest in scalable network architectures and API management solutions that can support the high volumes of API calls while maintaining performance and uptime. The integration of API gateways and web application firewalls into the infrastructure design is crucial for mitigating threats and ensuring seamless and secure API interactions.

Insights reveal that while APIs account for the majority of Internet traffic, they remain largely unsecured

SAN FRANCISCO--(BUSINESS WIRE)-- Cloudflare, Inc. (NYSE: NET), the leading connectivity cloud company, today published its inaugural API Security and Management Report. Findings from this year's report reveal that APIs, a technology that underpins today’s most used sites and apps, are being leveraged by businesses more than ever—ultimately opening the door to more online threats than seen before. The report underscores the gap between organizations' use of APIs and their ability to safeguard the data those APIs touch.

APIs power the digital world—our phones, smartwatches, banking systems and shopping sites all rely on APIs to communicate. They can help ecommerce sites accept payments, enable healthcare systems to securely share patient data, and even give taxis and public transportation access to real-time traffic data. Nearly every business today now uses them to build and provide better sites, apps and services to consumers. However, if unmanaged or unsecured, APIs present a goldmine for threat actors to exfiltrate potentially sensitive information.

"APIs are central to how applications and websites work, which makes them a rich, and relatively new, target for hackers," said Matthew Prince, CEO and co-founder at Cloudflare. "It's vital that companies identify and protect all their APIs to prevent data breaches and secure their businesses."

Key findings from Cloudflare’s 2024 API Security and Management Report include:

• Even unlikely industries see high spikes of API traffic: The seamless integrations that APIs allow for have driven organizations across industries to increasingly leverage them – some more quickly than others. The IoT, rail, bus and taxi, legal services, multimedia and games, and logistics and supply chain industries saw the highest share of API traffic in 2023.
• API traffic accounts for the majority of Internet traffic: APIs dominate dynamic Internet traffic around the globe (57%), with each region that Cloudflare protects seeing an increase in usage over the past year. However, the top regions that explosively adopted APIs and witnessed the highest traffic share in 2023 were Africa and Asia.
• APIs face an array of frequent and increasing threats: As with any popular business critical function that houses sensitive data, threat actors attempt to exploit any means necessary to gain access. The rise in popularity of APIs has also caused a rise in attack volume, with HTTP Anomaly, Injection attacks and file inclusion being the top three most commonly used attack types mitigated by Cloudflare.
• Shadow APIs provide a defenseless path for threat actors: Organizations struggle to protect what they cannot see. Nearly 31% more API REST endpoints (when an API connects with the software program) were discovered through machine learning versus customer-provided identifiers – e.g., organizations lack a full inventory of their APIs.
• DDoS mitigation solutions are one of the most effective tools to protect APIs: Regardless if an organization has full visibility of all their APIs, DDoS mitigation solutions can help block potential threats. One-third (33%) of all mitigations applied to API threats were blocked by DDoS protections already in place.

“APIs are powerful tools for developers to create full-featured, complex applications to serve their customers, partners, and employees, but each API is a potential attack surface that needs to be secured,” said Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group. “As this new report shows, organizations need more effective ways to address API security, including better visibility of APIs, ways to ensure secure authentication and authorization between connections, and better ways to protect their applications from attacks.”

Report Methodology: The findings in this report, including the statistics included above, are based on traffic patterns observed by Cloudflare’s global network (including Cloudflare’s web application firewall, DDoS protection, bot management, and API gateway services) between Oct. 1, 2022 and Aug. 31, 2023. For the quarter ended September 30, 2023, Cloudflare served over 50 million HTTP requests per second on average, and blocked an average of 170 billion cyber threats each day.

To learn more, please check out the resources below:

• 2024 API Security and Management Report
• Blog: Introducing Cloudflare’s 2024 API Security and Management Report
• Cloudflare API Security
• What is API Security?

About Cloudflare

Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company. It empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organization can gain the control they need to work, develop, and accelerate their business.

Powered by one of the world’s largest and most interconnected networks, Cloudflare blocks billions of threats online for its customers every day. It is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.

Learn more about Cloudflare’s connectivity cloud at cloudflare.com/connectivity-cloud. Learn more about the latest Internet trends and insights at https://radar.cloudflare.com.

Follow us: Blog | X | LinkedIn | Facebook | Instagram

Forward-Looking Statements

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, future market trends, and comments made by Cloudflare’s CEO. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 2, 2023, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

© 2024 Cloudflare, Inc. All rights reserved. Cloudflare, the Cloudflare logo, and other Cloudflare marks are trademarks and/or registered trademarks of Cloudflare, Inc. in the U.S. and other jurisdictions. All other marks and names referenced herein may be trademarks of their respective owners.

View source version on businesswire.com: https://www.businesswire.com/news/home/20240109533109/en/

Cloudflare, Inc.

Daniella Vallurupalli

Vice President, Head of Global Communications

press@cloudflare.com

Source: Cloudflare, Inc.

FAQ

What is the company name and ticker symbol mentioned in the report?

The company mentioned in the report is Cloudflare, Inc. and its ticker symbol is NET.

What are the key findings from Cloudflare's 2024 API Security and Management Report?

The report reveals high spikes of API traffic in unlikely industries, APIs dominating global Internet traffic, and an increase in attack volume due to the rise in popularity of APIs.

What are the top three most commonly used attack types mitigated by Cloudflare?

The top three most commonly used attack types mitigated by Cloudflare are HTTP Anomaly, Injection attacks, and file inclusion.

What are the effective tools to protect APIs mentioned in the report?

DDoS mitigation solutions are mentioned as one of the most effective tools to protect APIs, with one-third of all mitigations applied to API threats being blocked by DDoS protections already in place.

What is the methodology used for the findings in the report?

The findings in the report are based on traffic patterns observed by Cloudflare's global network between Oct. 1, 2022, and Aug. 31, 2023, including statistics from Cloudflare's web application firewall, DDoS protection, bot management, and API gateway services.