Shadow APIs are opening organizations to attacks: Report

Cloudflare also observed that many organizations lack a full inventory of their APIs, making them difficult to manage. Nearly 31% more Representational State Transfer (REST) API endpoints, the API location responsible for accepting requests and sending back responses, were discovered by Cloudflare’s machine learning tools than those observed by customer-provided session identifiers.

According to Cloudflare, apps that have not been managed or secured by the organization using it — also known as Shadow APIs — are often introduced by developers or individual users to run specific business functions.

“A study of our own showed high percentages (67%) of open APIs for public consumption, (64%) connecting applications with partners, and (51%) connecting microservices, and high rates of API updates, including 35% with daily updates and 40% with weekly updates,” Marks said. “So, it’s an issue of an ever-increasing number of APIs, and the chance of hackers wanting to take advantage of vulnerabilities that are often the result of carelessness.”

DDoS is the leading API threat

Fifty-two percent of all API errors processed by Cloudflare were attributed to the error code 429, which is an HTTP status request code for “too many requests”. This is supported by the fact that 33% of API mitigations comprised blocking Distributed Denial of Service (DDoS).

“This is an important area – we sometimes underestimate or forget about the DoS and DDoS attacks,” Marks said. “The top application security driver is usually application uptime, so the ability to block DoS/DDoS attacks is often a priority for API security.”

Other leading API errors included bad requests (err code 400) at 13.8%, not found (err code 404) at 10.8%, and unauthorized (err code 401) at 10.3%.