Many IT departments still don’t know how many APIs they have: Report


IT departments still don’t have an accurate count of the number of application programming interfaces (APIs) their app developers are putting into production, says a new report.

That’s one of several conclusions researchers at Cloudflare came to in a report on API security and management released today.

APIs, which allow applications to communicate with each other, outpace other internet traffic, the report found. They comprised more than half (57 per cent) of the dynamic internet traffic processed by Cloudflare last year.

However, many organizations don’t know how many APIs they are supposed to oversee. Cloudflare found some organizations have 30 per cent more API endpoints than they think they have.

“You can’t protect what you don’t know exists,” John Cosgrove, product manager for Cloudflare’s API gateway, commented in an interview about the report.

Not only that, the report says, IT departments may unintentionally block legitimate traffic because they don’t know how many APIs they have to protect.

So-called ‘zombie’ or ‘shadow’ APIs may have been left undocumented by the developers who created them and have since left the organization, Cosgrove said, or they may be hanging around from abandoned projects.

If exploited, these APIs can lead to data exposure, unpatched vulnerabilities, data compliance violations, lateral movement and other problems.

The 2019 data breach of a medical diagnostics company exposed the data of nearly 12 million patients when an unauthorized user gained access to an API that was sending information to billing vendors, the report notes.

“API threats are out there,” Cosgrove said. “They can be as old as SQL injection or as new as a broken authentication attack. You need to have a tool that compiles an API inventory and then you need protection from all these attacks.”

Some CISOs may be worried about advanced attacks, he said, but “if your web application firewall isn’t even protecting your APIs, the ‘old’ threats will still come and get you.” One problem, he said, is that a lot of APIs weren’t written to withstand large volumetric distributed denial of service attacks.

The report is based on traffic data collected by Cloudflare’s global network between Oct. 1, 2022 and Aug. 31, 2023.

Another possible problem the report discovered is the misinterpretation of API errors. For example, the most frequent HTTP error status code IT departments see is 429, which means the API server has automatically throttled traffic because of a certain action, such as an IP address exceeding a set number of requests per minute per endpoint. However, the report says, a wrongly set request rate limit may be what is triggering that error.
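To make the point about misinterpreted 429s concrete, here is an added example (not code from Cloudflare or the report) of a simple per-IP, per-endpoint, per-minute limiter together with constructed sample traffic: one well-behaved client that polls a status endpoint every two seconds, and one burst client. Running the same traffic through two limit settings shows that a limit set below a legitimate client's normal rate produces 429s for that client, which would look like an attack in the error statistics even though nothing hostile happened.

```python
from collections import defaultdict


class FixedWindowLimiter:
    """Counts requests per (client IP, endpoint) inside fixed one-minute
    windows and answers 429 once the configured limit for a window is exceeded.
    This mirrors the 'requests per minute per endpoint' rule described above."""

    def __init__(self, limit_per_minute):
        self.limit = limit_per_minute
        self.counts = defaultdict(int)

    def check(self, ip, endpoint, ts):
        window = int(ts // 60)            # ts is seconds since some epoch
        key = (ip, endpoint, window)
        self.counts[key] += 1
        return 429 if self.counts[key] > self.limit else 200


def constructed_traffic():
    """Constructed sample (not captured data): a legitimate client polling
    /api/v2/status every 2 s (30 requests in the minute) and a burst client
    firing 200 requests at the same endpoint within 20 s of the same minute."""
    reqs = [("198.51.100.5", "/api/v2/status", 2.0 * i) for i in range(30)]
    reqs += [("203.0.113.99", "/api/v2/status", 0.1 * i) for i in range(200)]
    return sorted(reqs, key=lambda r: r[2])


def count_throttled(limit_per_minute, requests):
    """Replay requests through a limiter and return how many 429s each
    client IP received. A legitimate client appearing here means the
    limit is set below that client's normal rate."""
    limiter = FixedWindowLimiter(limit_per_minute)
    throttled = defaultdict(int)
    for ip, endpoint, ts in requests:
        if limiter.check(ip, endpoint, ts) == 429:
            throttled[ip] += 1
    return dict(throttled)


if __name__ == "__main__":
    traffic = constructed_traffic()
    # A limit above the legitimate client's rate throttles only the burst.
    print("limit 60/min:", count_throttled(60, traffic))
    # A limit below it throttles the legitimate poller as well.
    print("limit 20/min:", count_throttled(20, traffic))
```

The design lesson is that a rate limit should be derived from the observed legitimate peak rate of each endpoint rather than chosen as a round number, and that a rising 429 count is a signal to check the limit's configuration before concluding that the endpoint is under attack.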

As consumers and end users continue to expect faster, more dynamic web and mobile experiences, the report warns, development and API teams will come under more pressure to deploy and maintain many more APIs.

“These well-meaning app developers will continue to deploy APIs fast — sometimes without consulting other IT and security stakeholders,” the report says. This lack of a cohesive approach will force enterprises into difficult corners as they face several challenges, including an increase in business logic-based fraud attacks.

CISOs at the very least have to pay attention to API discovery, Cosgrove said. Those with more mature security programs should look at their rate-limiting strategies. Those who have no API security posture should at least have the bare basics, he added, including DDoS protection.

The report can be downloaded here. Registration is required.

The post Many IT departments still don’t know how many APIs they have: Report first appeared on IT World Canada.
Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
