Many IT departments still don’t know how many APIs they have: Report


IT departments still don’t have an accurate count of the number of application programming interfaces (APIs) their app developers are putting into production, says a new report.

That’s one of several conclusions researchers at Cloudflare came to in a report on API security and management released today.

APIs, which allow applications to communicate with each other, outpace other internet traffic, the report found. They comprised more than half (57 per cent) of the dynamic internet traffic processed by Cloudflare last year.

However, many organizations don’t know how many APIs they are supposed to oversee. Cloudflare found some organizations have 30 per cent more API endpoints than they think they have.

“You can’t protect what you don’t know exists,” John Cosgrove, product manager for Cloudflare’s API gateway, commented in an interview about the report.

Not only that, the report says, IT may unintentionally block legitimate traffic because they don’t know how many APIs to protect.

So-called ‘zombie’ or ‘shadow’ APIs may have been left undocumented by the developers who created them and have since left the organization, Cosgrove said, or they may be lingering from abandoned projects.

If exploited, these APIs can lead to data exposure, unpatched vulnerabilities, data compliance violations, lateral movement and other problems.

The 2019 data breach of a medical diagnostics company exposed the data of nearly 12 million patients when an unauthorized user gained access to an API that was sending information to billing vendors, the report notes.

“API threats are out there,” Cosgrove said. “They can be as old as SQL injection or as new as a broken authentication attack. You need to have a tool that compiles an API inventory and then you need protection from all these attacks.”

Some CISOs may be worried about advanced attacks, he said, but “if your web application firewall isn’t even protecting your APIs, the ‘old’ threats will still come and get you.” One problem, he said, is that a lot of APIs weren’t written to withstand large volumetric distributed denial of service attacks.

The report is based on traffic data collected by Cloudflare’s global network between Oct. 1, 2022 and Aug. 31, 2023.

Another possible problem the report discovered is the misinterpretation of API errors. For example, the most frequent HTTP status code error IT departments see is 429, which means the API server has automatically throttled traffic because of a certain action, such as an IP address exceeding a set number of requests per minute per endpoint. However, the report says, a wrongly-set request rate limit may be triggering that error.
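An added example, not code from the Cloudflare report or this article: it builds an endpoint inventory from constructed access-log lines, lists endpoints seen in traffic but missing from a hypothetical documented inventory (the ‘shadow’ APIs discussed above), and flags endpoints where most responses are 429 so the rate limit behind them can be reviewed.

```python
"""Added example (not from the Cloudflare report or IT World Canada): build an
API inventory from traffic, list shadow endpoints, flag suspect 429 rates."""
import re
from collections import defaultdict

# Constructed sample access-log lines: client IP, method, path, HTTP status.
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/users 200
10.0.0.5 GET /api/v1/users 429
10.0.0.6 GET /api/v1/users 429
10.0.0.7 GET /api/v1/users 429
10.0.0.8 POST /api/v1/orders 201
10.0.0.9 GET /api/v1/orders 200
10.0.0.5 GET /api/v2/billing/export 200
10.0.0.5 GET /api/legacy/report 200
"""

# Hypothetical documented inventory: endpoints the team believes it owns.
DOCUMENTED = {("GET", "/api/v1/users"), ("POST", "/api/v1/orders"),
              ("GET", "/api/v1/orders")}

LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE|PATCH) (\S+) (\d{3})$")

def parse_log(text):
    """Yield (ip, method, path, status) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            yield ip, method, path, int(status)

def observed_endpoints(records):
    """Endpoints actually seen in traffic, whether documented or not."""
    return {(method, path) for _, method, path, _ in records}

def shadow_endpoints(records, documented):
    """Observed endpoints that are missing from the documented inventory."""
    return observed_endpoints(records) - documented

def inventory_gap_pct(records, documented):
    """Percentage of extra endpoints traffic reveals beyond the inventory."""
    extra = len(shadow_endpoints(records, documented))
    return 100.0 * extra / len(documented) if documented else 0.0

def suspect_429_endpoints(records, threshold=0.5):
    """Endpoints where at least `threshold` of responses are 429: a rate
    limit that may be set too low, or one client hammering the endpoint."""
    total, throttled = defaultdict(int), defaultdict(int)
    for _, method, path, status in records:
        total[(method, path)] += 1
        if status == 429:
            throttled[(method, path)] += 1
    return {ep for ep in total if throttled[ep] / total[ep] >= threshold}
```

In the sample, the 429s on GET /api/v1/users come from three different client IPs, which points at the limit itself rather than a single abusive client; checking the distinct-IP count per throttled endpoint is the natural next step before loosening a limit.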

As consumers and end users continue to expect faster, more dynamic web and mobile experiences, the report warns, development and API teams will come under more pressure to deploy and maintain many more APIs.

“These well-meaning app developers will continue to deploy APIs fast — sometimes without consulting other IT and security stakeholders,” the report says. This lack of a cohesive approach will force enterprises into difficult corners as they face several challenges, including an increase in business logic-based fraud attacks.

CISOs at the very least have to pay attention to API discovery, Cosgrove said. Those with more mature security programs should look at their rate-limiting strategies. Those who have no API security posture should at least have the bare basics, he added, including DDoS protection.

The report can be downloaded here. Registration is required.

The post Many IT departments still don’t know how many APIs they have: Report first appeared on IT World Canada.
Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
