
The use of APIs keeps increasing, and that brings greater management and security risks.

This is the conclusion of research by Cloudflare. According to the researchers, API use increased again in 2023. About 57 per cent of global dynamic Internet traffic was generated by APIs last year.

However, this increase in API traffic brings more management and security issues, especially since there are more API endpoints than companies stated in the survey.

By applying their ML algorithms, the researchers discovered that there were as many as 30.7 per cent more API endpoints than specified. Developers or individual end users often use these “Shadow APIs” to run specific business applications.

These “wild” APIs are challenging to manage and pose a significant security risk. With them, unknown threats can easily sneak into enterprise environments, exposing data, introducing unpatched vulnerabilities, generating data compliance issues, enabling lateral movement and other threats.

Recommendations

In their report, the researchers make several recommendations, including best practices, to make the use of APIs more secure. An important point is that companies should have a complete strategy for APIs that includes application development, visibility, performance and security. One example is a connectivity cloud environment that connects things like network connections, cloud environments, applications, and users in a single intelligent platform.

This should include a precise inventory of APIs, modern authentication and authorization processes, and endpoint management for monitoring metrics such as latency, errors and the size of responses.

Positive security model

A “positive” security model must also be implemented through an API gateway. More specifically, this model should work by allowing only verified and known behaviour and identities through an ‘API schema’ and denying the rest of the traffic. ML should also be applied to detect attack variants and distinguish between legitimate user traffic and potentially malicious (bot) traffic to and from APIs.
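
The allow-by-schema, deny-everything-else check described above, as an added example that is not from the Cloudflare report: the schema, paths and sample requests are constructed, and the ML-based traffic classification is out of scope. Requests to paths the schema does not know are also collected, since those are the candidates for the unlisted endpoints the article calls shadow APIs.

```python
import re

# Constructed schema (assumption): (method, path template) -> regex constraints.
SCHEMA = {
    ("GET", "/v1/orders"): {"path": {}, "query": {"page": r"\d{1,4}"}},
    ("POST", "/v1/orders"): {"path": {}, "query": {}},
    ("GET", "/v1/orders/{order_id}"): {"path": {"order_id": r"\d{1,10}"},
                                       "query": {"fields": r"[a-z_,]{1,64}"}},
}

def _compile(template, path_params):  # '/v1/orders/{order_id}' -> anchored regex
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("(?:" + path_params[seg[1:-1]] + ")")
        else:
            parts.append(re.escape(seg))
    return re.compile("/" + "/".join(parts))

RULES = [(m, _compile(t, s["path"]), s["query"]) for (m, t), s in SCHEMA.items()]

def decide(method, path, query):
    """Return (allowed, reason); anything the schema does not describe is denied."""
    path_known = False
    for rule_method, path_re, query_spec in RULES:
        if not path_re.fullmatch(path):
            continue
        path_known = True
        if rule_method != method.upper():
            continue
        for name, value in query.items():
            if name not in query_spec:
                return False, "unknown parameter: " + name
            if not re.fullmatch(query_spec[name], value):
                return False, "invalid value for: " + name
        return True, "matches schema"
    return False, ("method not allowed" if path_known else "endpoint not in schema")

def shadow_candidates(requests):
    """Paths seen in traffic that no schema entry covers: inventory gaps to review."""
    return sorted({p for m, p, q in requests
                   if decide(m, p, q)[1] == "endpoint not in schema"})

# Constructed sample traffic: (method, path, query parameters).
SAMPLE = [
    ("GET", "/v1/orders/1042", {"fields": "id,status"}),
    ("GET", "/v1/orders/1042", {"debug": "1"}),
    ("DELETE", "/v1/orders", {}),
    ("GET", "/internal/export", {}),
]
```

Only the first sample request is allowed; the other three are denied for an unknown parameter, a method the schema does not list, and an endpoint missing from the schema.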
