Cloudflare Report Surfaces Lots of API Insecurity

A report published by Cloudflare today finds that machine learning algorithms employed by the content delivery network (CDN) provider discovered 31% more REST application programming interface (API) endpoints than its customers had self-reported.
More than 15,000 accounts using Cloudflare had API endpoints that were only discovered using machine learning algorithms.
The report noted that a third of API mitigations involved blocking distributed denial-of-service attacks.
Overall, API requests now account for 57% of the internet traffic flowing across the Cloudflare CDN, the report found.
John Cosgrove, a product manager for Cloudflare, said the report makes it clear that given the current lack of visibility into that traffic, more organizations need to focus on discovering external-facing APIs that need to be secured.
The issue many organizations encounter is that it's not always clear who is responsible for API security.
The bulk of those APIs are based on REST architecture, but other types of APIs based on, for example, GraphQL, are now gaining traction as well.
The core problem is that the developers who create these APIs don't have a lot of cybersecurity expertise, so there's plenty of opportunity for mistakes that enable cybercriminals to exfiltrate data via an API. Cybersecurity teams, meanwhile, don't tend to have much visibility into how these APIs are being created and deployed.
As a result, all these APIs become a type of unsecured endpoint.
The bulk of these APIs are internally facing, so the immediate crux of the issue is the security of the APIs that are externally accessible.
While there are fewer of these APIs, cybersecurity teams should remember that it doesn't take much for development teams to make an internal API accessible to external users.
An API that may seem secure enough today can become a very big issue tomorrow when some business unit decides to make an existing API accessible to some entity outside the company for whatever reason.
In theory, at least, developers are assuming more responsibility for API security as part of the general shift left of responsibility for application security via adoption of DevSecOps best practices.
The number of APIs that have already been created measures in the millions, with many so-called rogue APIs being deployed that cybersecurity teams don't know exist.
Ultimately, the same cybersecurity issues that have plagued web applications for years also affect APIs.
The problem is there are orders of magnitude more insecure APIs than web applications.
Cybersecurity teams today don't have a lot of API security expertise, so the probability most organizations will experience an API security issue is fairly high.
Naturally, the responsibility for securing APIs often falls to cybersecurity teams, who will be held accountable for any breach.
The issue is that, as always, cybersecurity teams can't secure endpoints they don't know exist.
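The discovery gap the report describes (endpoints seen in traffic that nobody put in the inventory) is straightforward to measure from your own access logs. The script below is an added example, not code from Cloudflare or from the report: it parses constructed Combined-Log-Format lines, collapses identifier-looking path segments into `{id}` templates so that `/orders/7/items` and `/orders/9/items` count as one endpoint, and diffs the observed (method, template) pairs against a constructed self-reported inventory. The log format, the inventory, the sample requests and the identifier heuristic are all assumptions made for illustration.

```python
"""Shadow-API discovery from access logs (added example; constructed data)."""
import re
from collections import Counter

# Constructed inventory: the endpoints an application team self-reported.
# Path parameters use {name} placeholders, as an OpenAPI document would.
DECLARED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Constructed access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [09/Jan/2024:15:43:04 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.2 - - [09/Jan/2024:15:43:05 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.3 - - [09/Jan/2024:15:43:06 +0000] "GET /api/v1/orders/7/items HTTP/1.1" 200 1024
10.0.0.3 - - [09/Jan/2024:15:43:07 +0000] "GET /api/v1/orders/9/items HTTP/1.1" 200 990
10.0.0.4 - - [09/Jan/2024:15:43:08 +0000] "DELETE /api/v1/users/42 HTTP/1.1" 204 0
10.0.0.5 - - [09/Jan/2024:15:43:09 +0000] "POST /graphql HTTP/1.1" 200 2048
10.0.0.6 - - [09/Jan/2024:15:43:10 +0000] "GET /static/app.js HTTP/1.1" 200 30000
10.0.0.7 - - [09/Jan/2024:15:43:11 +0000] "GET /internal/export?format=csv HTTP/1.1" 200 500000
"""

# Extract the request line: method and request target.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Heuristic (assumption): integer, UUID or long-hex segments are identifiers.
ID_SEGMENT = re.compile(
    r"^(\d+"
    r"|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"|[0-9a-f]{16,})$",
    re.I,
)

# Static assets are not API endpoints; skip them by extension.
STATIC_EXT = (".js", ".css", ".png", ".ico", ".html", ".svg", ".woff", ".woff2")


def normalize(path):
    """Drop the query string and collapse identifier segments to {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def observe(log_text):
    """Count (method, endpoint-template) pairs actually seen in traffic."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP line
        template = normalize(m["path"])
        if template.lower().endswith(STATIC_EXT):
            continue
        seen[(m["method"], template)] += 1
    return seen


def find_shadow(observed, declared):
    """Endpoints seen in traffic but absent from the self-reported inventory.

    Keyed by method as well as path: an undeclared DELETE on a declared
    GET path is still an undeclared endpoint.
    """
    return {ep: n for ep, n in observed.items() if ep not in declared}


def report(log_text=SAMPLE_LOG, declared=DECLARED):
    """Summarise the gap between observed and declared endpoints."""
    observed = observe(log_text)
    shadow = find_shadow(observed, declared)
    unseen = sorted(declared - set(observed))  # declared but never exercised
    pct_more = round(100 * len(shadow) / len(declared), 1) if declared else None
    return {
        "observed": len(observed),
        "declared": len(declared),
        "shadow": shadow,
        "unseen": unseen,
        "pct_more": pct_more,  # undeclared endpoints as a share of the inventory
    }


if __name__ == "__main__":
    r = report()
    print(f"observed {r['observed']} endpoints, {r['declared']} declared, "
          f"{len(r['shadow'])} undeclared ({r['pct_more']}% more than self-reported)")
    for (method, path), hits in sorted(r["shadow"].items()):
        print(f"  SHADOW  {method:7s} {path}  ({hits} requests)")
    for method, path in r["unseen"]:
        print(f"  UNSEEN  {method:7s} {path}  (declared, no traffic)")
```

Run against the constructed sample this flags four undeclared endpoints, including a `DELETE` on a path whose `GET` was declared and a `/graphql` endpoint the inventory never mentioned, which is the point the report makes about REST-only inventories. Feeding it real CDN or gateway logs and a real OpenAPI-derived inventory turns it into a recurring check on the "rogue API" count rather than a one-off survey.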


This Cyber News was published on securityboulevard.com. Publication date: Tue, 09 Jan 2024 15:43:04 +0000


Cyber News related to Cloudflare Report Surfaces Lots of API Insecurity

Cloudflare discloses breach related to stolen Okta data - Last fall, Cloudflare announced it mitigated an attempted cyberattack stemming from the infamous Okta breach. Cloudflare disclosed in a blog post that it had been breached by an unnamed nation-state threat actor using an access token and three ...
5 months ago Techtarget.com
Cloudflare Dashboard and APIs down after data center power outage - An ongoing Cloudflare outage has taken down many of its products, including the company's dashboard and related application programming interfaces customers use to manage and read service configurations. The complete list of services whose ...
7 months ago Bleepingcomputer.com
Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator - The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator, according to ...
6 days ago Bleepingcomputer.com
Defining Good: A Strategic Approach to API Risk Reduction - A good API security strategy starts with a well thought out API security posture governance program that spans from design to deployment. That standard, if communicated and enforced effectively, will not only positively affect how a developer designs ...
5 months ago Securityboulevard.com
How to Arm Yourself With CloudFlare Security Solutions - Securing your website or digital asset is a critical part of running a successful business or website. With the rise of the digital era, the need to protect yourself from cyber-attacks is essential. That's why CloudFlare, the leading cloud solution ...
1 year ago Blog.cloudflare.com
Salt Security Delivers API Posture Governance Engine - PRESS RELEASE. PALO ALTO, Calif., Jan. 17, 2024 /PRNewswire/ - Salt Security, the leading API security company, today announced multiple advancements in discovery, posture management and AI-based threat protection to the industry leading Salt ...
5 months ago Darkreading.com
Cloudflare publishes details of Thanksgiving security breach (The Register) - Cloudflare has just detailed how suspected government spies gained access to its internal Atlassian installation using credentials stolen via a security breach at Okta in October. In a write-up on Thursday, CEO Matthew Prince, CTO John ...
5 months ago Go.theregister.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
7 months ago Esecurityplanet.com
Imperva Named an Overall Leader in the KuppingerCole Leadership Compass: API Security and Management Report - We're thrilled to share that Imperva has achieved the prestigious status of Overall Leader in the KuppingerCole Leadership Compass: API Security and Management report. A notable achievement is being recognized as one of the few non-gateway-first ...
7 months ago Imperva.com
Cyber Insecurity and Misinformation Top WEF Global Risk List - The latest World Economic Forum Global Risks Report 2024 highlighted the rising tide of cyber threats and places misinformation and disinformation as the most severe risk globally. It also warned of low-cost crime havens and issues surrounding ...
5 months ago Infosecurity-magazine.com
That time I broke into an API and became a billionaire - This included an internal API with a dependency on a third-party banking API. We'll get to the banking API later in this story. That's all thanks to developers embracing agile development, microservices, and API gateway redirection that exposed ...
6 months ago Securityboulevard.com
Unified API Protection - A massive segment of organizations' digital footprint today is built around internal and external APIs. As more IT leaders realize and acknowledge the size of APIs' influence, it's become clear that new methods are needed to secure those APIs. While ...
1 year ago Cequence.ai
Cloudflare hacked using auth tokens stolen in Okta attack - Cloudflare disclosed today that its internal Atlassian server was breached by a 'nation state' attacker who accessed its Confluence wiki, Jira bug database, and Atlassian Bitbucket source code management system. The threat actor first gained access ...
5 months ago Bleepingcomputer.com
What do CISOs need to know about API security in 2024? - According to Postman's 2023 State of the API Report, roughly 66% of participants indicated that their APIs contribute to generating revenue. A recent ESG survey on API security showed that 92% of organisations using APIs have experienced a breach in ...
6 months ago Cybersecurity-insiders.com
What's new in the MSRC Report Abuse Portal and API - The Microsoft Security Response Center has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report ...
4 days ago Msrc.microsoft.com
Beware of OpenAI and ChatGPT-4 Turbo in Financial Services Organizations' Growing API Attack Surface - With every new API integration that OpenAI gets access to, the attack surface of a financial organization grows, creating new opportunities for attackers to exploit vulnerabilities and gain access to sensitive customer and financial data. APIs have ...
4 months ago Cybersecurity-insiders.com
