Organizations use outdated approaches to secure APIs
Security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites, according to Cloudflare.
The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams.
Web applications and APIs allow ecommerce sites to accept payments, healthcare systems to securely share patient data, and power activities we do on our phones. However, the more we rely on these applications, the more the attack surface expands.
This is further magnified by the demand for developers to quickly deliver new features—e.g., capabilities driven by generative AI. But if unprotected, exploited applications can lead to the disruption of businesses, financial losses, and the collapse of critical infrastructure.
“Web applications are rarely built with security in mind. Yet, we use them daily for all sorts of critical functions, making them a rich target for hackers,” said Matthew Prince, CEO at Cloudflare.
DDoS attacks continue to increase in number and volume
DDoS remains the most leveraged threat vector to target web applications and APIs, comprising 37.1 % of all application traffic mitigated by Cloudflare. Top targeted industries were gaming and gambling, IT and Internet, cryptocurrency, computer software and marketing and advertising.
Cloudflare observed faster exploitations than ever of new zero-day vulnerabilities, with one occurring just 22 minutes after its proof-of-concept (PoC) was published.
31.2% of all traffic stems from bots, 93% of which are unverified and potentially malicious. Top targeted industries were manufacturing and consumer goods, cryptocurrency, security and investigations, and US Federal Government.
Traditional web application firewall (WAF) rules that use a negative security model—the assumption that most web traffic is benign—are most commonly leveraged to protect against API traffic. Far fewer organizations use the more widely accepted API security best practice of a positive security model—strict definitions on traffic that is allowed, rejecting the rest.
Third-party software dependencies pose growing risk
Organizations use an average of 47.1 pieces of code from third-party providers and make an average of 49.6 outbound connections to third-party resources to help enhance website efficiency and performance—e.g., leveraging Google Analytics or Ads. But as web development has largely shifted to allow these types of third-party code and activity to load in a user’s browser, organizations are increasingly exposed to supply chain risk and liability and compliance concerns.
Zero-day exploits are increasing, as is the speed of weaponization of disclosed CVEs. 97 zero-days were exploited in the wild in 2023, and the number of disclosed CVEs between 2022 and 2023 increased by 15%.
More than 5,000 critical vulnerabilities were disclosed in 2023, yet the mean time to release a patch for a critical severity web application vulnerability is 35 days.
Enterprises often have a disjointed patchwork of legacy and point products for security that make it hard to connect and protect their SaaS apps, web apps, and other IT infrastructure. The IT sprawl makes it easier for attackers to find and exploit vulnerabilities.