Api Security 1689641969

The document discusses the challenges of securing APIs for organizations. It outlines five common challenges CISOs face with API security and management: shadow APIs, security breaches, data leakage, API abuse, and compliance. It also discusses how API security differs from web application security and provides examples of questions security leaders and teams should consider.

EBOOK

The CISO’s Guide to API Security
Strategies for preventing data breaches, shadow APIs, abuse, and other common challenges
Content

3 Explosive growth in APIs is leaving security teams behind
4 Five challenges CISOs often face with API security and management
8 Compare API security approaches

1 888 99 FLARE | [email protected] | www.cloudflare.com


Cloudflare | The CISO’s Guide to API Security 3

Explosive growth in APIs is leaving security teams behind

APIs present exciting business opportunities to deliver products faster and improve customer experience. Now, security leaders have to balance securing their APIs, on top of their web apps, without slowing down innovation.

In recent years, data breaches and leaks through APIs have made news headlines — including JustDial in India, LinkedIn and Twitter in the social media space, and even T-Mobile.

Why is this the case? Unfortunately, attackers often see APIs as a ‘softer target’ than an organization’s core web applications. And without proper API management, this assumption often proves true.

Modern CISOs recognise the need for consolidating web application and API security. They need to secure customers’ sensitive data while enabling business operations across web app and API properties.

Customer trust is at stake, after all.

Sidebar: 58% of dynamic HTTP traffic is through APIs.(1)

Sidebar: By 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools, according to Gartner®.(2)

The API security maturity curve — stages and next steps

LEVEL 1: Starting out with API security
Start by identifying all APIs in use within your organization. Many ways to discover APIs: use API discovery tools, review technical documentation and agreements, speak to your developers and monitor your web traffic.

LEVEL 2: Using home-grown processes
Can your tools meet the visibility and compliance needs of your leadership and the usage needs of security teams? Integrate tools better to reduce data breach, data leakage, shadow API, and availability and resilience risks.

LEVEL 3: Consolidating security tooling
Check out Web Application and API Protection (WAAP) if you are looking for easy to deploy, runtime-focused and cost-effective solutions for security teams.

1 2022 analysis from Cloudflare Radar

2 Gartner® “Innovation Insight for API Protection”, Analyst(s) Dionisio Zumerle, Jeremy D’Hoinne, Mark O’Neill, 10 October 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Five challenges CISOs face with API security and management

Challenge #1: Shadow APIs
Modern CISOs need visibility around all the APIs in production - be it APIs developed outside of IT or legacy APIs that are still in use. The pace of API development is only increasing in every organization.

Challenge #2: Security breaches
Modern CISOs need to ensure their organization’s APIs ask for appropriate authentication and authorisation. Many API access control measures have been easily exploited by attackers to date.

Challenge #3: Data leakage
Modern CISOs need security visibility and controls over the sensitive data exchanged through APIs - be it PII/PCI/PHI data or credentials or tokens.

Challenge #4: API abuse
Modern CISOs recognise that APIs being overwhelmed with abusive traffic can be just as harmful to your organization as a threat actor exploiting a security vulnerability.

Challenge #5: Compliance
Modern CISOs must ensure their customer-facing APIs meet industry and organization standards - be it PCI, HIPAA, GDPR, FFIEC and FCA.

Is API security different from web application security?


Yes. APIs are a unique attack surface due to the following characteristics:

• APIs exchange data between systems. Web applications are accessed by end users through a web browser.
• APIs use a different format (usually JSON) to transport data. Web apps accept user input and visualise data from the backend (using HTML, CSS and JavaScript).
• APIs access backend systems directly, often serving as the intermediary between modern web apps and their backend databases and servers.
• Successful API transactions assume legitimate access.
• APIs are easily overlooked as they are not visible to end users.

Compared to web application security, API security requires significant business context,
different discovery methods, deeper access verification controls, and intelligent
abuse protection.

The detection methodology for API security differs from web app security even in overlapping
vulnerability categories such as injection attacks and access risks. For example, every API
operation must verify the caller’s identity and permissions before performing any work on the
caller’s behalf.
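The per-operation check described above, as an added example that is not part of the original guide: a minimal HS256 JSON Web Token verifier plus a scope check that runs before every API operation. The shared secret, the permission map and the route names are constructed for the example; a real deployment would take the key from a key management service and the map from its authorization policy.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed; a real issuer uses a KMS-held key
# Hypothetical permission map: the scope each API operation requires.
REQUIRED_SCOPE = {("GET", "/v1/orders"): "orders:read",
                  ("POST", "/v1/orders"): "orders:write",
                  ("DELETE", "/v1/orders"): "orders:admin"}

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(claims):
    """Issuer side: mint an HS256 JWT so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_token(token, now):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize(method, path, token, now):
    """Gate one operation: 401 with no valid identity, 403 without the scope, else 200."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    needed = REQUIRED_SCOPE.get((method, path))
    # Unknown operations are denied, not silently allowed (positive security model).
    if needed is None or needed not in str(claims.get("scope", "")).split():
        return 403
    return 200
```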
Challenge #1: Shadow APIs

Security considerations for leaders

Shadow APIs are a growing concern in modern organizations. Most IT and security can’t find and manage APIs as fast as developers build the APIs.

Many current processes for tracking APIs are broken, consisting of manual approaches with security teams pestering development teams for updates.

Some questions to ask your teams:

• How do you discover and manage public APIs today?

Security considerations for teams

Conduct regular API discovery on your environments, just as you would for IT devices and apps.

Useful metrics to report on to leadership:

• Identify the groups with the most shadow APIs, thus posing greater risks, to prioritize process improvements.

Challenge #2: Security breaches

Security considerations for leaders

Security teams are under more pressure than ever to prevent their organizations from becoming news headlines with security breaches. Attackers have started to exploit weak authentication and authorization measures in many APIs.

Some questions to ask your teams:

• How are you validating authentication and authorization in your APIs?
• Do your APIs follow consistent specifications and formats?

Security considerations for teams

Ensure your APIs are validating authentication and authorization tokens on every API operation.

Useful metrics to report on to leadership:

• API asset inventory - highlight those carrying sensitive data, that are out of compliance or that use weak authentication or authorization methods.
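One way to run the discovery that Level 1 of the maturity curve and Challenge #1 call for, as an added example (not the guide's or Cloudflare's code): derive an endpoint inventory from access-log traffic and diff it against the documented inventory to surface shadow APIs. The log format, the documented set and the `/static/` heuristic are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: the API inventory IT and security already know about.
DOCUMENTED = {("GET", "/v1/users/{id}"), ("POST", "/v1/orders"), ("GET", "/v1/orders/{id}")}

# Constructed sample access-log lines in a simplified "METHOD PATH STATUS" form.
ACCESS_LOG = """\
GET /v1/users/1042 200
GET /v1/users/1043 200
POST /v1/orders 201
GET /v1/orders/77 200
GET /v1/internal/export?all=1 200
GET /v1/internal/export 200
GET /v2/users/1042 200
POST /legacy/auth/login 200
GET /static/app.js 200
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Numeric ids, long hex ids and UUIDs collapse to {id} so per-object URLs group into one endpoint.
ID_SEGMENT = re.compile(r"/(?:\d+|[0-9a-f]{8,}|[0-9a-f-]{36})(?=/|$)")

def normalize(path):
    """Drop the query string and replace id-like segments with '{id}'."""
    return ID_SEGMENT.sub("/{id}", path.split("?", 1)[0])

def observed_endpoints(log_text):
    """Count (method, normalized path) pairs carrying traffic, ignoring static assets."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"].startswith("/static/"):
            continue  # not an API call (heuristic: tune the static prefix per site)
        seen[(m["method"], normalize(m["path"]))] += 1
    return seen

def shadow_apis(log_text, documented=DOCUMENTED):
    """Endpoints seen in traffic but absent from every inventory, with hit counts."""
    return {ep: n for ep, n in observed_endpoints(log_text).items() if ep not in documented}
```

The hit counts give the prioritisation metric the guide asks for: the busiest undocumented endpoints, grouped by owning team, are the ones to chase first.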

“We were facing DDoS attacks, data scrapers, and cumbersome certificate
management across all our web properties as they grew in number.
We wanted a security layer that could protect our web properties and
APIs without adding significant overhead.”

Marut Singh
CTO, CARS24
Challenge #3: Data leakage

Security considerations for leaders

APIs will often carry sensitive data by their nature. As a CISO, you want to ensure that your APIs are not exposing the wrong sensitive data and APIs are transmitting the data under strong encryption.

Some questions to ask your teams:

• Does your data loss prevention (DLP) program include data loss through APIs?
• Are you up to date on the legal and industry-specific data security mandates?
• Is your data at rest and in transit secure? Do you use the appropriate encryption standards for your industry and jurisdictions?

Security considerations for teams

• Check for exposed/leaked credentials used in API requests
• Scan for personally identifiable information (PII), credit card data and personal health care information in API requests and responses

Challenge #4: API abuse

Security considerations for leaders

Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user.

Not only can this impact the API server’s performance, leading to Denial of Service (DoS), but it also leaves the door open to authentication flaws such as brute force.

Just like with web applications, monitoring your API traffic is critical to ensure the availability of your business products and services to your customers.

Some questions to ask your teams:

• Can your tools throttle abusive API traffic?
• How do you know what are the appropriate traffic limits for each API and the number of resources in any response?

Security considerations for teams

Deploy intelligent rate limits on your APIs based on observed traffic patterns for each endpoint.
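The "rate limits based on observed traffic patterns for each endpoint" advice, as an added example that is not part of the original guide: a learning pass derives a per-endpoint limit from the peak per-client request rate seen in a baseline window, and a sliding-window limiter then enforces it per (client, endpoint). The baseline traffic, the 2x margin and the window length are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed baseline traffic: (timestamp_s, client_id, endpoint). Five clients each
# call /v1/search every 5 s, i.e. 12 requests per client per 60 s window.
BASELINE = [(t, f"client{c}", "/v1/search") for t in range(0, 60, 5) for c in range(5)]

def learn_limits(events, window=60, margin=2.0):
    """Per endpoint: peak per-client requests in any window, times a safety margin."""
    recent = defaultdict(lambda: defaultdict(deque))  # endpoint -> client -> timestamps
    peak = defaultdict(int)
    for ts, client, endpoint in sorted(events):
        q = recent[endpoint][client]
        q.append(ts)
        while q[0] <= ts - window:  # evict timestamps that fell out of the window
            q.popleft()
        peak[endpoint] = max(peak[endpoint], len(q))
    return {ep: max(1, int(p * margin)) for ep, p in peak.items()}

class RateLimiter:
    """Sliding-window limiter keyed by (client, endpoint), driven by learned limits."""

    def __init__(self, limits, window=60, default_limit=10):
        self.limits, self.window, self.default_limit = limits, window, default_limit
        self.hits = defaultdict(deque)

    def allow(self, ts, client, endpoint):
        """True if this request stays within the endpoint's limit for this client."""
        q = self.hits[(client, endpoint)]
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.limits.get(endpoint, self.default_limit):
            return False  # throttle; the API should answer 429 Too Many Requests
        q.append(ts)
        return True
```

Endpoints never seen in the baseline fall back to a conservative default rather than going unlimited, which matters for the shadow APIs discussed earlier.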

API security breaches

Article: LinkedIn - 700 million users’ data scraped over the years
Article: T-Mobile API vulnerabilities exploited

Challenge #5: Compliance

Security considerations for leaders

Changing data privacy and locality regulations in many industries and global regions are nearly impossible to comply with without consistent processes and tools.

Security tools can help you by identifying sensitive data, pushing the relevant information into your governance solutions and integrating with your SIEM / SOAR to orchestrate appropriate responses.

Some questions to ask your teams:

• Do your security tools help you identify the relevant sensitive data seen in your APIs?
• Can you integrate your API security intelligence with other security tools?

Security considerations for teams

Scan for personally identifiable information (PII), credit card data and personal health care information in API requests and responses.

Keep audit logs on API usage, security alerts and response actions taken.

Useful metrics to report on to leadership:

• Number of instances each applicable data type was seen in your APIs

API security breaches

Article: Twitter API exposes too much information
Article: JustDial’s legacy APIs expose customer data
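The scan that Challenge #3 and Challenge #5 both ask for, as an added example that is not part of the original guide: walk every string in an API request or response, match e-mail addresses, US SSNs, bearer tokens and card-number candidates, filter card candidates with the Luhn checksum, and return per-data-type counts (the leadership metric above). The sample request and response and the pattern set are constructed for the example; a production scanner would carry many more patterns and jurisdiction-specific identifiers.

```python
import re

# Constructed sample API exchange: a request and the response it produced.
SAMPLE_REQUEST = {
    "headers": {"Authorization": "Bearer eyJhbGciOi.constructed.token"},
    "body": {"query": "orders for jane.doe@example.com"},
}
SAMPLE_RESPONSE = {
    "headers": {"Content-Type": "application/json"},
    "body": {"customer": {"email": "jane.doe@example.com", "ssn": "123-45-6789"},
             "payment": {"card": "4111 1111 1111 1111", "tracking": "1234 5678 9012 3456"}},
}

PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+"),
}

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from look-alike digit strings."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def string_values(obj):
    """Yield every string in a nested JSON-like structure (headers and body alike)."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from string_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from string_values(v)
    elif isinstance(obj, str):
        yield obj

def scan(message):
    """Count how often each sensitive data type appears in one API message."""
    counts = {}
    for text in string_values(message):
        for name, rx in PATTERNS.items():
            for hit in rx.findall(text):
                label = name
                if name == "card_candidate":
                    if not luhn_ok(re.sub(r"\D", "", hit)):
                        continue  # fails Luhn: an order or tracking number, not a card
                    label = "credit_card"
                counts[label] = counts.get(label, 0) + 1
    return counts
```

Feeding the counts from every scanned exchange into the SIEM gives both the audit trail and the per-data-type metric the guide recommends reporting.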

Compare API security approaches


There are a number of approaches to manage and secure all the API growth in modern organizations - full lifecycle API management, API observability, and, holistically, Web Application and API Protection.

For holistic security and performance around your public-facing APIs without inhibiting innovation, check out the approach taken by Web Application and API Protection solutions such as Cloudflare API Gateway.

API Observability Tools
Use case: APIs in pre-production
• Will require another tool to generate API traffic
• Cannot protect APIs from abuse/attacks; need to hook into a WAF to block

Web Application and API Protection (WAAP)
Use cases: APIs in production, real-time monitoring, and protection against abuse, zero days and attackers
• Provide real-time API protection compared to API security point solutions
• Easier to deploy and manage than full lifecycle management solutions
• Integrate with your APIs, irrespective of cloud provider, API structure and development language

Full Lifecycle API Management
Use case: APIs in highly regulated industries, legacy API standards
• These tools often focus on API management while lacking in security sophistication
• These tools can be more cumbersome to integrate for developers

Key Web Application and API Protection solution capabilities

• Shadow API discovery
• Centrally manage APIs and monitor use
• Authentication validation (mTLS and JSON Web Tokens)
• Sensitive data detection for popular industry and legal requirements
• Data encryption in transit
• Positive security model for real-time blocking and traffic acceptance
• Threat intelligence from real-time traffic analysis
• Machine learning driven abuse and vulnerability exploit protection
• Optimised edge network to serve API traffic without disruptions

The Cloudflare application security portfolio

Cloudflare keeps applications and APIs secure and productive, thwarts DDoS attacks, keeps bots at bay, detects anomalies and malicious payloads, and encrypts data in motion, all while monitoring for browser supply chain attacks.

Integrated Management & Analytics:

• Application DDoS: Block L7 DDoS attacks
• WAF w/ advanced rate limiting: Stop attacks, abuse and exploits
• Bot Management: Stop bot traffic
• API Gateway: API security and management
• Page Shield: Stop client-side attacks
• TLS/SSL: Data security
• Cloudflare Security Center: Attack surface management

Protect your APIs without compromising innovation. Contact us.

© 2023 Cloudflare Inc. All rights reserved. The Cloudflare logo is a trademark of Cloudflare. All other company and product names may be trademarks of the respective companies with which they are associated.


REV:BDES-4431.2023APR05
