API traffic has grown steadily over the past couple of years, and with it APIs have become a common target for online attacks. As API attacks become a commonplace threat, a dedicated defense is imperative, which is why Cloudflare added the Cloudflare API Shield service to its offering. APIs (Application Programming Interfaces) are the intermediaries between applications, carrying data back and forth between servers, devices and users.
It is the very nature of web APIs (always online, reachable by anyone who can send an HTTP request, and often serving structured data straight out of back-end systems) that makes them attractive targets.
That is why web API security should be taken very seriously. As companies keep moving to the cloud and API activity rises, so will the risks.
In recent times we have seen just how much consumers care about the way their personal data is being handled and stored by companies. When you do any type of business over the Internet where you store data, you are making a promise to your users that you will keep it safe. If that promise is broken, you may find your reputation (and by extension your bottom line) taking a hit.
Yes, targeted attacks do happen, but the more likely culprits are bots: small programs that crawl the Internet and probe every reachable service for weaknesses. Think of your protection system as a wall and the bots as enthusiastic carpenters with tiny hammers, poking and prodding at your defenses until they find a gap and make their way through. They are tireless and relentless, so your API security has to be just as consistent to keep them out.
Luckily, we believe we have found a suitable candidate in Cloudflare API Shield. Let’s take a closer look at the risks it aims to mitigate and the features with which it will do so!
OWASP Top 10 API Risks
The Open Web Application Security Project (OWASP) maintains a dedicated list of the top 10 API security risks, the OWASP API Security Top 10. Cloudflare API Shield was built with these in mind. We will provide a few more details about the ones we consider most pressing.
- Broken Object Level Authorization – Endpoints that take an object identifier (a user ID, an order number, a document ID) and return or modify that object are a wide avenue of attack. If the server does not check that the caller is allowed to access the object named in the request, an attacker can simply change the ID in the request and read or modify other users' data.
- Broken User Authentication – Authentication is often implemented incorrectly (for example, tokens that are easy to guess or forge, or no protection against credential stuffing) or is missing altogether. This lets attackers assume another user's identity and act as them. API security hinges on correctly authenticating every caller.
- Excessive Data Exposure
- Lack of Resources & Rate Limiting – APIs often impose no restriction on how many requests a single client may send or how much data it may request. This leaves the service open to Denial of Service (DoS) and makes brute-force attacks against logins and tokens cheap.
- Broken Function Level Authorization
- Mass Assignment – This occurs when client-supplied data is bound directly to internal data models without filtering the properties against an allowlist. An attacker who adds extra fields to the request body (such as a role or balance field) can modify properties they were never meant to control.
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging & Monitoring
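Broken Object Level Authorization and Mass Assignment are easiest to see in code. The following is an added example, not code from this page or from Cloudflare, of one profile-update handler written twice: the first version has both flaws, the second checks ownership of the object and applies a field allowlist. The in-memory store, user ids and field names are constructed for the illustration.

```python
"""Added example: Broken Object Level Authorization and Mass Assignment
in one profile-update handler, shown vulnerable and hardened.
All data here is constructed for the illustration."""
from dataclasses import dataclass
from typing import Any


@dataclass
class Profile:
    owner_id: int
    email: str
    display_name: str
    is_admin: bool = False   # must never be settable by the client
    balance: int = 0         # likewise


def make_store() -> dict[int, Profile]:
    """Fresh in-memory store: profile 1 belongs to user 1, profile 2 to user 2."""
    return {
        1: Profile(owner_id=1, email="alice@example.com", display_name="Alice"),
        2: Profile(owner_id=2, email="bob@example.com", display_name="Bob"),
    }


class Forbidden(Exception):
    pass


def update_profile_vulnerable(store: dict[int, Profile], current_user: int,
                              profile_id: int, payload: dict[str, Any]) -> Profile:
    """BOLA: the object id comes straight from the URL and is never compared
    with the caller.  Mass assignment: every JSON key is bound to the model."""
    profile = store[profile_id]
    for key, value in payload.items():
        setattr(profile, key, value)
    return profile


# Allowlist of properties a client may change; everything else is read-only.
WRITABLE_FIELDS = frozenset({"email", "display_name"})


def update_profile_hardened(store: dict[int, Profile], current_user: int,
                            profile_id: int, payload: dict[str, Any]) -> Profile:
    profile = store.get(profile_id)
    # Object-level authorization: the caller must own the object.  A missing
    # profile and someone else's profile get the same answer so ids cannot be
    # enumerated by comparing responses.
    if profile is None or profile.owner_id != current_user:
        raise Forbidden("profile not found")
    # Mass-assignment defence: reject, rather than silently drop, unknown keys
    # so a client cannot probe for hidden properties.
    extra = set(payload) - WRITABLE_FIELDS
    if extra:
        raise Forbidden(f"read-only or unknown fields: {sorted(extra)}")
    for key, value in payload.items():
        setattr(profile, key, value)
    return profile


def attempt(handler, current_user: int, profile_id: int,
            payload: dict[str, Any]) -> dict[str, Any]:
    """Run a handler against a fresh store and report what happened to profile 1."""
    store = make_store()
    try:
        handler(store, current_user, profile_id, payload)
    except Forbidden as exc:
        return {"status": "forbidden", "reason": str(exc), "victim": store[1]}
    return {"status": "ok", "victim": store[1]}


if __name__ == "__main__":
    # User 2 tries to rewrite user 1's profile and promote it to admin.
    evil = {"email": "attacker@example.com", "is_admin": True}
    print(attempt(update_profile_vulnerable, 2, 1, evil))
    print(attempt(update_profile_hardened, 2, 1, evil))
```

Note that the hardened handler rejects unknown fields instead of ignoring them: silently dropping `is_admin` would hide the probing attempt from your logs and still let an attacker test which property names exist.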
Cloudflare API Shield Features
API L7 DDoS Protection
This feature protects against layer 7 (application-layer) DDoS attacks. By combining rate limiting, per-client API usage limits and Cloudflare's DDoS protection, it absorbs floods of otherwise valid-looking requests and throttles brute-force attempts to log in.
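Rate limiting is the mechanism behind both this feature and the Lack of Resources & Rate Limiting risk listed above. Here is an added example, not Cloudflare's code, of a token-bucket limiter keyed by client and endpoint, with a much tighter budget on the login route than on a read endpoint; the limits and the request trace are constructed for the illustration.

```python
"""Added example: per-client, per-endpoint token-bucket rate limiting of the
kind used to blunt layer 7 floods and login brute forcing.  The limits and
the request trace are constructed for the illustration."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    capacity: float        # burst size
    refill_per_sec: float  # sustained rate
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        """Refill in proportion to elapsed time, then spend one token if available."""
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


# (burst, sustained requests per second).  Login gets a tight budget because a
# legitimate user needs only a few attempts; a read endpoint can be generous.
LIMITS = {
    "/api/login": (5, 5 / 60),       # 5 attempts, then 5 per minute
    "*":          (100, 100 / 60),   # default for everything else
}


class RateLimiter:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.buckets: dict[tuple[str, str], TokenBucket] = {}

    def allow(self, client: str, path: str, now: float) -> bool:
        """client is whatever identifies the caller (source IP, API key, ...)."""
        capacity, rate = self.limits.get(path, self.limits["*"])
        bucket = self.buckets.get((client, path))
        if bucket is None:
            bucket = TokenBucket(capacity, rate, capacity, now)
            self.buckets[(client, path)] = bucket
        return bucket.take(now)


def replay(trace) -> dict[str, int]:
    """Feed (time, client, path) tuples through a fresh limiter and return how
    many requests each client got through."""
    limiter = RateLimiter()
    allowed: dict[str, int] = {}
    for now, client, path in trace:
        allowed.setdefault(client, 0)
        if limiter.allow(client, path, now):
            allowed[client] += 1
    return allowed


# Constructed trace: one client hits the login endpoint 20 times in two seconds
# (password guessing) while a normal client reads three pages over two seconds.
TRACE = [(i / 10, "203.0.113.5", "/api/login") for i in range(20)] + [
    (0.0, "198.51.100.7", "/api/items"),
    (1.0, "198.51.100.7", "/api/items"),
    (2.0, "198.51.100.7", "/api/items"),
]

if __name__ == "__main__":
    print(replay(TRACE))   # {'203.0.113.5': 5, '198.51.100.7': 3}
```

The guessing client gets its five-attempt burst and nothing more until tokens trickle back at five per minute, while the ordinary client is untouched; keying on the endpoint as well as the client is what lets the login route be strict without penalising normal browsing.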
Schema Validation
A schema is the basis of a positive security model: a set of rules describing exactly how clients are expected to interact with an API. In a negative security model the system describes what a malicious request looks like (signatures, blocklists) and blocks matches, letting everything else through; a positive model does the opposite and only forwards requests that conform to the schema, rejecting everything else by default. The schema defines the paths and methods available on each endpoint and the parameters (inputs and outputs) of every operation. The most widely used format for describing an API is OpenAPI v3 (formerly known as Swagger), the de facto standard for describing RESTful interfaces.
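As an added example of the positive model (not Cloudflare's validator, and driven by a constructed OpenAPI document), the following checks a request's method, path, query parameters and JSON body against the document and rejects anything the document does not describe. It implements only the small JSON Schema subset the document uses.

```python
"""Added example: a positive-security-model request validator driven by a
(constructed) OpenAPI v3 document.  Anything the document does not describe
is rejected.  Only a small subset of JSON Schema is implemented here."""
import re
from typing import Any, Optional

# Constructed OpenAPI v3 document for a two-endpoint user service.
OPENAPI: dict[str, Any] = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {
            "get": {"parameters": [
                {"name": "page", "in": "query", "schema": {"type": "integer"}}]},
        },
        "/users/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "schema": {"type": "integer"}}]},
            "patch": {
                "parameters": [
                    {"name": "id", "in": "path", "schema": {"type": "integer"}}],
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "required": ["email"],
                    "additionalProperties": False,
                    "properties": {
                        "email": {"type": "string", "maxLength": 254},
                        "display_name": {"type": "string", "maxLength": 64},
                    }}}}},
            },
        },
    },
}


def check_schema(value: Any, schema: dict[str, Any]) -> Optional[str]:
    """Validate value against the type/required/properties/additionalProperties/
    maxLength subset of JSON Schema.  Returns None, or the reason it fails."""
    kind = schema.get("type")
    if kind == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            return "expected integer"
    elif kind == "string":
        if not isinstance(value, str):
            return "expected string"
        if len(value) > schema.get("maxLength", float("inf")):
            return f"longer than {schema['maxLength']} characters"
    elif kind == "object":
        if not isinstance(value, dict):
            return "expected object"
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                return f"missing required property {name}"
        if schema.get("additionalProperties", True) is False:
            extra = sorted(set(value) - set(props))
            if extra:
                return f"unexpected properties {extra}"
        for name, sub in value.items():
            if name in props:
                err = check_schema(sub, props[name])
                if err:
                    return f"{name}: {err}"
    return None


def match_template(template: str, path: str) -> Optional[dict[str, str]]:
    """Match a concrete path against a template like "/users/{id}"."""
    parts = re.split(r"\{(\w+)\}", template)  # literal, name, literal, ...
    pattern = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/]+)"
                      for i, p in enumerate(parts))
    m = re.fullmatch(pattern, path)
    return m.groupdict() if m else None


def coerce(raw: str, schema: dict[str, Any]) -> Any:
    """Path and query values arrive as strings; convert to the declared type."""
    if schema.get("type") == "integer":
        return int(raw) if re.fullmatch(r"-?\d+", raw) else None
    return raw


def validate(method: str, path: str, query: Optional[dict[str, str]] = None,
             body: Any = None, spec: dict[str, Any] = OPENAPI) -> Optional[str]:
    """Return None if the request conforms to the spec, otherwise why not."""
    for template, ops in spec["paths"].items():
        params = match_template(template, path)
        if params is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return f"{method} not allowed on {template}"
        declared = {(p["in"], p["name"]): p["schema"] for p in op.get("parameters", [])}
        for name, raw in params.items():
            schema = declared.get(("path", name), {})
            if coerce(raw, schema) is None:
                return f"path parameter {name} must be {schema['type']}"
        for name, raw in (query or {}).items():
            schema = declared.get(("query", name))
            if schema is None:
                return f"unexpected query parameter {name}"
            if coerce(raw, schema) is None:
                return f"query parameter {name} must be {schema['type']}"
        body_spec = op.get("requestBody")
        if body_spec is None:
            return "request body not allowed" if body is not None else None
        schema = body_spec["content"]["application/json"]["schema"]
        err = check_schema(body, schema)
        return f"body: {err}" if err else None
    return f"unknown path {path}"
```

Every rejection here comes from something the document did not say, not from a signature of something bad: an undeclared query parameter, a method the path does not list, an extra body property. That is the practical difference between the two models.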
Mutual TLS (mTLS)
Certificate-based identity is verified with mutual TLS: the client must present a certificate issued by a certificate authority you trust before the TLS handshake completes. This is a positive, allowlist model well suited to mobile apps and IoT devices, where you control the client and can provision a certificate for each one; connections from clients with no certificate or an invalid one are rejected before any request reaches the API.
Exposed Credentials Checks
Sometimes credentials are exposed in third-party database breaches. When that happens, attackers take those username and password pairs and try them against your website (credential stuffing). To counter this, the security system compares the credentials submitted in a login request against a database of known leaked credentials. If there is a match, the request can be blocked, challenged, or forwarded to your application with a header flagging the match, so that the application can require multi-factor authentication or a password reset before granting access.
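The privacy of the lookup matters: a login service should not hand plaintext credentials to a third party just to check them. The added example below (a simplified stand-in, not Cloudflare's implementation, and checking passwords only rather than username/password pairs) shows both sides of a k-anonymity range query over a constructed breach corpus, and a login policy that steps up to MFA and a password reset on a match.

```python
"""Added example: checking a submitted password against a leaked-credential
corpus with a k-anonymity range query, so the checking service never sees the
password or its full hash.  The corpus is constructed for the illustration."""
import hashlib

# --- breach-database side ----------------------------------------------------
# Constructed corpus of passwords known from third-party breaches.
LEAKED_PASSWORDS = ["password123", "letmein", "qwerty", "summer2020"]

# Index: first 5 hex chars of SHA-1(password) -> set of the remaining 35 chars.
# SHA-1 is only a lookup key here; this is not how passwords should be stored.
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in LEAKED_PASSWORDS:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_query(prefix: str) -> set[str]:
    """Message 2 of the exchange: given only a prefix, return every suffix in
    that bucket.  With a real corpus each bucket holds hundreds of entries, so
    the service learns nothing about which one (if any) the caller cares about."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return set(BREACH_INDEX.get(prefix, set()))


# --- login-handling side ------------------------------------------------------
def is_exposed(password: str) -> bool:
    """Message 1 of the exchange is the 5-char prefix only; the full-hash
    comparison happens locally, so the password never leaves this side."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def login_decision(username: str, password: str, password_correct: bool) -> dict:
    """Example policy, not Cloudflare's: password_correct is the result of
    verifying against your own password store.  A correct but leaked password
    must not grant a session on its own."""
    if not password_correct:
        return {"user": username, "action": "reject"}
    if is_exposed(password):
        return {"user": username, "action": "require_mfa_and_reset", "exposed": True}
    return {"user": username, "action": "allow", "exposed": False}


if __name__ == "__main__":
    print(login_decision("alice", "letmein", True))
    print(login_decision("alice", "correct horse battery staple", True))
```

The check runs after your own password verification, not instead of it, and a wrong password is rejected without consulting the corpus at all so that the lookup cannot be used as an oracle for guessing.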
API Discovery
If you don't know it's there, you can't protect it. It's that simple. When a company has thousands of API endpoints, undocumented ones (shadow or rogue APIs) quickly become a weak spot and a complex issue to resolve. Automatic API discovery addresses this by learning endpoints from real traffic, so every endpoint is discovered and monitored, including those nobody documented.
Volumetric Abuse Detection
Individual API endpoints can experience volumetric anomalies: a surge in requests that is not a full-scale DDoS but still indicates abuse. No single threshold works for every endpoint, because each one is normally called a different number of times and needs its own limit.
This feature uses unsupervised machine learning to establish a separate baseline for every endpoint, predicting how many requests that endpoint normally receives. If the endpoint that resets passwords usually sees a handful of requests per minute and suddenly receives 150, the traffic is flagged as anomalous, since it is very likely an account takeover attempt, and can be rate limited or blocked.
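Both this feature and the API discovery feature above work from the same raw material, the access log. The added example below (not Cloudflare's code; the log lines, inventory and per-minute history are constructed, and a mean-plus-k-standard-deviations baseline stands in for the unsupervised model) first lists endpoints seen in traffic but missing from the documented inventory, then computes a separate threshold per endpoint, so that 60 requests a minute is anomalous for the password-reset endpoint but normal for the user lookup.

```python
"""Added example: two analyses over constructed API access logs.  Part 1 finds
endpoints that traffic reveals but the documented inventory does not list
(shadow APIs).  Part 2 builds a separate baseline per endpoint and flags a
request volume that is abnormal for that endpoint.  The statistical baseline
is a simple stand-in for the unsupervised model the page describes."""
import re
import statistics

# Constructed access-log lines: "<minute> <client-ip> <method> <path> <status>".
ACCESS_LOG = """\
00 203.0.113.5 GET /api/v1/users/42 200
00 203.0.113.5 GET /api/v1/users/42/orders 200
01 198.51.100.7 POST /api/v1/password/reset 200
01 203.0.113.5 GET /api/v1/users/7 200
02 192.0.2.9 GET /api/v2/users/7 200
02 192.0.2.9 GET /internal/debug/config 200
03 198.51.100.7 POST /api/v1/password/reset 200
03 192.0.2.9 GET /api/v1/users/3f2a9c1e-5b7d-4c8e-9a1b-2c3d4e5f6a7b 404
""".splitlines()

# The endpoints the team thinks it exposes (constructed inventory).
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("GET", "/api/v1/users/{id}/orders"),
    ("POST", "/api/v1/password/reset"),
}

ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$")


def normalize(path: str) -> str:
    """Collapse numeric and UUID segments so /users/42 and /users/7 are one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def parse(lines):
    for line in lines:
        minute, ip, method, path, status = line.split()
        yield int(minute), ip, method, normalize(path), int(status)


def shadow_endpoints(lines):
    """Endpoints seen in traffic that are absent from the documented inventory."""
    seen = {(method, path) for _, _, method, path, _ in parse(lines)}
    return sorted(seen - DOCUMENTED)


# Constructed per-minute request counts for two endpoints over 20 quiet minutes.
HISTORY = {
    ("POST", "/api/v1/password/reset"):
        [2, 1, 3, 2, 2, 1, 0, 2, 3, 2, 1, 2, 2, 1, 3, 2, 2, 1, 2, 2],
    ("GET", "/api/v1/users/{id}"):
        [40, 55, 38, 47, 52, 44, 49, 41, 58, 45, 50, 43, 47, 53, 39, 46, 51, 44, 48, 50],
}


def threshold(endpoint, k: float = 3.0, history=HISTORY) -> float:
    """Per-endpoint limit: mean plus k standard deviations of that endpoint's
    own history.  The deviation is floored at 1 so a nearly flat history still
    leaves some slack instead of flagging every small fluctuation."""
    counts = history[endpoint]
    return statistics.mean(counts) + k * max(statistics.stdev(counts), 1.0)


def is_anomalous(endpoint, requests_this_minute: int, k: float = 3.0) -> bool:
    return requests_this_minute > threshold(endpoint, k)


if __name__ == "__main__":
    print(shadow_endpoints(ACCESS_LOG))
    reset = ("POST", "/api/v1/password/reset")
    users = ("GET", "/api/v1/users/{id}")
    for endpoint in (reset, users):
        print(endpoint, round(threshold(endpoint), 1))
    print(is_anomalous(reset, 150), is_anomalous(users, 60), is_anomalous(reset, 60))
```

The normalisation step is what makes discovery usable: without collapsing identifiers, every user id would look like a distinct endpoint and the inventory comparison would be noise. In a real deployment the thresholds would be recomputed continuously and fed into rate-limiting rules rather than evaluated by hand.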
Final Words On The Cloudflare API Shield
We hope we have convinced you of the utility that Cloudflare API Shield can bring to the table when it comes to protecting your business.
Cloudflare as a company has been committed to improving and protecting the businesses that they work with, and we are very excited for what the future will bring.
If you wish to find out how you can make the most out of Cloudflare API Shield you can contact us right here. We will be more than happy to lend our experience and passion for technology and business scaling! We will schedule a call right away to create an action plan that will help us take you from your vision to a satisfying and profitable reality!
We hope to hear from you soon!