Cloudflare has announced a set of new services that are intended to bolster application security by limiting API abuse. The new API Discovery and API Abuse Detection tools are designed to provide critical context for application security issues that are often handled through overly simplistic measures.
In announcing these new products, Cloudflare highlighted a correlation between an ever-increasing number of APIs that exist throughout enterprise applications and an increased surface area that application owners are tasked with protecting from security vulnerabilities. Whether the issue is APIs being used for unintended purposes or distributed attacks, its clear that application owners need to take API abuse seriously.
These problems aren’t new, and Cloudflare explains that existing security measures such as rate-limiting are effective, but struggle to Function properly without proper insight into how to set the point at which you throttle access. Similarly, the company notes that DDoS attacks can be mitigated through various measures, but without real-time analytics, it is challenging to determine what portion of the increased traffic is legitimate and what is potentially nefarious. For these reasons, Cloudflare decided to design a solution that hopes to limit API abuse by analyzing the intent behind API usage anomalies.
First up is the new API Discovery tool, which Cloudflare uses to help customers map out all APIs that have been implemented in their application. This provides a starting point for a broader analysis of how API security is performing and what risk mitigation steps remain necessary.
Additionally, the new API Abuse Detection service looks for volumetric anomalies and then applies flexible rate-limiting that is designed to be responsive to application changes. The amount of traffic designated for each API is based on the result of API mapping and intent analysis. This service also adds “sequential anomaly detection” which Cloudflare describes as:
“… we start by running path normalization to find a finite set of states. In one test, this process reduced about 10,000 states to just 60, massively simplifying the API problem. Then we use Markov Chains to build a transition matrix, which is a map of all the states and where they commonly lead. We finish by assigning probabilities to each transition.”
This process allows Cloudflare to visualize movement on a site and infer intent based on this movement.
These new products are not yet generally available, although that should change in the next several months. Developers interested in utilizing these tools sooner should reach out to the company.