A report published by Cloudflare today finds machine learning algorithms employed by the content delivery network (CDN) provider found 31% more REST application programming interface (API) endpoints than its customers have self-reported. More than 15,000 accounts using Cloudflare had API endpoints that were only discovered using machine learning algorithms.

In addition, the report noted that a third (33%) of API mitigations involved blocking distributed denial-of-service (DDoS) attacks.

Overall, API requests now account for 57% of the internet traffic flowing across the Cloudflare CDN, the report found.

John Cosgrove, a product manager for Cloudflare, said the report makes it clear that given the current lack of visibility into that traffic, more organizations need to focus on discovering external-facing APIs that need to be secured.

The issue many organizations encounter is that it’s not always clear who is responsible for API security. Developers routinely create APIs to share data. The bulk of those APIs are based on REST architecture, but other types of APIs based on, for example, GraphQL, are now gaining traction as well. The core problem is that the developers that create these APIs don’t have a lot of cybersecurity expertise, so there’s plenty of opportunity for mistakes to be made that enable cybercriminals to exfiltrate data via an API.

Cybersecurity teams don’t tend to have much visibility into how these APIs are being created and deployed. As a result, all these APIs become a type of unsecured endpoint. Fortunately, the bulk of these APIs are internally facing, so the immediate crux of the issue is the security of the APIs that are externally accessible. While there are fewer of these APIs, cybersecurity teams should remember that it doesn’t take much for development teams to make an internal API accessible to external users. An API that may seem secure enough today can become a very big issue tomorrow when some business unit decides to make an existing API accessible to some entity outside the company for whatever reason.

In theory, at least, developers are assuming more responsibility for API security as part of the general shift left of responsibility for application security via adoption of DevSecOps best practices. However, the number of APIs that have already been created measures in the millions, with many so-called rogue APIs being deployed that cybersecurity teams don’t know exist. There are also untold numbers of “Zombie APIs” that have been abandoned by development teams but which still provide access to data.

Ultimately, the same cybersecurity issues that have plagued web applications for years also affect APIs. The problem is there are orders of magnitude more insecure APIs than web applications. Cybersecurity teams today don’t have a lot of API security expertise, so the probability most organizations will experience an API security issue is fairly high.

Naturally, the responsibility for securing APIs often falls to cybersecurity teams, who will be held accountable for any breach. The issue is that, as always, cybersecurity teams can’t secure endpoints they don’t know exist.