Cloudflare's Traffic Control Could Be Used to Target Specific API Security Concerns

One of the things we at ProgrammableWeb often discuss is how organizations that are embarking on their API journey should seek out a comprehensive API management solution to support their journeys. The rationale we use is pretty simple. If you were to launch a blog for your company, you wouldn't roll your own content management and publishing system, would you? You'd use one of the cloud-based blogging systems like Wordpress or maybe download and run your own on-premises version. In our minds, the same holds true for API management. Managing the entire API management lifecycle is already difficult as it is and there are over a dozen relatively mature offerings on the market. Do you really want to write a few million lines of code to re-invent a wheel that's already been invented and that continues to evolve according to the market's needs? 

Even so, there are a lot of organizations that insist that if they do it themselves, they can do it better and it will be better tuned to the needs of the business they run in the industry that they run it in. We're not so sure. But rather than argue, we're happy to acknowledge the pioneering spirit while, from time to time, pointing out a la carte solutions that might cover them for some functionality that might otherwise be included in a comprehensive API management offering. If you're concerned about API security and don't have all the bases covered by what you've got in place, you might give a closer look to Cloudflare's Traffic Control, announced today by the San Francisco, CA-based company. 

So, what problem does Cloudflare's Traffic Control solve? It was just yesterday that we published a list of the top five things that every organization with APIs (or even without them) should do immediately in response to last week's breach of over 500 million Yahoo! end user accounts. Historically, when large databases involving user credentials have been breached the way Yahoo was, another wave of breaches follow as the hackers try to use the credentials they discovered to break into other sites -- a technique known as credential stuffing. While these attempted break-ins often involve the standard user login process, they also involve the target sites' APIs. Essentially, the hackers are looking for (or already know about) APIs that are protected by nothing more than user ID and password (otherwise known in the API business as "basic Authentication"). But even with APIs that are only protected by basic authentication, the implementation of a rate limiter can stop hackers from running software bots that loop through thousands of user ID and password combinations until one works. 

Such Rate Limiting is one of the features of Cloudflare's Traffic Control. According to a prepared release from Cloudflare, API providers can "set specific request limits, per second or for a longer time period, for individual URLs or patterns, and with matching parameters including IP address, headers, and HTTP response codes." If it's true (we haven't tested the feature), what this means is that Cloudflare's rate limiting technology is configurable in a way that supports pattern-based rate-limiting. In other words, it could be programmed to tell the difference between attempted credential stuffing and legitimate authentication and API requests. Cloudflare's Traffic Control has some other features that hang together nicely with the rate limiting feature and that taken together, could help you to better manage Endpoint security. These include custom responses and traffic profiling.

Be sure to read the next Security article: Node.js Foundation to Oversee Node.js Security Project