
What is API Security?

August 12, 2025 | 10 MIN READ

by Jeff Harrell

A stylized depiction of the API lifecycle.

Today’s world is software-driven and widely interconnected. From banking to social media, that software communicates through an intricate web of application programming interfaces (APIs). They are particularly crucial in creating links between online services, allowing for the rapid development and deployment of new applications, and enabling existing systems to expand their functionality with minimal changes. No matter an organization’s size or industry, it’s assuredly running numerous – often thousands – of APIs.

An API is a set of rules and protocols for building and interacting with software applications. It defines the methods and data formats that developers use when programming software components to interact with each other. Essentially, APIs allow different pieces of software to connect and communicate with each other without needing to know how they’re implemented. This abstraction enables developers to build complex systems more efficiently and makes it easier to integrate disparate systems.


The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to improving software security. It produces security reference frameworks of categorized security risks intended to be baseline security controls for application security practitioners to follow. One of the most well-known is the OWASP Application Security Top 10. It is a testament to the importance of APIs and their protection that OWASP now maintains a separate API Security Top 10 to help guide best practices.

The most recent version of the OWASP API Security Top 10 was released in 2023 and includes the following categories. As you can see, the risks are quite broad – security practitioners have their work cut out for them.

  1. API1:2023 – Broken Object Level Authorization
  2. API2:2023 – Broken Authentication
  3. API3:2023 – Broken Object Property Level Authorization
  4. API4:2023 – Unrestricted Resource Consumption
  5. API5:2023 – Broken Function Level Authorization
  6. API6:2023 – Unrestricted Access to Sensitive Business Flows
  7. API7:2023 – Server-Side Request Forgery
  8. API8:2023 – Security Misconfiguration
  9. API9:2023 – Improper Inventory Management
  10. API10:2023 – Unsafe Consumption of APIs

We’ve also written a deep dive into the OWASP API Security Top 10 if you’d like more detail.

APIs have become the core communication method for today’s internet-connected systems. A recent report revealed that over 50% of dynamic internet traffic came from APIs. They are used to connect user-facing applications with back-end systems, internal applications to each other, and even to external organizations. APIs are well-documented, easy-to-use portals to the organization’s network and its critical customer and company data, which makes them a common target of attack. If an API is compromised, the data accessible by that API – whether it be financial information, customer details, or other sensitive data – is at risk.

The security of APIs is essential not only for safeguarding sensitive information but also for ensuring that the services provided by APIs remain reliable and available. Effective API security controls prevent unauthorized access and data breaches, which are critical in maintaining user trust and compliance with data protection regulations.

The Business Cost of API Vulnerabilities

Security vulnerabilities in APIs can impact an organization’s business in many ways. Exploited API vulnerabilities can lead to loss of revenue, data exposure or data loss, reputational damage, and operational disruptions such as downtime. Organizations also need to be aware of third-party API risks which can lead to supply chain attacks, which can occur when a third-party system is compromised and used to launch attacks on other organizations. Read more about the business impacts of API security breaches.

Some high-profile breaches that occurred due to API attacks include:

  • Duolingo leaked data on 2.6 million users due to insufficient authentication methods.
  • Attackers exploited a Facebook API to steal the access tokens for 30 million users.
  • Twitter’s API was exploited to gain access to 250,000 user accounts.

Read more about recent API security breaches.

Industry-Specific API Security Challenges

Industry verticals often have their own, industry-specific API security challenges. For example, healthcare is subject to strict data privacy regulations such as HIPAA and holds highly private information about the patients in its care. Financial services must comply with regulations such as GLBA, PSD2, and DORA, have a high number of API interconnections with other organizations, and are always among the industries most targeted by malicious actors. Retail organizations that process credit cards must comply with PCI DSS and must defend against account takeover (ATO), price scraping, credential stuffing, and many other attacks, often at high volume.

Why Are Authentication and Authorization Crucial for API Security?

In the context of API security, authentication determines whether someone can access an API, and once authenticated, authorization determines what data and functions they can access. There are several common methods of authenticating API users, including:

  • Username and password combination – standard credentials can be added to API requests to access an API and are checked against a database to determine access.
  • API key – clients may be assigned an API key, a unique string of characters, to use a particular API, and the key can be embedded in the API request. It is critical that these requests are encrypted in transit (for example with TLS) so that attackers cannot extract the API key from the request and use it themselves.
  • OAuth token – the OAuth protocol uses a trusted authentication server to ensure the client is who they say they are. This enables authentication without sharing user credentials.

Whatever model is used, it’s critical to be aware of all APIs in use by the organization and ensure the authentication methods are strong.
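The authentication and authorization split described above, as an added example that is not code from the original post or from Cequence: a request handler that authenticates a caller either by API key or by a signed bearer token, and only then checks whether the caller holds the scope the function requires. The key store, the shared token secret, the scope names and the HMAC-signed token format (a simplified stand-in for an OAuth access token) are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key store. The server keeps only a SHA-256 digest of each
# issued API key, never the raw key, so a leaked table does not leak keys.
# (Hypothetical keys, not real credentials.)
API_KEY_STORE = {
    hashlib.sha256(b"demo-key-alice-0001").hexdigest(): {"client": "alice", "scopes": {"orders:read"}},
    hashlib.sha256(b"demo-key-bob-0002").hexdigest(): {"client": "bob", "scopes": {"orders:read", "orders:write"}},
}

# Hypothetical secret shared between the authorization server and this API,
# used to verify HMAC-signed bearer tokens (simplified stand-in for OAuth/JWT).
TOKEN_SECRET = b"demo-shared-secret-do-not-use"


def authenticate_api_key(presented_key: str):
    """Return the principal for a presented API key, or None if unknown.

    The digest of the presented key is compared with hmac.compare_digest so the
    comparison time does not leak how many bytes matched.
    """
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    for stored_digest, principal in API_KEY_STORE.items():
        if hmac.compare_digest(digest, stored_digest):
            return principal
    return None


def issue_token(client: str, scopes, ttl_seconds: int = 300, now=None) -> str:
    """Mint a signed bearer token: base64(payload) '.' base64(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": client, "scopes": sorted(scopes), "exp": now + ttl_seconds}).encode()
    sig = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def authenticate_token(token: str, now=None):
    """Verify the signature and expiry of a bearer token; return the principal or None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None  # expired token
    return {"client": claims["sub"], "scopes": set(claims["scopes"])}


def authorize(principal, required_scope: str) -> bool:
    """Authorization: a successfully authenticated caller may still lack the scope."""
    return principal is not None and required_scope in principal["scopes"]


def handle_request(headers: dict, required_scope: str, now=None) -> int:
    """Return an HTTP status: 401 when unauthenticated, 403 when unauthorized, 200 otherwise."""
    principal = None
    if "X-API-Key" in headers:
        principal = authenticate_api_key(headers["X-API-Key"])
    elif headers.get("Authorization", "").startswith("Bearer "):
        principal = authenticate_token(headers["Authorization"][len("Bearer "):], now=now)
    if principal is None:
        return 401
    if not authorize(principal, required_scope):
        return 403
    return 200


if __name__ == "__main__":
    print(handle_request({"X-API-Key": "demo-key-alice-0001"}, "orders:read"))   # 200
    print(handle_request({"X-API-Key": "demo-key-alice-0001"}, "orders:write"))  # 403
    tok = issue_token("bob", {"orders:write"})
    print(handle_request({"Authorization": "Bearer " + tok}, "orders:write"))     # 200
```

The two outcomes are deliberately distinct: a caller that cannot be identified gets 401, while an identified caller without the right scope gets 403. Conflating the two is how an authenticated-but-unauthorized request ends up served.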

Users typically interact directly with applications, while APIs are utilized behind the scenes for software-to-software connections. Application security protects the application itself, while API security focuses on APIs and their transactions with other APIs.

Applications used to be the primary entry point to an organization and its data, but the proliferation of APIs has added a new attack surface that attackers can exploit. While attackers may previously have focused on applications, they now often attack the underlying APIs directly. This has required organizations to employ API security controls in addition to the application security tools and processes they likely already had in place.

There are several types of APIs developed over the years for different types of data and transactions. Some of the most common include:

  • SOAP – a mature, XML-based API architecture used when security and reliability are important, such as in financial services. It’s also complex and verbose and perhaps not an ideal choice when speed is a factor.
  • REST – an architecture built on top of HTTP methods that is widely used by web services such as YouTube. It’s easy to implement, but not the best API to use for real-time data.
  • GraphQL – originally developed by Facebook, it allows clients to ask for specific data, eliminating over- or under-fetching. It’s fast and efficient, making it an excellent choice for applications with granular data requirements.
  • gRPC – a modern, high-performance architecture ideal for microservices.

APIs are designed for software to interact with other software, with no user interface or front-end. This means traditional forms of web and application security, such as a Web Application Firewall (WAF) or API gateway, are not enough on their own:

  • Web Application Firewalls: As the name implies, WAFs focus on protecting the web applications themselves, not necessarily the underlying APIs. WAFs are still an important complementary part of a security program but shouldn’t be relied upon to protect APIs.
  • API Gateways: API gateways help organizations aggregate and manage APIs and provide basic security functions such as rate limiting and IP blocking. However, security is not their main function, and they are not a complete API security solution.

Every organization has different priorities when it comes to API security, but it’s important to view it holistically and address the full API lifecycle, from development to production. API security best practices include:

  • API attack surface discovery: What does a potential attacker see when they scan for potential APIs? API attack surface discovery can discover accidental and unknown exposure of APIs and related resources.
  • API inventory and risk assessment: Cataloging APIs goes beyond external attack surface discovery and can be a revelation for a security team, revealing just how many internal and external APIs exist across an organization. The inventory should determine not just which APIs are in use, but what department owns each one, and whether there are any known risks associated with them. Inventory and risk assessment should also be done continually to identify and assess new APIs as they come online.
  • API threat detection: There are numerous ways for attackers to take advantage of weak API authentication or any other API vulnerability. A good detection process will scan for business logic abuses, data leaks, and other common attack types.
  • API attack response: Controls should be in place to detect API attacks and general API abuse. Any API, even one that is coded perfectly, can be subject to an attack. Appropriate responses include mitigation such as logging, alerting, and blocking. Blocking should ideally be done natively, without relying on an external, third-party product that may not be able to handle the load that a full-on attack typically creates.
  • Pre-production and runtime application security testing: API security testing should be part of the DevOps process as part of a “shift left, shield right” strategy to ensure that APIs are secure prior to deployment, and stay that way after implementation.

No matter your industry or the size of your organization, there’s a good chance your level of API usage deserves a comprehensive response. Anything less could leave your vital applications and sensitive data vulnerable, as API attacks aren’t slowing down.

Malicious bots, or automated attack software, are one of the biggest threats to APIs, but bots can attack applications as well, so they’re not an API-only problem. However, bots are a major attack vehicle for APIs and a good API security program must include bot management. Common bot attacks include:

  • Account takeovers (ATO)
  • Fake account creation
  • Distributed denial of service (DDoS)
  • Gift card or loyalty program abuse

Many of today’s bot management solutions require client- or server-side code changes or are unable to handle the scale of today’s distributed bot attacks, so a successful API security and bot management program needs a solution that pushes beyond those boundaries.
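Detection logic for two of the bot patterns listed above, credential stuffing (a precursor to account takeover) and fake account creation, as an added example that is not part of the original post or of Cequence’s products. It parses a few constructed access-log lines (hypothetical IPs and usernames) and flags sources that fail logins across many distinct accounts, or that create accounts in bursts. The log format, field names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical IPs and usernames).
SAMPLE_LOG = """\
2025-08-12T10:00:01Z 203.0.113.7 POST /api/login 401 user=alice
2025-08-12T10:00:01Z 203.0.113.7 POST /api/login 401 user=bob
2025-08-12T10:00:02Z 203.0.113.7 POST /api/login 401 user=carol
2025-08-12T10:00:02Z 203.0.113.7 POST /api/login 401 user=dave
2025-08-12T10:00:03Z 203.0.113.7 POST /api/login 200 user=erin
2025-08-12T10:00:03Z 203.0.113.7 POST /api/login 401 user=frank
2025-08-12T10:00:05Z 198.51.100.2 POST /api/login 401 user=grace
2025-08-12T10:00:09Z 198.51.100.2 POST /api/login 200 user=grace
2025-08-12T10:00:10Z 192.0.2.9 POST /api/signup 201 user=new1
2025-08-12T10:00:10Z 192.0.2.9 POST /api/signup 201 user=new2
2025-08-12T10:00:11Z 192.0.2.9 POST /api/signup 201 user=new3
2025-08-12T10:00:11Z 192.0.2.9 POST /api/signup 201 user=new4
2025-08-12T10:00:12Z 198.51.100.2 GET /api/orders/1 200 user=grace
"""

# Assumed line layout: timestamp, source IP, method, path, status, user=<name>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")


def parse(log_text: str):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, status, user = m.groups()
            events.append({"ts": ts, "ip": ip, "method": method, "path": path,
                           "status": int(status), "user": user})
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_failure_ratio=0.6):
    """Flag sources that attempt logins for many distinct accounts with mostly failures.

    A real user retrying their own password touches one account; a stuffing bot
    walks a list of leaked credentials and touches many.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for e in events:
        if e["path"] == "/api/login" and e["method"] == "POST":
            s = per_ip[e["ip"]]
            s["users"].add(e["user"])
            s["attempts"] += 1
            if e["status"] == 401:
                s["failures"] += 1
    findings = []
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            findings.append({"ip": ip, "distinct_users": len(s["users"]), "failure_ratio": round(ratio, 2)})
    return findings


def detect_signup_burst(events, min_signups=3):
    """Flag sources that create several accounts; humans rarely need more than one."""
    per_ip = defaultdict(int)
    for e in events:
        if e["path"] == "/api/signup" and e["status"] == 201:
            per_ip[e["ip"]] += 1
    return [{"ip": ip, "signups": n} for ip, n in per_ip.items() if n >= min_signups]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(detect_credential_stuffing(evs))
    print(detect_signup_burst(evs))
```

Both detectors key on the source IP for simplicity; distributed bot traffic spreads attempts across many addresses, which is why a production detector also groups by device fingerprint, session, or the account being targeted.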

It may seem daunting, but getting started with API security is best done by breaking it down into steps. Start by doing a lightweight, outside-in assessment of your public-facing APIs so you can see what an attacker would see. Then you can move on to full API discovery and inventory, protection, and security testing. A very low friction way to get started is with Cequence’s free API security assessment. Give it a try and take the first step on your API security journey.

Other Frequently Asked Questions

How Big Is the API Security Problem?

API usage has exploded as companies have moved their infrastructure to the cloud and leveraged microservices, which use APIs to connect to each other. This has dramatically expanded the attack surface, especially as many organizations lack the discovery and defense tools necessary to protect APIs. The lack of effective defense tools is evident in the sharp rise of API-related security incidents and breaches such as those at Trello and Twilio.

What Are the Most Common API Misconfiguration Mistakes?

APIs are highly flexible, and with that flexibility comes a wide range of potential misconfiguration risks. Common API misconfiguration errors include:

  • Broken object-level authorization, or BOLA, is a misconfiguration or error that allows someone to access data (objects) that they don’t have the authorization to access. BOLA attacks can occur even if authentication is correctly configured. BOLA is API1 on the OWASP Top 10 API Security Risks.
  • Broken (or lack of) authentication is very common and is the source of many of the larger security breaches. It enables anyone to access the API and whatever it connects to without credentials. This issue is API2 on the OWASP Top 10 API Security Risks.
  • Resource overuse occurs when API requests overload network bandwidth, CPU, memory, or other resources. The effect can be denial of service or increase in operational costs such as bandwidth or cloud costs. Unrestricted resource consumption is API4 on the OWASP Top 10 API Security Risks.
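Broken object-level authorization side by side with its fix, as an added example that is not code from the original post: the vulnerable handler serves any order whose id the client supplies, while the hardened handler scopes the lookup to the authenticated caller. The order data and the handler signatures are constructed for the example.

```python
# Constructed sample data: orders keyed by id, each owned by one account.
ORDERS = {
    "1001": {"owner": "alice", "total": 42.00, "ship_to": "alice's address"},
    "1002": {"owner": "bob", "total": 17.50, "ship_to": "bob's address"},
}


def get_order_vulnerable(caller: str, order_id: str):
    """BOLA (API1:2023): the caller is authenticated, but the handler trusts the
    client-supplied id and never checks that the caller owns the object."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_fixed(caller: str, order_id: str):
    """Hardened: authorization is evaluated per object. A foreign id is answered
    with 404 rather than 403 so the response does not confirm the id exists."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        return 404, None
    return 200, order


def count_readable(handler, caller: str, ids) -> int:
    """Defender's regression check: how many of the given ids can this account
    read through the handler? With the fix, the answer is only its own objects."""
    return sum(1 for oid in ids if handler(caller, oid)[0] == 200)


if __name__ == "__main__":
    print(count_readable(get_order_vulnerable, "bob", ORDERS))  # 2: bob reads alice's order too
    print(count_readable(get_order_fixed, "bob", ORDERS))       # 1: only bob's own order
```

The `count_readable` check is the kind of test worth keeping in the API test suite: it fails loudly if a later refactor drops the ownership clause.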

What are the Types of API Security?

The types of API security solutions available can include API gateways, web application firewalls (WAF), API-specific security tools and Unified API Protection. It’s important to understand how each of these tools addresses an organization’s API security requirements, which typically entail API discovery, threat and risk detection followed by mitigation and remediation.

API Gateways
API gateways are designed to aggregate and manage APIs. API gateways include basic security functions such as rate limiting and IP block lists. API gateways are unable to proactively discover APIs and do not perform threat detection, risk analysis, remediation or mitigation.

Web Application Firewall (WAF)
WAFs are designed to protect web applications and do not perform automated API discovery or uncover coding errors. WAFs use signatures to detect known vulnerabilities found in the OWASP Web Application Top 10 Threats list.

Shift-Left API Security
“Shift-Left API Security” is an API-specific toolset which focuses on improving API security by reducing errors and vulnerabilities in the development cycle prior to production. These tools typically don’t perform runtime activities such as API discovery, inventory, or threat posture management.

Unified API Protection
The most complete type of API security is a Unified API Protection solution, complete with API discovery, threat and risk detection followed by mitigation and remediation. Unified API Protection goes beyond using point products to address individual phases, such as compliance or testing, along with legacy security technologies to protect your APIs.

What is Unified API Protection?

Unified API Protection combines API security and bot management to protect APIs and applications. It covers the entire API protection lifecycle: API discovery, inventory, risk analysis and compliance, API security testing, threat detection, and attack mitigation. Unified API Protection goes beyond using point products to address individual phases, such as compliance or testing, along with legacy security technologies to protect your APIs.

Unified API Protection begins with the discovery and inventory of all public-facing APIs along with their associated resources. That inventory is then used to continually track all APIs – managed, unmanaged, shadow, zombie, third-party, internal and external.

Unified API Protection continues with compliance, accomplished by analyzing APIs to enforce OpenAPI specification conformance, and adherence to government regulations such as PCI. Compliance also entails continuous risk assessment to find coding errors quickly. Unified API Protection solutions include threat detection to find vulnerability exploits and business logic attacks.

Finally, Unified API Protection solutions also include API security testing and attack mitigation. API security testing uses API specific test cases to help security and development teams uncover and remediate errors in development as well as runtime. Attack mitigation includes logging, real-time blocking, and even deception for attack response without the need for third-party mitigation tools.

What is an API Vulnerability?

An API vulnerability is a weakness or flaw in the design, implementation, or configuration of an API that can be exploited by an attacker to gain unauthorized access, manipulate data, or disrupt services. Vulnerable APIs can allow attackers to bypass traditional security measures like firewalls or authentication layers.

What are Common API Security Risks and Types of API Attacks?

Common API security risks are those defined by the Open Web Application Security Project (OWASP) API Security Top 10, business logic attacks, and coding errors.

Each risk on the OWASP API Security Top 10 list comes with a threat definition and guidance on how to address it. Examples include sensitive data exposure, authentication errors, and missing resource and rate limiting. The top 10 list is just that, the top 10, so it’s important to use the OWASP API Top 10 as a starting point.

A common API security risk that is often overlooked is business logic abuse: attacks on perfectly coded APIs. Examples include large-scale shopping bots, enumeration attacks and account takeovers – all against properly coded APIs.

Another group of common API security risks is unknown vulnerability exploits caused by API coding errors. These risks place significant emphasis on API testing as well as continuous threat detection and mitigation to protect the improperly coded API while a fix is rolled out.

What is the difference between API Security and API Protection?

API security and API protection are two terms often used interchangeably in cybersecurity. However, these terms refer to distinct yet overlapping concepts. You can secure your APIs but clever hackers will always find a way to launch attacks on perfectly coded APIs. This is why organizations need to protect APIs in addition to securing them.

API security focuses on the principles and methods used to secure an Application Programming Interface (API) from malicious exploits, unauthorized access, and other potential cyber threats. It involves a broad range of practices such as authentication, authorization, encryption, and input validation to safeguard the API. The goal is to ensure that only authorized entities can interact with the API and that they can only perform actions that align with their granted permissions. API security is about managing the risks associated with exposing APIs, which are the critical interfaces that connect systems, services, and data.

On the other hand, API protection encompasses API security but also extends beyond it. While API security is more focused on preventing unauthorized access and malicious attacks, API protection involves a more holistic view of maintaining the integrity, availability, and performance of APIs. In addition to API security, it includes two other key components:

  1. Discovery – Detecting all APIs using both inside-out and outside-in methods to know exactly where we need to apply API security tools.
  2. Threat Protection – Once threats are detected, stop them in their tracks natively without relying on a third-party solution such as a WAF. It includes measures to protect against threats such as Denial of Service (DoS) attacks, rate limiting to manage the number of requests an API can handle, and continuous monitoring to detect any unusual activities or anomalies.
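The rate limiting and continuous monitoring named in the threat-protection component above, as an added example that is not code from the original post or from any vendor product: a per-client token bucket that caps request bursts (the API would answer a rejected request with HTTP 429), followed by a monitoring pass that surfaces clients who keep hitting the limit. Timestamps are passed in explicitly so the limiter is deterministic; the bucket parameters, the client ids and the traffic are constructed for the example.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: up to `capacity` requests in a burst, refilled at
    `refill_per_sec` tokens per second. The caller supplies the clock."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = {}  # client -> remaining tokens
        self.last = {}    # client -> time of last refill

    def allow(self, client: str, now: float) -> bool:
        tokens = self.tokens.get(client, float(self.capacity))
        last = self.last.get(client, now)
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        self.last[client] = now
        if tokens >= 1.0:
            self.tokens[client] = tokens - 1.0
            return True
        self.tokens[client] = tokens
        return False


def run_limiter(limiter: TokenBucket, requests):
    """requests: iterable of (timestamp, client_id). Returns {client: (allowed, rejected)}."""
    counts = defaultdict(lambda: [0, 0])
    for ts, client in requests:
        counts[client][0 if limiter.allow(client, ts) else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}


def flag_for_review(counts, min_rejected=5):
    """Monitoring step: clients that are repeatedly throttled are the anomalies an
    operator should look at (scraping, enumeration, credential stuffing)."""
    return sorted(c for c, (_, rejected) in counts.items() if rejected >= min_rejected)


# Constructed traffic: one client bursting, one client sending a steady 1 req/s.
SAMPLE_REQUESTS = (
    [(0.0, "burst")] * 10            # ten requests in the same instant
    + [(3.0, "burst")] * 4           # four more after three seconds of refill
    + [(float(t), "steady") for t in range(10)]
)


if __name__ == "__main__":
    counts = run_limiter(TokenBucket(capacity=5, refill_per_sec=1.0), SAMPLE_REQUESTS)
    print(counts)                 # {'burst': (8, 6), 'steady': (10, 0)}
    print(flag_for_review(counts))  # ['burst']
```

With a capacity of 5 and a refill of one token per second, the bursting client gets 5 of its first 10 requests through, earns 3 tokens back by the three-second mark, and is rejected 6 times overall, while the steady client is never throttled. Keying the bucket on an authenticated client id rather than only on source IP is what keeps the limit meaningful against distributed traffic.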

Furthermore, API protection includes managing the API lifecycle, versioning, and deprecation to ensure that the APIs continue to serve their intended purpose without disruption. It also deals with the quality of the APIs, ensuring that they are robust, reliable, and efficient. API Protection takes into account not just security but also the overall health and performance of APIs.


What Are API Endpoints and Why Are They Important?

APIs and API endpoints are closely related, but aren’t exactly the same. A common metaphor suggests that APIs are like waiters at a restaurant, and API endpoints are like menu items. You look at the menu (the API specification which lists each function/endpoint of the API), tell the waiter (the API) what you want to eat (the data you want retrieved, process you’d like executed, etc.) and the waiter puts in your order with the kitchen (backend processes). So, APIs provide access to systems, and the endpoints provide access to specific functions of those systems.

In the context of security, discrete API endpoints enable access to certain functions of a system without providing blanket access to the system as a whole. This is especially important in the era of agentic AI, as you want to provide only specified access to backend systems.

Many organizations struggle with shadow and zombie APIs. Shadow APIs are those that are unknown and unmanaged by IT, while zombie APIs are leftover or forgotten APIs. Both can be security concerns as attackers can find them and exploit them.
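One way a discovery and inventory step can surface shadow and zombie APIs, as an added example that is not code from the original post or from Cequence: documented operations from a constructed OpenAPI-style spec are compared against constructed observed traffic. Traffic with no documented counterpart is classed as shadow; traffic that only matches a documented operation under a different version prefix is classed as zombie (a leftover version still answering); documented operations with no traffic are listed as retirement candidates. The spec, the traffic, and the version heuristic are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed OpenAPI-style inventory for a hypothetical service: the endpoints
# the owning team believes are exposed.
OPENAPI_SPEC = {
    "paths": {
        "/api/v2/users/{id}": {"get": {}},
        "/api/v2/orders": {"get": {}, "post": {}},
        "/api/v2/orders/{id}": {"get": {}},
        "/api/v2/reports/export": {"get": {}},
    }
}

# Constructed (method, path) pairs as a network-based discovery tool would observe them.
OBSERVED = [
    ("GET", "/api/v2/users/42"),
    ("GET", "/api/v2/orders"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/1001"),
    ("GET", "/api/v1/users/42"),        # retired version still answering
    ("GET", "/api/v2/users/42"),
    ("DELETE", "/api/v2/orders/1001"),  # documented path, undocumented method
    ("GET", "/internal/debug/config"),  # never in any spec
]

VERSION_RE = re.compile(r"/v\d+/")


def spec_to_regex(template: str):
    """Turn a path template such as /api/v2/users/{id} into a regex in which
    each {param} matches exactly one path segment."""
    parts = []
    for seg in template.split("/"):
        parts.append("[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def _strip_version(path: str) -> str:
    """Normalize /v1/, /v2/, ... to /vX/ so versions can be compared structurally."""
    return VERSION_RE.sub("/vX/", path)


def classify(spec, observed):
    """Compare documented operations with observed traffic.

    in_use:            documented (method, template) with traffic, plus request count
    zombie:            undocumented traffic matching a documented operation under a
                       different API version
    shadow:            undocumented traffic with no documented counterpart
    unused_documented: documented operations with no traffic (retirement candidates)
    """
    documented = {}
    for template, ops in spec["paths"].items():
        rx = spec_to_regex(template)
        for method in ops:
            documented[(method.upper(), template)] = rx
    in_use, zombie, shadow = Counter(), Counter(), Counter()
    for method, path in observed:
        match = next((k for k, rx in documented.items() if k[0] == method and rx.match(path)), None)
        if match is not None:
            in_use[match] += 1
            continue
        is_old_version = any(
            k[0] == method and spec_to_regex(_strip_version(k[1])).match(_strip_version(path))
            for k in documented
        )
        (zombie if is_old_version else shadow)[(method, path)] += 1
    unused = sorted(k for k in documented if in_use[k] == 0)
    return {"in_use": dict(in_use), "zombie": dict(zombie), "shadow": dict(shadow),
            "unused_documented": unused}


if __name__ == "__main__":
    for bucket, items in classify(OPENAPI_SPEC, OBSERVED).items():
        print(bucket, items)
```

The useful output is the two undocumented buckets: the zombie entry points at a version that should have been retired, and the shadow entries (an undocumented DELETE on a documented path, and an internal debug path) are exactly what an external attack-surface scan would find before the security team does.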

How Can You Protect Third-Party APIs and Internal APIs?

Most people assume that if APIs aren’t public-facing, they’re safe. However, internal APIs (for communication between software within the company) and third-party APIs (for communication with partners and other outside parties) can still be subject to abuse such as supply chain attacks. Securing these APIs requires comprehensive API discovery, which is best handled with a network-based approach that can detect any API traffic. This approach can also identify API risks and vulnerabilities and flag them for remediation. Discovering and securing third-party and internal APIs is a critical part of unified API protection.

What are API Security Best Practices and Strategies?

APIs have become an integral part of modern software development, enabling seamless integration and communication between various applications, services, and platforms. As the reliance on APIs grows, so does the need for robust API security measures to protect sensitive data and ensure the overall stability of digital ecosystems. Below are some details on the key components of effective API security, best practices, and steps to create a comprehensive API security strategy.

Key components of effective API security include:

  • API Discovery and Inventory
  • API Risk and Threat Detection
  • API Risk Remediation and Threat Mitigation

API security best practices

  • Implement Strong Authentication and Authorization
  • Detect attacks on both managed and unmanaged APIs
  • Apply Rate Limiting and Throttling
  • Encrypt Data in Transit and at Rest
  • Validate Input Data and Use Parameterized Queries
  • Regularly Monitor and Audit API Inventory and Activity
  • Keep APIs Updated and Patched

Building a comprehensive API security strategy

  • Creating an API Security Inventory
  • Performing risk and compliance analysis on APIs
  • Creating an API Security Policy
  • Integrating Security into the API Development Lifecycle
  • Conducting Regular Security Assessments and Penetration Testing
  • Detecting and stopping live API attacks
  • Ensuring Continuous Improvement and Adaptation

Author

Jeff Harrell

Director of product marketing

Jeff Harrell is the director of product marketing at Cequence and has over 20 years of experience in the cybersecurity field. He previously held roles at McAfee, PGP, Qualys, and nCircle, and co-founded the company that created the first commercial ad blocker.
