Skip to main content
API Security:
"
},
"elements Application Security Pillar
API Security:
Protect Your Digital Attack Surface
APIs carry more business logic and sensitive data than any other interface. They are also the most attacked. This guide covers the OWASP API Top 10, authentication architecture, shadow API governance, penetration testing, and compliance -- sourced from NIST, OWASP, and industry research.
150B
API Attacks Globally
84%
Orgs With API Incidents
$87B
Annual Global Cost
10x
More Data Leaked vs Traditional
The Foundation
What Is API Security?
API security is the practice of protecting application programming interfaces from exploitation, misuse, and unauthorized access. APIs serve as the connective tissue between applications, microservices, cloud infrastructure, and third-party integrations. When an API is compromised, attackers gain direct access to backend systems and the data they process.
Unlike traditional web application attacks that exploit rendering logic or browser behavior, API attacks target business logic, authorization models, and data exposure at the programmatic layer. A single misconfigured endpoint can expose millions of records without triggering a traditional web application firewall.
Who Needs This
Why This Matters Now
84% of organizations experienced an API security incident in the past 12 months -- the third consecutive year of increases. The average remediation cost in the US is $591,000 per incident. API breaches leak 10x more data than traditional web application breaches. As organizations adopt microservices, AI agents, and third-party integrations, the API attack surface expands faster than security teams can inventory it.
Key Concepts
API security spans authentication (proving identity), authorization (enforcing access), input validation (preventing injection), rate limiting (stopping abuse), encryption (protecting data in transit), and governance (knowing what APIs exist). This page covers each domain with practitioner-level depth.
Threat Intelligence
The API Threat Landscape
Industry research from Akamai, Traceable AI, and Imperva quantifies the scale of API attacks. These numbers represent verified incidents, not theoretical risk.
150B
API attacks observed globally (2023-2024)
Akamai State of the Internet
84%
Organizations experienced API incidents (3rd year increase)
Traceable AI State of API Security
$591K
Average US remediation cost per API incident
Traceable AI / Ponemon Institute
27%
Know which APIs return sensitive data
Traceable AI Survey
$943K
C-suite estimated average cost per incident
Traceable AI Executive Survey
$832K
Financial services average remediation cost
Industry Vertical Report
50%
Enterprise API traffic from shadow (undocumented) APIs
Shadow API Research
12x
Increase in AI-related API vulnerabilities (2024)
Wallarm API ThreatStats
Risk Framework
OWASP API Security Top 10 (2023)
The industry standard classification of API vulnerabilities. Each risk includes a real-world breach example. Click any risk to expand details.
API1
Broken Object Level Authorization (BOLA)
Critical
+ Expand
API2
Broken Authentication
Critical
+ Expand
API3
Broken Object Property Level Authorization
Critical
+ Expand
API4
Unrestricted Resource Consumption
High
+ Expand
API5
Broken Function Level Authorization
Critical
+ Expand
API6
Unrestricted Access to Sensitive Business Flows
High
+ Expand
API7
Server-Side Request Forgery (SSRF)
High
+ Expand
API8
Security Misconfiguration
High
+ Expand
API9
Improper Inventory Management
High
+ Expand
API10
Unsafe Consumption of APIs
High
+ Expand
Glossary
Key API Security Terms
Essential terminology for security practitioners, developers, and executives. Each term links to deeper coverage in the Security Hub glossary.
BOLA (Broken Object Level Authorization)
A vulnerability where an API fails to verify that the requesting user is authorized to access a specific object. The #1 API risk. Attackers enumerate object IDs to access other users' data.
Shadow API
An undocumented, untracked API endpoint that exists outside the organization's IT governance. Shadow APIs lack authentication, rate limiting, and input validation because security teams don't know they exist.
Zombie API
A deprecated API endpoint that was never fully decommissioned. It remains live on legacy load balancers or partner integrations and may expose old vulnerabilities that have been patched in current versions.
OAuth 2.1
The next-generation authorization framework that consolidates a decade of security best practices into mandatory requirements. Eliminates implicit flow and password credentials, requires PKCE for all clients.
PKCE (Proof Key for Code Exchange)
A security extension to the OAuth authorization code flow. The client generates a cryptographic verifier, proving it initiated the request. Prevents authorization code interception attacks. Mandatory in OAuth 2.1.
API Gateway
A centralized entry point that manages north-south traffic (external clients to internal services). Handles authentication, rate limiting, request routing, and schema validation at the network edge.
Service Mesh
An infrastructure layer managing east-west traffic (service-to-service) inside a microservices architecture. Uses sidecar proxies for mTLS encryption, traffic shaping, and observability without modifying application code.
mTLS (Mutual TLS)
Mutual Transport Layer Security requires both client and server to authenticate with certificates. NIST SP 800-204 mandates mTLS for internal service communication to prevent API gateway bypass attacks.
Rate Limiting
Restricting the number of API requests a client can make within a time window. Prevents brute-force attacks, credential stuffing, resource exhaustion, and automated abuse of business-critical flows.
JWT (JSON Web Token)
A compact, self-contained token format for stateless authentication. Best practice: short lifespans (15-30 minutes), refresh token rotation, RS256 or ES256 signing algorithms, and never storing sensitive data in the payload.
Authentication & Architecture
Securing the API Layer
Authentication proves identity. Authorization enforces access. Architecture determines whether attackers can bypass both. Explore the three pillars of API security architecture.
OAuth 2.1: Mandatory Security Upgrades
IETF Draft-15 (Stable) · Replaces OAuth 2.0 Implicit & ROPC Flows
OAuth 2.1 consolidates a decade of security best practices into mandatory requirements. It breaks backward compatibility in several places -- intentionally. Organizations still running implicit grants or optional PKCE are exposed to attack vectors that OAuth 2.1 specifically closes.
Removed: Implicit Flow
Tokens were exposed in browser URLs. All clients now use Authorization Code + PKCE.
Removed: Password Credentials
Apps can no longer collect user passwords directly. Use authorization code flow instead.
Required: PKCE for All Clients
Proof Key for Code Exchange prevents authorization code interception. No longer optional.
Required: Exact Redirect URI
No wildcards, no partial matches. Every redirect URI must be explicitly registered.
Required: Tokens Out of URLs
Access tokens must be in Authorization headers or POST bodies. Never in query strings.
Required: Refresh Token Rotation
Each use issues a new refresh token and invalidates the old one. Limits stolen token damage.
API Gateway: The Front Door
North-South Traffic Management · Edge Security Layer
An API gateway sits at the network edge, managing all communication between external clients and internal services. It provides centralized authentication, rate limiting, schema validation, and request routing before traffic reaches backend services.
Traffic Direction
North-South: external clients to internal services
Core Functions
Authentication, rate limiting, request routing, schema validation, API versioning
When to Use
Exposing services to external clients, monetizing APIs, enforcing perimeter security
Protocol Support
HTTP/HTTPS primary. Some support WebSockets, gRPC, GraphQL
Service Mesh: The Internal Network
East-West Traffic Management · Sidecar Proxy Architecture
A service mesh manages internal service-to-service communication using sidecar proxies (like Envoy) deployed alongside each microservice. It enforces mTLS encryption, provides observability, and handles traffic shaping without modifying application code.
Traffic Direction
East-West: service-to-service within microservices architecture
Core Functions
mTLS, service discovery, traffic shaping, retries, circuit breaking, observability
When to Use
Complex microservices requiring fine-grained internal traffic control and deep observability
NIST SP 800-204
Mandates mTLS for internal communication. Recommends centralized policy with embedded PDP via sidecar
Zero Trust API Architecture
Gateway + Mesh Combined · NIST SP 800-204 Guidance
In a zero trust architecture, the API gateway and service mesh work together. The gateway secures the perimeter from outside threats, while the mesh ensures that if the perimeter is breached, the internal network remains secure. Every request is authenticated and authorized, regardless of source.
Gateway Bypass Prevention
mTLS on all internal calls ensures compromised services can't pivot laterally without valid certificates
Embedded PDP Pattern
Access control rules managed centrally, deployed locally via sidecar proxy for low-latency, in-memory evaluation
Authorization Models
RBAC (role-based) + ABAC (attribute-based) for fine-grained, context-aware access decisions
Policy Engine
Open Policy Agent (OPA) for externalized, auditable authorization rules across large environments
Secure Development
API Producer Lifecycle: 8 Security Stages
A governed API follows a strict lifecycle where security travels with the workflow from conception to retirement. Each stage is a checkpoint for threat resilience and data confidentiality.
1
Define
Establish operational, business, and security requirements. Express security requirements with the same rigor as functional stories.
+ Expand
2
Design
Standardize architecture patterns and conduct threat modeling. Map trust boundaries, privilege levels, and input sources through data flow diagrams.
+ Expand
3
Develop
Apply OWASP secure coding standards. Enforce input validation, type safety, and IDE security plugins to catch issues early.
+ Expand
4
Test
Run SAST, DAST, and IAST across the API surface. Contract tests ensure APIs don't deviate from their design specification.
+ Expand
5
Secure
Dedicated vulnerability scanning phase. Validate authentication logic and scan for OWASP API Top 10 weaknesses across the full API landscape.
+ Expand
6
Deploy
Route through CI/CD pipelines and API gateways. Every batch of changes is tested and secured before reaching a consumer.
+ Expand
7
Observe
Continuous runtime monitoring and alerting. Detect anomalies before they negatively impact partners or customers.
+ Expand
8
Distribute
Publish to centralized, authenticated API catalogs. Reduce API sprawl and the risk of unmanaged shadow APIs.
+ Expand
API Governance
Shadow APIs, Zombie APIs & the Governance Gap
Organizations with formalized API governance experience 70% fewer shadow API incidents. The maturity model below shows where your program stands and where it needs to go.
The Hidden Attack Surface
Shadow APIs are undocumented endpoints that bypass formal security review. They lack authentication, rate limiting, and input validation. 50% of enterprise API traffic flows through shadow endpoints.
Zombie APIs are deprecated endpoints that were never fully decommissioned. They remain live on legacy load balancers and expose old vulnerabilities patched in current versions. 31% of malicious API attacks target shadow and zombie endpoints.
Shadow API Risk Maturity Model
Level 0-1
Unaware / Reactive
No API inventory exists. Shadow APIs are discovered only after incidents. Discovery relies on manual inspection and tribal knowledge. No registration or approval policies.
Level 2-3
Emerging / Managed
Basic cataloging starts. Traffic analysis detects some unmanaged endpoints. Security scans validate auth and encryption. Central inventory, versioning rules, and registration policies are implemented.
Level 4-5
Advanced / Optimized
Continuous mapping and governance dashboards ensure near-zero unmanaged APIs. Automated discovery in CI/CD catches shadow APIs before production. Real-time compliance scoring.
Governance KPIs to Track
MTTD: Mean Time to Detection for new endpoints. Shadow API Coverage Ratio: % total APIs inventoried vs discovered. Inventory Completeness Score: % APIs with owners, docs, and controls. MTTR: Days from detection to secure/deprecate.
Security Testing
API Penetration Testing Methodology
API pentesting simulates real-world attacks across five phases: Reconnaissance, Scanning, Vulnerability Assessment, Exploitation, and Reporting. Three access levels determine depth and approach.
Access Level
Black Box
No prior knowledge or documentation. Testers rely on reconnaissance, dictionary attacks to enumerate routes, and searching for exposed swagger.json files or subdomains.
- Route enumeration via wordlists
- Exposed OpenAPI/Swagger discovery
- Subdomain and endpoint fuzzing
- Authentication bypass testing
Access Level
Grey Box
Provided with API documentation (OpenAPI/Swagger) and test accounts. Deep analysis of roles, BOLA testing, and Server-Side Request Forgery (SSRF) validation.
- Role-based access control testing
- BOLA and BFLA exploitation
- SSRF and injection testing
- Business logic abuse scenarios
Access Level
White Box
Full source code and environment access. Code review to find improper authorization decorators, hardcoded secrets, command injection, and insecure deserialization.
- Source code review for auth flaws
- Hardcoded secret detection
- Dependency vulnerability analysis
- Complete coverage guarantee
DevSecOps Integration
SAST analyzes source code without executing it -- catches risky code paths, unvalidated inputs, and hardcoded secrets during development. DAST interacts with the running API from outside -- finds injection points, authentication bypasses, and configuration errors in staging/production. SCA identifies vulnerable open-source dependencies. All three should run automatically in CI/CD pipelines, blocking vulnerable deployments before they reach production.
Regulatory Landscape
API Security Compliance Requirements
Regulations increasingly hold organizations accountable for API security. Non-compliance after an API breach compounds financial damage with regulatory fines.
PCI DSS
Version 4.0 · Payment Card Industry
Mandates strong cryptographic protections, rigorous access controls, and regular API penetration testing for APIs handling cardholder data.
- TLS 1.2+ encryption for all API traffic
- Regular API penetration testing
- Input validation and rate limiting
- Secure endpoint configuration audit
HIPAA
Health Insurance Portability · ePHI Protection
Requires continuous risk analysis for APIs processing electronic Protected Health Information. Enforces encryption, access controls, and tamper-proof audit logging.
- OAuth 2.0 / OpenID Connect authentication
- RBAC and ABAC access controls
- Tamper-proof audit logs for all data access
- Business Associate Agreements for API vendors
GDPR / CCPA
Article 32 · Data Protection by Design
Mandates regular security testing, data minimization in API responses, and privacy-enhancing technologies like tokenization and pseudonymization.
- Data minimization in API responses
- Support for data erasure requests
- Tokenization / pseudonymization of PII
- Comprehensive logging for audit trails
Compliance Mapping
API Security & Compliance Controls
How API security maps to the compliance frameworks your organization is audited against.
PCI DSS v4.0
Requirement 6: Develop and maintain secure systems and software. Covers API input validation, authentication, and secure coding.
Requirement 2: Apply secure configurations, including API gateway hardening.
Requirement 7: Restrict access to system components — applies to API authorization controls.
Requirement 11: Test security regularly — includes API penetration testing.
Requirement 2: Apply secure configurations, including API gateway hardening.
Requirement 7: Restrict access to system components — applies to API authorization controls.
Requirement 11: Test security regularly — includes API penetration testing.
SOC 2
CC6.1: Logical access controls — API authentication and authorization mechanisms.
CC6.6: System boundaries — API gateway as the system boundary enforcement point.
CC6.7: Data transmission — TLS/mTLS for API communications.
CC7.1: Monitoring — API traffic monitoring and anomaly detection.
CC6.6: System boundaries — API gateway as the system boundary enforcement point.
CC6.7: Data transmission — TLS/mTLS for API communications.
CC7.1: Monitoring — API traffic monitoring and anomaly detection.
ISO 27001:2022
A.8.9: Configuration management — API gateway and service mesh configurations.
A.8.24: Use of cryptography — API token encryption and TLS requirements.
A.8.25: Secure development lifecycle — API design reviews and security testing.
A.8.26: Application security requirements — API input validation and output encoding.
A.8.24: Use of cryptography — API token encryption and TLS requirements.
A.8.25: Secure development lifecycle — API design reviews and security testing.
A.8.26: Application security requirements — API input validation and output encoding.
NIST CSF 2.0
PR.AA: Identity management, authentication, and access control for API consumers.
PR.DS: Data security — API data-in-transit and at-rest protections.
PR.PS: Platform security — API gateway and infrastructure hardening.
DE.CM: Continuous monitoring — API traffic analysis and threat detection.
PR.DS: Data security — API data-in-transit and at-rest protections.
PR.PS: Platform security — API gateway and infrastructure hardening.
DE.CM: Continuous monitoring — API traffic analysis and threat detection.
Career Development
API Security Certifications
Certifications that validate API security expertise across penetration testing, DevSecOps, and application security domains.
Practical DevSecOps
Certified API Security Professional (CASP)
Focused entirely on securing and auditing REST, GraphQL, and SOAP APIs against the OWASP API Top 10. Hands-on browser-based labs.
EC-Council
Certified Penetration Testing Professional (CPENT AI)
Advanced penetration testing covering networks, APIs, and AI-augmented testing phases. 110+ hands-on labs across 5 multi-disciplinary ranges.
Practical DevSecOps
Certified DevSecOps Professional (CDP)
Embeds API security scanning (SAST, DAST, SCA) into CI/CD workflows. Covers secure SDLC integration and Security as Code practices.
EC-Council
Web Application Hacking & Security (W|AHS)
Trains developers and security professionals on secure coding practices and mitigating web and API vulnerabilities with hands-on methodology.
Deep Dives
API Security Articles
Practitioner-written guides covering specific API security domains in depth. Built from verified sources, not vendor whitepapers.
OWASP API Top 10 Explained: What Every Developer Needs to Know
Plain-language breakdown of all 10 API risks with code examples, real breaches, and fix checklists for each vulnerability class.
OAuth 2.1 Migration Guide: Breaking Changes and Implementation Steps
Practical migration plan from OAuth 2.0 to 2.1. Covers PKCE enforcement, redirect URI hardening, refresh token rotation, and SPA-specific guidance.
Zero Trust API Architecture with NIST SP 800-204
Deploying API gateways and service meshes together. mTLS enforcement, embedded PDP patterns, and Open Policy Agent for microservices authorization.
Shadow API Discovery: A CISO's Guide to the Hidden Attack Surface
Building a shadow API discovery program. Maturity model assessment, CI/CD integration, governance KPIs, and the path from Level 0 to Level 5.
API Penetration Testing: Black Box, Grey Box, and White Box Methodology
Complete API pentesting methodology across all three access levels. Tool recommendations, BOLA exploitation walkthrough, and CI/CD integration for automated security testing.
API Security Compliance: PCI DSS, HIPAA, and GDPR Requirements
Mapping compliance frameworks to API security controls. Checklist-driven guide for organizations processing payment, health, or personal data through APIs.
Application Security Pillar
Start Securing Your API Attack Surface
Explore the full Application Security pillar -- API security, OWASP Top 10, secure coding, and DevSecOps integration. Practitioner resources, no sales pitch.
Sources Informing This Page
OWASP API Security Top 10 (2023)
NIST SP 800-204
Akamai State of the Internet
Traceable AI State of API Security
OAuth 2.1 (IETF Draft-15)
NIST SSDF SP 800-218
PCI DSS v4.0
OWASP SAMM
Related Pillars
Continue Your Journey
API security connects to identity management, compliance, and incident response. These pillars complement what you've learned here.
More from TJS