According to the State of API Security Report by Salt Security, 99% of companies have experienced at least one API security issue in the past 12 months, and 55% have delayed the release of new applications due to concerns related to their exposure. These figures clearly show why protecting application interfaces has become a systemic challenge, capable of influencing business decisions.
In this article, we take an in-depth look at API Security: what it is, why it has become so central to modern cybersecurity strategies, what the main threats are, and, most importantly, which practices to adopt to fully leverage the benefits of APIs while mitigating their risks.
Benefits and Risks of APIs
In today’s application landscape, APIs represent the backbone of interoperability between services, systems, and platforms.
Whether exposed externally or used to orchestrate microservices, application interfaces are everywhere: from mobile apps to e-commerce platforms, from payment systems to banking services, all the way to IoT devices. Research conducted by Akamai several years ago estimated that 83% of internet traffic was generated by API calls; it would not be surprising if today that percentage has well exceeded 90%.
It is precisely the ubiquity of APIs, combined with their central role in managing and transmitting application data, that makes them a primary target for attackers. APIs are not simple integration points, but the channel through which requests, identities, authorizations, and sensitive information flow. Attacking them means gaining direct access to the core of digital systems: compromising data, obtaining unauthorized privileges, altering application behavior, or disrupting operations.
API Security: threats to defend against
Once it is clear why protecting APIs is essential, it is equally important to understand what they must be protected from. By their very nature, APIs are designed to be exposed, accessible, and easily integrable, creating fertile ground for malicious actors.
Like any software component, APIs are not immune to vulnerabilities. Design flaws, rushed implementations, or suboptimal configurations can introduce weaknesses that, once identified, are quickly exploited. Let’s look at three emblematic cases.
Weak Authentication and Authorization
Among API vulnerabilities, one of the most common concerns is weak or incomplete authentication and authorization mechanisms. In the absence of strict controls, an attacker can exploit compromised tokens or manipulate requests to query the system and gain access to resources or data they should not be able to see. This type of attack is particularly insidious because it does not require sophisticated techniques.
Automated Attacks (DDoS)
Another layer of risk is represented by automated attacks, which use APIs as a channel for scraping activities, fraud, or abnormal resource consumption. DDoS attacks, in particular, consist of generating large volumes of requests to APIs with the goal of progressively (or instantly) saturating available resources. The targeted service is not necessarily taken offline, but slowed down and made unstable, with a direct impact on application performance and user experience.
Lack of Visibility into the API Ecosystem
There is also a less obvious but equally dangerous threat: the lack of visibility and control over the API ecosystem. In complex and rapidly evolving environments, made up of hundreds or thousands of APIs developed at different times and with different methodologies, it is easy for some APIs to remain active beyond their lifecycle or to be insufficiently documented and monitored. These shadow APIs become ideal entry points for those looking to exploit known vulnerabilities or neglected configurations.
API Security: How to strengthen it in 5 steps
Protecting APIs does not mean adding a single control or adopting one security tool. Rather, it is a discipline that should accompany APIs throughout their entire lifecycle: from design to development, from production deployment to decommissioning. In other words, security must be integrated by design.
Visibility: Knowing your API Ecosystem
The first requirement of a solid strategy is visibility. An organization must know how many APIs are in production, where they are exposed, what data they handle, and which systems or users consume them. This applies both to documented APIs and to those created informally or left active beyond their original purpose.
Knowing your API ecosystem means clearly understanding the criticality level of each API: some are purely informational, others enable transactions, payments, or access to sensitive data. A comprehensive view must also map dependencies, communication flows, and usage contexts, both internal and external to the organization.
Integrating Protection into Development
An effective API security strategy takes shape in the earliest stages of development. Even before writing code, teams need to be fully aware of the most common threats, referring to internationally recognized frameworks such as the OWASP API Security Top 10. This allows specialists to design APIs robustly, avoiding architectural mistakes and well-known vulnerabilities from the outset—issues that become difficult and costly to fix once they reach production.
Once the relevant threats have been identified, secure coding practices and security controls must be integrated throughout the development lifecycle. Automated testing, request validation, checks on authentication and authorization mechanisms, as well as controls on the correct data exposure by endpoints, must become an integral part of development and release workflows.
Governance: Defining and Enforcing Consistent Policies
In the context of API security, governance means defining granular and consistent policies that regulate the entire API lifecycle.
In this regard, authentication and authorization policies are fundamental: who can access a given API, with which credentials, for how long, and with which privileges. These are complemented by data access policies, which determine what information can be exposed and in which contexts, rigorously applying the principle of least privilege. Other relevant measures include rate limiting—the mechanism that restricts the number of requests allowed within a given time frame to prevent abuse and automated attacks—and version management, which is essential to avoid obsolete APIs from remaining exposed without adequate protections.
The Right Tools: the Key Role of the API Gateway
Tools also play a decisive role in an effective defense strategy, and the API Gateway is the starting point. The gateway serves as the entry point through which requests to APIs are passed, performing control, routing, and mediation functions between clients and application services.
It is precisely at this level that many of the policies defined by governance are enforced. These controls help reduce ecosystem complexity while ensuring a consistent and uniform level of security.
Continuous Monitoring: from Prevention to Resilience
Even the best prevention strategy does not eliminate risk. For this reason, analyzing API traffic in real time makes it possible to identify anomalous behavior, abuse attempts, and suspicious patterns that escape static controls.
Monitoring is not only about request volume, but above all about behavior: unusual call sequences, access to uncommon resources, sudden changes in volumes, or in the endpoints being used. This observation capability is crucial for detecting stealthy attacks that leverage legitimate APIs to move laterally within systems.
Kirey: leveraging API ecosystems safely and sustainably
At Kirey, we support organizations in digital transformation journeys aimed at strengthening their competitiveness, without losing sight of the risks introduced by transformation itself.
API security represents the perfect intersection of two of Kirey’s core areas of expertise. On one side, software development and lifecycle management based on modern paradigms, such as cloud-native architectures, microservices, and advanced integrations; on the other, a vision of cybersecurity as the foundation of every digital solution, rather than an ancillary or subsequent activity.
It is from the combination and synergy of these capabilities that we can help enterprises enhance their API ecosystems, turning them into a true enabler of new digital services, competitiveness, and innovative business models.
Contact us to discover how we can support you on this journey.
