Rupesh Chokshi is Senior Vice President and General Manager of Akamai's Application Security Portfolio.
Your application programming interfaces (APIs) are under attack from all sides. Given this fact, API protection is a constant, like protecting your home from water damage or the ongoing battle against ants getting in your home.
If you haven’t yet been targeted, it may only be a matter of time. In an Akamai survey of security professionals in the U.S., U.K. and Germany, 84% of respondents experienced an API security incident in the 12 months before the survey was conducted, which was between June 2023 and July 2024. The average cost to remediate API incidents in the U.S. exceeded $591,000, with the financial services sector the hardest hit. When these attacks result in breaches that compromise customers’ sensitive personal information, the cost to a company’s reputation can be incalculable. Can you afford to take that risk?
Many of these attacks target vulnerabilities cited in the Top 10 Web Application Security Risks and Top 10 API Security Risks identified by OWASP (Open Worldwide Application Security Project). These range from missing authentication and access controls to exposed business flows and misconfigurations in third-party integrations. Indeed, our survey of security professionals found that only 27% of respondents know which APIs return the sensitive data that attackers seek.
We’re also seeing an increase in sophisticated business logic attacks, where bad actors exploit flaws in application design and implementation. APIs are a common vector for these attacks, which are often used to extract valuable data. In addition, we’ve seen an increase in bots targeting APIs, dramatically expanding the attacker’s ability to probe across an entire infrastructure to exploit a vulnerability.
You can’t choose which attacks come your way. Attackers don’t wait for an invitation, so your defenses need to cover every possible angle.
Layers Of Defense
So, what does a multilayered API security strategy look like? What are the essential elements?
A web application firewall (WAF) is the first layer of defense. It monitors traffic to and from a web application, looking for potential threats listed in the public Common Vulnerabilities and Exposures (CVE) database. This helps protect against common web application attacks while meeting basic compliance requirements. However, WAF security controls and policies can quickly become outdated. This can create a flood of alerts that overwhelms security teams and makes it impossible to differentiate false positives from actual attacks.
Web application and API protection (WAAP) takes WAF protection further, covering both front-end applications and the back-end APIs they rely on. The most effective WAAP solutions are self-tuning, automatically analyzing security triggers—both actual attacks and false positives—to develop policy-specific tuning recommendations, addressing a key weakness of WAFs.
The next level of defense is an API gateway. In addition to handling traffic routing duties, an API gateway enforces security policies around access control. Because it acts as a central point of entry to APIs, it’s critical that the gateway is configured to enforce robust security policies for authentication, encryption, rate limiting and other factors that help prevent API abuse and common attack techniques, such as denial-of-service (DoS) attacks.
Finally, there’s a comprehensive API security layer. This is focused on providing full visibility into your entire API estate with continuous discovery and analysis. It includes looking for APIs that might not be behind a WAAP or gateway. This is critical because new APIs are continuously being deployed. A complete, up-to-date inventory of APIs—including “rogue” APIs deployed without proper security controls—is essential to identify and rectify vulnerabilities before they’re exploited.
API security analysis also provides important contextual insights. With a comprehensive view of API activity, you can spot suspicious behaviors, malicious bots, data leakage and other threats associated with business logic abuse. Working with a partner with access to API activity data and analysis across the internet can enhance this ability, highlighting trends that inform proactive decisions to strengthen your security posture.
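The discovery and sensitive-data visibility described in the two paragraphs above, as an added example that is not part of the original article: a small Python audit that compares a constructed API inventory against constructed access-log lines, flagging routes seen in traffic but missing from the inventory ("rogue" APIs), routes reached without passing through the gateway hosts, and inventoried sensitive-data routes that are actually being hit. The inventory, host names, routes and log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory: documented API routes and whether each returns
# sensitive personal data (the page notes few teams know which ones do).
INVENTORY = {
    "GET /v1/users/{id}": {"sensitive": True},
    "GET /v1/orders/{id}": {"sensitive": False},
    "POST /v1/orders": {"sensitive": False},
}

# Constructed hosts that front APIs with the WAAP/gateway layer.
GATEWAY_HOSTS = {"gw-edge-1", "gw-edge-2"}

# Constructed access-log lines: "<source host> <method> <path> <status>".
LOG_LINES = """\
gw-edge-1 GET /v1/users/1042 200
gw-edge-1 GET /v1/orders/77 200
gw-edge-2 POST /v1/orders 201
app-node-3 GET /v1/users/1042/export 200
app-node-3 GET /internal/debug/config 200
gw-edge-1 GET /v2/users/9 200
""".splitlines()

# Numeric path segments are collapsed to {id} so concrete requests match inventory routes.
ID_RE = re.compile(r"/\d+(?=/|$)")


def normalize(method, path):
    """Turn 'GET /v1/users/1042' into the inventory form 'GET /v1/users/{id}'."""
    return f"{method} {ID_RE.sub('/{id}', path)}"


def audit(inventory, log_lines):
    """Return (undocumented routes, routes served off-gateway, sensitive routes seen)."""
    seen = defaultdict(set)  # normalized route -> set of source hosts that served it
    for line in log_lines:
        src, method, path, _status = line.split()
        seen[normalize(method, path)].add(src)
    undocumented = sorted(r for r in seen if r not in inventory)
    bypassed = sorted(r for r, hosts in seen.items() if hosts - GATEWAY_HOSTS)
    sensitive_seen = sorted(r for r in seen if inventory.get(r, {}).get("sensitive"))
    return undocumented, bypassed, sensitive_seen


if __name__ == "__main__":
    for label, routes in zip(("undocumented", "off-gateway", "sensitive"), audit(INVENTORY, LOG_LINES)):
        print(f"{label}: {routes}")
```

Running the audit on the constructed data surfaces an export endpoint and a debug endpoint that appear in no inventory and are served directly by an application node, which is exactly the gap a discovery layer is meant to close.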
Security Synergy
The true power of a multilayered API security strategy is when all the elements work together harmoniously to create a defensive shield from the full variety of threats. For many organizations, this will mean partnering with technology providers to cover some of the layers. In fact, I view API security as a shared responsibility. Corporate security professionals have the responsibility to be aware of the threat to APIs and invest in the tools required to identify and mitigate potential vulnerabilities. By investing in the right tools and strategies, security teams can build trust, avoid breaches and safeguard their brand reputation.
APIs will continue to serve as the connective tissue that makes online services possible—and bad actors will continue to devise tactics to exploit them. Implementing a multilayered, defense-in-depth API security strategy is crucial to avoid finding your organization in deep trouble.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.