
API Security - Strategies for CISOs Amidst New Threats

CSO Online
Summary by CyberPings Editorial·AI-assisted·Reviewed by Rohit Rana

Basically, APIs are now a major target for cyberattacks, and companies need to secure them.

Quick Summary

APIs are becoming the new target for cyberattacks, prompting CISOs to rethink security strategies. With many organizations vulnerable, understanding API security is crucial. Effective governance and visibility are key to mitigating risks.

What Happened

Recent breaches indicate a significant shift in cyber threats, moving from traditional endpoints to application programming interfaces (APIs). This change is largely due to the growing use of APIs in modern software architectures. Sean Murphy, CISO at BECU, emphasizes that APIs have become the new perimeter of security. With many organizations relying on microservices, the number of APIs can range from hundreds to thousands, creating a larger attack surface for cybercriminals.

A 2025 report from Salt Security revealed that nearly one in three organizations experienced an API breach in the past year. These breaches often stem from misconfigured APIs, which attackers exploit using stolen credentials. Traditional security measures, such as endpoint detection and response (EDR) and web application firewalls (WAFs), frequently fail to detect these types of attacks, as they lack the necessary context to identify business-logic abuse.

Who's Being Targeted

Cybercriminals are increasingly targeting APIs because they connect critical systems and sensitive data. High-profile incidents, like the 2024 Optus breach, exposed millions of records due to broken API access controls. APIs are now viewed as a primary attack surface by many CISOs, as they often allow attackers to bypass traditional security measures. This trend is further exacerbated by the rise of agentic AI, which interacts with APIs, making them even more appealing to attackers.

Organizations that fail to maintain a proper inventory of their APIs are particularly vulnerable. A study found that 70% of enterprises only document 30% of their APIs, leaving many unmonitored and exposed. This lack of visibility can lead to significant security gaps, as developers may inadvertently create exploitable paths without realizing it.

Tactics & Techniques

The tactics employed in API attacks often involve exploiting business logic rather than traditional payload patterns. Attackers can use stolen tokens or credentials to perform legitimate-looking requests that manipulate API behavior. For instance, they might abuse long-lived tokens for financial APIs, blending their actions into normal traffic until damage occurs.

CISOs are recognizing that legacy defenses are insufficient against these new threats. Traditional security tools primarily focus on IP-based attack vectors and do not account for the complexities of API interactions. As a result, many organizations are adopting new strategies to enhance their API security, including governance frameworks and identity-aware security measures.

Defensive Measures

To combat API threats, CISOs are implementing comprehensive strategies that go beyond merely acquiring new tools. Organizations like BECU have established API governance structures that enforce policies across development teams. This proactive approach helps reduce misconfigurations, which are a leading risk in API security.

CISOs recommend cataloging all APIs, ensuring visibility into their usage, and applying strong identity and access controls. By treating APIs as critical infrastructure, organizations can better protect their digital assets. This includes practices such as limiting scopes, rotating credentials, and continuously reassessing trust levels. As the landscape of API security evolves, organizations must prioritize these measures to stay ahead of potential threats.
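
The inventory and credential checks described above, as an added example that is not from the original article or any organization it names: it compares a documented route list against gateway log lines and flags undocumented routes, tokens older than a lifetime policy, and wildcard-scoped tokens. The log format, route names, token ids and the one-hour policy are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed inputs: the documented API inventory and the token-lifetime policy.
DOCUMENTED = {("GET", "/v1/accounts/{id}"), ("POST", "/v1/transfers")}
MAX_TOKEN_AGE = timedelta(hours=1)

# Constructed gateway log lines (hypothetical format):
# request time, method, path, token id, token issued-at, granted scopes
SAMPLE_LOG = """\
2025-03-01T10:00:00Z GET /v1/accounts/1001 tok-a 2025-03-01T09:30:00Z accounts:read
2025-03-01T10:01:00Z POST /v1/transfers tok-b 2024-11-15T08:00:00Z transfers:write
2025-03-01T10:02:00Z GET /v1/internal/export/77 tok-a 2025-03-01T09:30:00Z accounts:read
2025-03-01T10:03:00Z GET /v1/accounts/1002 tok-c 2025-03-01T09:55:00Z *
"""

TS = "%Y-%m-%dT%H:%M:%SZ"


def route_template(path):
    """Collapse numeric path segments so /v1/accounts/1001 matches /v1/accounts/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def audit(log_text):
    """Return undocumented routes, over-age tokens and wildcard-scoped tokens."""
    findings = {"undocumented": set(), "stale_tokens": set(), "wildcard_tokens": set()}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than guess at their meaning
        seen, method, path, token, issued, scopes = fields
        route = (method, route_template(path))
        if route not in DOCUMENTED:
            findings["undocumented"].add(route)  # traffic to a route nobody catalogued
        if datetime.strptime(seen, TS) - datetime.strptime(issued, TS) > MAX_TOKEN_AGE:
            findings["stale_tokens"].add(token)  # token still in use past the policy
        if "*" in scopes.split(","):
            findings["wildcard_tokens"].add(token)  # scope not limited to a purpose
    return findings


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG).items():
        print(kind, sorted(items))
```

Each finding maps to one of the measures named above: undocumented routes to cataloging, over-age tokens to credential rotation, and wildcard tokens to scope limiting.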

🔒 Pro insight: As APIs evolve, organizations must adopt adaptive security measures that incorporate contextual awareness to defend against sophisticated API-layer attacks.
