Moving to API-centric security
Despite this reality, organizations focus on protecting infrastructure and end-user web applications against attack, leaving APIs vulnerable, laments Kare. The defense model has traditionally been a castle with a moat, but that metaphor needs to be updated, he says.
“We’re not protecting a castle, we’re protecting a marketplace, which means we have to protect multiple points, not just one entry point, because of course people are going to come from all over, agents are going to come from all over and try to do business in the marketplace using the APIs that we provide,” says Kare.
The increased speed of development and the shift to microservices have increased the need to secure APIs, he says. He advises organizations to start an “active, continuous, iterative discovery and inventory process” that maps out applications and keeps an updated list of APIs. After all, unmanaged APIs are the ones that pose the greatest risk.
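The discovery and inventory process described above can be started from data most organizations already have: server access logs on one side and whatever API documentation exists on the other. The following Python script is an added example (not code from the article or from Kare) that reconciles the two. It assumes a documented API surface in the shape of an OpenAPI `paths` section and a few constructed access log lines; routes seen in traffic but absent from the spec are the "unmanaged" APIs the paragraph warns about.

```python
import re
from collections import Counter

# Constructed sample: the documented API surface, shaped like the "paths"
# section of an OpenAPI document. Assumption for the example only; this is
# not any real project's specification.
DOCUMENTED_SPEC = {
    "/api/v1/users/{id}": ["GET", "PATCH"],
    "/api/v1/orders": ["GET", "POST"],
    "/api/v1/orders/{id}": ["GET"],
}

# Constructed sample access log lines (common log format) for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:12:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2025:12:00:02 +0000] "GET /api/v1/orders HTTP/1.1" 200 2048
10.0.0.9 - - [10/Jan/2025:12:00:03 +0000] "GET /api/v1/users/42/export HTTP/1.1" 200 9031
10.0.0.9 - - [10/Jan/2025:12:00:04 +0000] "POST /internal/debug/reset HTTP/1.1" 200 11
10.0.0.7 - - [10/Jan/2025:12:00:05 +0000] "GET /api/v1/users/7 HTTP/1.1" 200 498
10.0.0.7 - - [10/Jan/2025:12:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 77812
"""

# Extracts the request line: method and path.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Rough heuristic for identifier segments (integers or UUID-like strings).
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$")


def normalize_path(path):
    """Collapse concrete identifiers so /users/42 and /users/7 map to one route template."""
    path = path.split("?", 1)[0]  # drop the query string
    parts = ["{id}" if ID_SEGMENT.match(p) else p for p in path.split("/")]
    return "/".join(parts)


def observed_endpoints(log_text):
    """Return a Counter of (method, route_template) seen in the log, skipping static assets."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        route = normalize_path(m.group("path"))
        if route.startswith("/static/"):
            continue
        seen[(m.group("method"), route)] += 1
    return seen


def reconcile(spec, seen):
    """Split traffic into undocumented endpoints and documented endpoints never observed."""
    documented = {(meth, route) for route, meths in spec.items() for meth in meths}
    undocumented = sorted(ep for ep in seen if ep not in documented)
    unobserved = sorted(documented - set(seen))
    return undocumented, unobserved


if __name__ == "__main__":
    seen = observed_endpoints(SAMPLE_LOG)
    undocumented, unobserved = reconcile(DOCUMENTED_SPEC, seen)
    print("Undocumented (unmanaged) endpoints seen in traffic:")
    for method, route in undocumented:
        print(f"  {method} {route}  ({seen[(method, route)]} requests)")
    print("Documented endpoints with no traffic (candidates for retirement):")
    for method, route in unobserved:
        print(f"  {method} {route}")
```

Run this on a daily rotation of real logs and the undocumented list becomes the work queue for the inventory: each entry is either documented and brought under the same authentication and monitoring as the rest, or removed. The identifier heuristic is deliberately simple; real deployments usually need per-service rules for slugs, dates and other path parameters.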
According to Kare, the Open Web Application Security Project (OWASP) also emphasizes, in its latest version, the importance of securing OAuth authentication in API services and of API security in general.
“We know that developers are under pressure to deliver features and content quickly,” says Kare. “That means there’s a never-ending battle to discover and gain visibility into where APIs are, where APIs are in apps, how they’re being accessed.”
While Kare doesn’t claim that API security is an issue that developers should manage, he does point to development practices that can put companies at risk. He cites the case of a well-known fitness company whose API didn’t have proper authentication because the developer thought the initial version wouldn’t last long and would be refactored in the next development cycle. “Of course, that didn’t happen, and the result was an API that was accessible with little or no authentication, which exposed personal data,” Kare laments.
It’s also important not to use third-party APIs in an unsafe way, he says. And API care should extend to mobile apps, the Internet of Things (including in-car systems), and operational technology apps. “There’s a huge amount of API data in your car right now,” Kare says. “It’s accessible to app developers, service technicians, and can be used by malicious people.”
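The fitness-company case above comes down to one handler that was shipped without an authentication check. The following Python snippet is an added example (not code from the article, from Kare, or from the company mentioned) that places that kind of "temporary" handler beside a hardened one. It assumes a tiny in-memory user store and a constructed bearer-token table; a production API would validate tokens issued by its identity provider instead of a local dictionary.

```python
import hmac
import re
from dataclasses import dataclass, field

# Constructed sample data; in a real service this lives in a database.
USERS = {
    "42": {"id": "42", "email": "alice@example.test", "dob": "1990-04-01"},
    "7": {"id": "7", "email": "bob@example.test", "dob": "1985-11-23"},
}

# Constructed token store (bearer token -> user id). Assumption for the
# example only; real services verify tokens with their identity provider.
SESSION_TOKENS = {
    "tok-alice-3f9a": "42",
    "tok-bob-81c0": "7",
}

USER_ROUTE = re.compile(r"^/api/v1/users/(?P<id>\d+)$")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def handle_user_unauthenticated(req):
    """The 'first version that will be refactored later': any caller reads any profile."""
    m = USER_ROUTE.match(req.path)
    if req.method != "GET" or not m:
        return 404, {"error": "not found"}
    user = USERS.get(m.group("id"))
    return (200, user) if user else (404, {"error": "not found"})


def authenticate(req):
    """Return the caller's user id from a bearer token, or None if absent or unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, uid in SESSION_TOKENS.items():
        # Constant-time comparison avoids leaking token contents via timing.
        if hmac.compare_digest(presented, token):
            return uid
    return None


def handle_user_authenticated(req):
    """Hardened version: authenticate first, then authorize at the object level."""
    m = USER_ROUTE.match(req.path)
    if req.method != "GET" or not m:
        return 404, {"error": "not found"}
    caller = authenticate(req)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller != m.group("id"):
        # Valid token, but for a different user: no personal data is returned.
        return 403, {"error": "forbidden"}
    return 200, USERS[caller]


if __name__ == "__main__":
    anon = Request("GET", "/api/v1/users/42")
    bob = Request("GET", "/api/v1/users/42", {"Authorization": "Bearer tok-bob-81c0"})
    print("unauthenticated handler, anonymous caller:", handle_user_unauthenticated(anon))
    print("hardened handler, anonymous caller:", handle_user_authenticated(anon))
    print("hardened handler, Bob asking for Alice:", handle_user_authenticated(bob))
```

The second check (caller id must match the requested id) is as important as the first: an API that authenticates callers but lets any authenticated user fetch any record still exposes personal data. Some teams return 404 rather than 403 for the cross-user case so that valid ids cannot be distinguished from invalid ones; either way the check belongs in the handler from the first version, not the refactored one.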