{"id":16017,"date":"2026-03-30T10:07:12","date_gmt":"2026-03-30T10:07:12","guid":{"rendered":"https:\/\/newestek.com\/?p=16017"},"modified":"2026-03-30T10:07:12","modified_gmt":"2026-03-30T10:07:12","slug":"apis-are-the-new-perimeter-heres-how-cisos-are-securing-them","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16017","title":{"rendered":"APIs are the new perimeter: Here\u2019s how CISOs are securing them"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Recent breaches suggest attackers are shifting beyond traditional endpoints to target application programming interfaces (APIs). But typical perimeter protections can completely miss this vector.<\/p>\n<p>\u201cWe used to talk about defense-in-depth and endpoint protection,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/seanmurphy092009\/\">Sean Murphy<\/a>, CISO at BECU, a nationwide credit union. \u201cThat morphed into identity, and now the API is the new perimeter.\u201d<\/p>\n<p>BECU\u2019s backend architecture is heavily based on microservices and APIs, making this an important \u2014 and widening \u2014 surface to secure. \u201cThey\u2019re your front door, and if you don\u2019t know what the inventory of your APIs is, the attackers surely will find them.\u201d<\/p>\n<p>With API-first development on the rise, API portfolios have <a href=\"https:\/\/thenewstack.io\/what-is-api-sprawl-and-why-is-it-important\/\">quietly ballooned<\/a> throughout large enterprises. 
Conservative estimates place the average number of APIs within a large company at 250 to 500, but it\u2019s not uncommon for enterprises to <a href=\"https:\/\/apievangelist.com\/2024\/11\/26\/how-many-apis-does-the-average-enterprise-have\/\">run thousands<\/a>.<\/p>\n<p>These useful interfaces often connect backend systems, partners, and customer data. Yet their access is frequently ungoverned, insecure, or misconfigured. A <a href=\"https:\/\/salt.security\/api-security-trends\">2025 report from Salt Security<\/a> found that nearly one in three organizations experienced an API breach in the past 12 months. They also found <a href=\"https:\/\/salt.security\/press-releases\/salt-labs-state-of-api-security-report-reveals-99-of-respondents-experienced-api-security-issues-in-past-12-months\">95% of attacks<\/a> originate from authenticated sources, often using stolen API keys or credentials.<\/p>\n<p>Traditional security approaches, such as <a href=\"https:\/\/www.csoonline.com\/article\/568045\/what-is-edr-endpoint-detection-and-response.html\">endpoint detection and response (EDR)<\/a> and web application firewalls (WAFs), often miss these attacks because they lack the context needed to detect business-logic abuse. To these systems, API abuse often looks like normal, valid traffic.<\/p>\n<p>\u201cEDR and WAFs were built for yesterday\u2019s problems: malware on endpoints and basic web exploits,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/elliottfranklin\/\">Elliott Franklin<\/a>, CISO at Fortitude Re, a reinsurance company. \u201cWithout a deep understanding of business logic and identity context, traditional tools miss credential stuffing, token theft, or data scraping.\u201d<\/p>\n<p>CISOs say addressing the problem at scale requires new tooling, practices, and governance frameworks. 
It\u2019ll also take an identity-aware shift to hedge against tomorrow\u2019s problems, which revolve around the use of <a href=\"https:\/\/www.cio.com\/article\/4018578\/why-cios-see-apis-as-vital-for-agentic-ai-success.html\">APIs in agentic AI<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>APIs are the new attack surface<\/h2>\n<p>APIs drive <a href=\"https:\/\/thehackernews.com\/2024\/03\/apis-drive-majority-of-internet-traffic.html\">the majority of internet traffic<\/a>, and cybercriminals are taking advantage. In the <a href=\"https:\/\/www.theregister.com\/2024\/06\/21\/optus_data_breach_faulty_api\/\">2022 Optus breach<\/a>, an attacker extracted 9 million customer records through an API endpoint with broken access control. Over the past two years, API exploits have also hit <a href=\"https:\/\/apisecurity.io\/issue-285-api-hack-at-avelo-airlines-3-5-billion-leak-at-whatsapp-f5-api-security-survey-ai-generated-code-risks\/\">WhatsApp<\/a>, <a href=\"https:\/\/nordpass.com\/blog\/trello-data-breach\/\">Trello<\/a>, <a href=\"https:\/\/www.hipaajournal.com\/6-9-million-23andme-users-affected-by-data-breach\/\">23andMe<\/a>, <a href=\"https:\/\/alexschapiro.com\/security\/vulnerability\/2025\/11\/20\/avelo-airline-reservation-api-vulnerability\">Avelo Airlines<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/3631055\/volkswagen-massive-data-leak-caused-by-a-failure-to-secure-aws-credentials.html\">Volkswagen<\/a>.<\/p>\n<p>These threats have many CISOs viewing APIs as a primary attack surface. \u201cAPIs have become the most critical and rapidly expanding attack surface for the modern enterprise,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/senthilesr\/\">Senthil Subramaniam<\/a>, global CISO and assistant VP at Infinite Computer Solutions, an IT services company. 
\u201cMany API security incidents arise from flaws like injection attacks and broken authorizations.\u201d<\/p>\n<p>A key contributor to the rise in exploits is the ubiquity of APIs, which now act as connective tissue across enterprises, linking SaaS platforms, cloud workloads, and internal applications. \u201cThat ubiquity makes them a natural focus for attackers,\u201d says Fortitude Re\u2019s Franklin.<\/p>\n<p>The openness of APIs and their proximity to sensitive data and critical systems also make them attractive to attackers. \u201cAPIs have absolutely become one of the primary attack surfaces today,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/jamesfaxon\/\">James Faxon<\/a>, a principal advisor at Risk &amp; Insight Group and previously CISO of NukuDo, a cybersecurity talent development company. \u201cIn many environments, APIs now represent a much more direct path to business systems than endpoints ever did.\u201d<\/p>\n<p>\u201cAn attacker doesn\u2019t need to compromise a laptop or deploy malware to gain leverage,\u201d adds Faxon. By simply obtaining a token, he explains, an attacker could exploit a misconfiguration or flawed authorization logic to move laterally and extract data without triggering traditional endpoint controls.<\/p>\n<p>To make matters worse, many organizations lack proper API inventories, making it easy for APIs to fall outside normal oversight. A <a href=\"https:\/\/www.scworld.com\/news\/it-organizations-document-apis\">2023 study<\/a> from Enterprise Management Associates found that roughly 70% of enterprises have just 30% of their APIs documented. 
That figure does not include <a href=\"https:\/\/nordicapis.com\/the-risks-of-shadow-apis-how-unmanaged-endpoints-bypass-your-ci-cd-checks\/\">shadow APIs<\/a> outside normal security governance.<\/p>\n<p>\u201cMost teams don\u2019t have clear visibility into how their APIs are working behind the scenes,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/cmazal\/\">Chaim Mazal<\/a>, chief AI and security officer at cloud security company Gigamon. Without a clear understanding of how APIs communicate and the data they expose, developers can inadvertently create exploitable attack paths.<\/p>\n<p>Others see growing urgency amid AI-driven shifts. \u201cAPIs may not yet be the primary attack surface, but it\u2019s becoming more urgent in recent years,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/andreas-gaetje-b47ab944\/\">Andreas Gaetje<\/a>, CISO at K\u00f6rber, a provider of intelligent manufacturing and supply chain solutions, who notes hyperautomation and agentic AI make API security more pressing.<\/p>\n<p>Still, the number of reported API security incidents doesn\u2019t outweigh credential theft, phishing, and endpoint compromise, notes <a href=\"https:\/\/www.linkedin.com\/in\/mark-dorsi-242916b\/\">Mark Dorsi<\/a>, CISO at Netlify, a cloud computing company. But the threat level is changing as autonomous systems <a href=\"https:\/\/www.cio.com\/article\/4123497\/what-cios-in-finance-do-to-navigate-ai-agents.html\">gain higher-value capabilities<\/a>.<\/p>\n<p>\u201cAs agentic systems increasingly interact with services through APIs, including Model Context Protocol, agent-to-agent workflows, and automated integrations, APIs will see a material uplift in both usage and exposure,\u201d says Dorsi.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Legacy defenses can\u2019t keep up<\/h2>\n<p>Traditional perimeter-based defenses are often insufficient against API-layer attacks. 
Tools such as EDR, XDR, and WAFs \u201cprimarily focus on clients, hardware, and software endpoints, looking at IP-based attack vectors,\u201d explains BECU\u2019s Murphy. \u201cAPIs bring us into the world of business logic and runtime types of issues.\u201d<\/p>\n<p>Others agree that legacy defenses leave a gap for API-first architectures. For example, EDR misses east-west traffic, content within API flows, and gateway-level attacks, while WAFs mainly detect malicious payload patterns and miss important context around authorization, identity, and caller intent, says Infinite Computer Solutions\u2019 Subramaniam.<\/p>\n<p>\u201cAPI attacks often exploit business logic, not payload patterns,\u201d he adds. \u201cThey exploit broken authentication or authorization, abuse of legitimate endpoints, excessive data exposure, and mass enumeration.\u201d These requests often appear valid individually, but together form a malicious sequence.<\/p>\n<p>\u201cAPI attacks are typically logical, valid requests made with stolen or over-permissioned credentials that abuse business logic rather than breaking HTTP rules,\u201d Risk &amp; Insight Group\u2019s Faxon says. For example, an attacker might abuse a long-lived, over-permissioned token for a financial API. \u201cAPI abuse can often blend into normal traffic until the damage is already done,\u201d he adds.<\/p>\n<p>Netlify\u2019s Dorsi agrees. \u201cTraditional controls lack the context to understand intent, misuse, or abuse across API calls,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>How CISOs are responding<\/h2>\n<p>CISOs are deploying a range of strategies to mitigate API threats. 
This goes beyond buying new-fangled cloud-native tools \u2014 it requires an <a href=\"https:\/\/www.cio.com\/article\/1305658\/why-cios-back-api-governance-to-avoid-tech-sprawl.html\">API governance strategy<\/a> involving organization-wide policies, API inventories, automated checks, and strong identity and access control.<\/p>\n<p>For example, BECU has implemented an API governance structure, adopting a single policy for all developers. \u201cWe started building in governance before the technology was leveraged,\u201d explains Murphy. This is critical to reduce the possibility for misconfigurations, he says, which remains a leading risk in the <a href=\"https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0x11-t10\/\">OWASP Top 10 API Security Risks<\/a>.<\/p>\n<p>In large enterprises, shared security guidance helps maintain least-privilege access and avoid exposing internal secrets. While all engineers and API builders are subject to BECU\u2019s internal policy, it\u2019s continually evolving, Murphy adds.<\/p>\n<p>\u201cStrong API governance is key,\u201d agrees Franklin. \u201cAt Fortitude Re, we\u2019re building API security into our broader identity and access management strategy.\u201d A key area of focus is <a href=\"https:\/\/www.csoonline.com\/article\/2132294\/what-are-non-human-identities-and-why-do-they-matter.html\">tracing non-human identities<\/a>, which helps inventory and classify APIs in use. \u201cThe biggest gap I see is shadow APIs,\u201d he adds.<\/p>\n<p>To reduce that risk, visibility is critical. K\u00f6rber\u2019s Gaetje recommends taking proactive steps to enhance visibility by cataloging your surface area. \u201cThe most important activity is to gain visibility into exposed APIs,\u201d he says. \u201cWhat you cannot see, you cannot control.\u201d<\/p>\n<p>For Faxon, security begins with a full inventory of what APIs exist, who owns them, and what data they expose. 
\u201cThe most effective organizations treat APIs as first-class security assets,\u201d he says.<\/p>\n<p>In practice, implementing holistic API governance involves multiple tools and developer touchpoints. Infinite Computer Solutions uses specialized <a href=\"https:\/\/www.infoworld.com\/article\/3529600\/how-do-you-govern-a-sprawling-disparate-api-portfolio.html\">API gateways<\/a> for processing traffic and adopts advanced security features to run risk assessments, Subramaniam says.<\/p>\n<p>\u201cOur security tools are also embedded into the CI\/CD pipeline,\u201d he adds, noting that API specifications must pass automated security validation checks, which helps ensure compliance with security standards.<\/p>\n<p>Dorsi says Netlify takes a disciplined approach to understanding how APIs are used, emphasizing strong authorization maturity through practices like limiting scopes, rotating credentials, and continually reassessing trust.<\/p>\n<p>\u201cWe treat APIs as critical infrastructure, not just plumbing,\u201d he says. \u201cStrong identity and authorization design is foundational. That means explicit ownership models, least privilege scopes, and consistent auth patterns across APIs.\u201d<\/p>\n<p>All in all, CISOs indicate that API security requires deep forethought. \u201cWe treat APIs as part of our operational surface, not just our software stack,\u201d says Faxon. \u201cEvery API we build is documented, threat-modeled, and owned, with least-privilege access as the default and permissions continuously re-evaluated as systems evolve.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>AI exacerbates preexisting risks<\/h2>\n<p>Another driver of today\u2019s API vulnerabilities is the rise of AI. 
While large language models (LLMs) and coding assistants empower software engineers, they also empower adversaries, complicating the API security landscape and requiring new approaches beyond traditional endpoint defenses.<\/p>\n<p>\u201cAI is fundamentally reshaping the threat landscape,\u201d says Gigamon\u2019s Mazal. \u201cAI has enabled the democratization of offensive tooling, meaning that anyone, regardless of skill level, can now exploit API weaknesses without writing a single line of code.\u201d With a growing API attack surface and lower barriers, organizations should assume a breach posture, he adds.<\/p>\n<p>For instance, AI can amplify an attacker\u2019s ability to discover and exploit API vulnerabilities like misconfigurations or over-permissioning, says Murphy. This reality has influenced BECU to take a deliberate approach to API visibility, deploying monitoring tools to discover and track its entire API catalog.<\/p>\n<p>Another element of BECU\u2019s policy requires developers to use a sanctioned API gateway with enforced security controls. \u201cWe make it as difficult as possible for an adversary to exploit us in any shape or form,\u201d says Murphy, adding they apply identity and access control, monitoring, and alerting, regardless of API type.<\/p>\n<p>\u201cInternal doesn\u2019t mean an external adversary can\u2019t access it,\u201d adds Murphy. As such, BECU is vigilant with all APIs, regardless of whether they\u2019re internal APIs used for backend system-to-system communication or external-facing APIs that power customer interactions on mobile banking apps.<\/p>\n<p>Beyond amplifying external threats, AI is increasingly embedded within enterprise software stacks, introducing a new vector to cover. A <a href=\"https:\/\/softwarefinder.com\/resources\/state-of-software-stacks\">2025 study from Software Finder<\/a> found that 56% of IT leaders expect their software stack to be AI-powered by 2030. 
As agentic AI begins to consume APIs, the <a href=\"https:\/\/www.csoonline.com\/article\/4109999\/agentic-ai-already-hinting-at-cybersecuritys-pending-identity-crisis.html\">risks around unauthorized access<\/a> and unintended sensitive data exposure rise as well.<\/p>\n<p>As Subramaniam explains, \u201cAI agentic systems, which autonomously access APIs to perform tasks, complicate API security by expanding the attack surface, enabling dynamic and unpredictable interactions, and amplifying existing vulnerabilities through high-speed, automated actions.\u201d Preventing unauthorized access by agents will require more granular control and more time-bound <a href=\"https:\/\/www.csoonline.com\/article\/572177\/what-is-rbac-role-based-access-control-explained.html\">role-based access control (RBAC)<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Securing third-party tool usage<\/h2>\n<p>Other API risks stem from the broader software supply chain. In 2025, JPMorganChase CISO Patrick Opet published an <a href=\"https:\/\/www.jpmorganchase.com\/about\/technology\/blog\/open-letter-to-our-suppliers\">open letter<\/a> about diminishing standards for SaaS providers, writing that the SaaS delivery model is \u201cquietly enabling cyber attackers\u201d and creating a \u201csubstantial vulnerability that is weakening the global economic system.\u201d<\/p>\n<p>Third-party API consumption can open an organization to sensitive data exposure. 
According to Gartner, 71% of organizations use APIs provided by third parties such as SaaS vendors, making third-party APIs another major risk vector.<\/p>\n<p>\u201cFor third-party APIs, we already require vendor security reviews and contractual security assurances,\u201d says Fortitude Re\u2019s Franklin, noting that this is part of a broader SaaS security program that provides visibility into the SaaS systems employees use.<\/p>\n<p>The onus, however, is also on the consuming organization to implement better token-handling processes to secure API connections to SaaS platforms. This is especially important, as developers are often reckless with API keys and secrets. In 2024, Escape discovered <a href=\"https:\/\/escape.tech\/blog\/how-we-discovered-over-18-000-api-secret-tokens\/\">18,000 API secrets and tokens<\/a> floating around on the open web.<\/p>\n<p>Some CISOs are actively addressing this. \u201cOur team centralizes and encrypts all third-party credentials \u2014 API keys, tokens \u2014 within the API management layer,\u201d says Subramaniam. \u201cWe never distribute raw credentials to our internal development teams.\u201d<\/p>\n<p>Maintaining safe integrations requires ongoing discipline, too. \u201cWe apply the same rigor to third-party APIs: Credentials are tightly scoped, regularly rotated, and monitored for behavioral drift,\u201d adds Faxon. \u201cIf an integration begins acting outside its expected pattern, it\u2019s treated as a security event, not a technical anomaly.\u201d<\/p>\n<p>For Murphy, avoiding third-party API gaps requires careful vendor evaluation and tooling decisions. 
\u201cYou trust but verify.\u201d The same scrutiny applies to the API management tooling itself: maintaining too many niche products increases complexity, creates scalability challenges, and forces teams to stitch the products together to obtain a cohesive view of API security.<\/p>\n<p>\u201cThe more complexity, and the more differentiated monitoring, the higher risk you\u2019re going to mess up,\u201d says Murphy. \u201cBut, diversity in the platform is good, too, since compartmentalizing can help with a tiered aspect to security oversight.\u201d One top item in BECU\u2019s roadmap for 2026 is automating the handoffs between its exposure management platform, vulnerability management platform, and security operations center, he adds.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>API standards must evolve<\/h2>\n<p>As APIs become a core aspect of modern business operations, their security risks are becoming more pronounced. \u201cEvery API misconfiguration is not just a security gap,\u201d says Faxon. \u201cIt\u2019s a business decision being executed at machine speed, without human oversight.\u201d<\/p>\n<p>Responding to this new era of threats requires moving beyond traditional perimeter defenses. Organizations will need new approaches to secure non-human identities \u2014 machines, bots, and agents that increasingly interact with systems and data at a business application level.<\/p>\n<p>\u201cThe real shift isn\u2019t just from endpoints to APIs,\u201d says Franklin. 
\u201cIt\u2019s from human-driven access to non-human identities like APIs, service accounts, and machine-to-machine connections.\u201d Although these identities now outnumber humans in most enterprises, he adds, they lack rigorous governance, <a href=\"https:\/\/www.csoonline.com\/article\/4089732\/rethinking-identity-for-the-ai-era-cisos-must-build-trust-at-machine-speed.html\">requiring rethinking to secure this new attack surface<\/a>.<\/p>\n<p>The challenge is further complicated by the diversity of API environments. APIs may be distributed across multiple clouds, platforms, and locations, each with different security controls. As Mazal explains, \u201cThe challenge is that as development accelerates and the pace of innovation increases, not all APIs follow the same set of controls.\u201d<\/p>\n<p>Edge-based IoT APIs, for instance, may not allow the same types of traffic enforcement found in centralized environments. \u201cThe resulting gaps in interconnectivity make it difficult to manage APIs holistically and consistently across the ecosystem.\u201d For him, real-time threat monitoring and visibility of network telemetry are still essential to correct visibility gaps.<\/p>\n<p>Ultimately, CISOs shouldn\u2019t abandon traditional security tools. But they do need to extend security deeper into the development and design process, embedding checks early, strengthening identity-based authorization, and improving real-time visibility into business-layer interactions.<\/p>\n<p>By combining governance, identity controls, and visibility, CISOs can adequately prepare for the security realities of an API-driven world.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Recent breaches suggest attackers are shifting beyond traditional endpoints to target application programming interfaces (APIs). But typical perimeter protections can completely miss this vector. 
\u201cWe used to talk about defense-in-depth and endpoint protection,\u201d says Sean Murphy, CISO at BECU, a nationwide credit union. \u201cThat morphed into identity, and now the API is the new perimeter.\u201d BECU\u2019s backend architecture is heavily based on microservices and APIs,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16017\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16017","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16017","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16017"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16017\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16017"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16017"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16017"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
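The article's "Legacy defenses can't keep up" section and the third-party section describe the two abuse patterns a WAF cannot see: mass enumeration by a credential whose every request is individually authorized, and an integration credential that starts "acting outside its expected pattern". The Python script below is an added illustration of how a detection team would look for both in gateway access logs; it is not code from the article or from any organization quoted in it. The log format, token names, thresholds and the integration baseline are all assumptions constructed for the example.

```python
"""Two detections for API abuse that hides inside individually valid requests.
Added example; not code from the article or any organization quoted in it.
Log format, field names, thresholds and the integration baseline are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway access log in an assumed "ts token method path status" format.
SAMPLE_LOG = """\
2026-03-30T10:00:01Z tok_mobile_7f3 GET /v1/accounts/1001 200
2026-03-30T10:00:02Z tok_mobile_7f3 GET /v1/accounts/1001/transactions 200
2026-03-30T10:00:05Z tok_mobile_7f3 POST /v1/transfers 201
2026-03-30T10:01:00Z tok_stolen_a9c GET /v1/accounts/1001 200
2026-03-30T10:01:01Z tok_stolen_a9c GET /v1/accounts/1002 200
2026-03-30T10:01:02Z tok_stolen_a9c GET /v1/accounts/1003 200
2026-03-30T10:01:03Z tok_stolen_a9c GET /v1/accounts/1004 403
2026-03-30T10:01:04Z tok_stolen_a9c GET /v1/accounts/1005 200
2026-03-30T10:01:05Z tok_stolen_a9c GET /v1/accounts/1006 200
2026-03-30T10:02:00Z tok_partner_crm GET /v1/customers/55 200
2026-03-30T10:02:30Z tok_partner_crm GET /v1/customers/56 200
2026-03-30T10:03:00Z tok_partner_crm GET /v1/accounts/1009/transactions 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
ID_SEG_RE = re.compile(r"^(\d+|[0-9a-fA-F-]{8,})$")  # numeric or UUID-like path segment

# Assumed baseline: endpoints each integration credential was seen calling during a
# learning period (in practice derived from historical logs, not hand-written).
INTEGRATION_BASELINE = {"tok_partner_crm": {"GET /v1/customers/{id}"}}


def parse_line(line):
    """Parse one access-log line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def template_and_ids(path):
    """'/v1/accounts/1002/transactions' -> ('/v1/accounts/{id}/transactions', ['1002'])."""
    segs, ids = [], []
    for seg in path.strip("/").split("/"):
        if ID_SEG_RE.match(seg):
            segs.append("{id}")
            ids.append(seg)
        else:
            segs.append(seg)
    return "/" + "/".join(segs), ids


def detect_enumeration(records, window=timedelta(seconds=60), max_distinct_ids=5):
    """Flag a credential that touched more than max_distinct_ids distinct object IDs
    under one collection within any sliding window. Each request may be authorized
    (or a lone 403); the sequence is the signal (BOLA/IDOR probing, scraping)."""
    per_key = defaultdict(list)  # (token, template) -> [(ts, object_id), ...]
    for r in records:
        tmpl, ids = template_and_ids(r["path"])
        if ids:
            per_key[(r["token"], tmpl)].append((r["ts"], ids[0]))
    findings = []
    for (token, tmpl), events in per_key.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({obj for _, obj in events[start:end + 1]}))
        if best > max_distinct_ids:
            findings.append({"token": token, "template": tmpl, "distinct_ids": best})
    return findings


def detect_drift(records, baseline=INTEGRATION_BASELINE):
    """Flag a governed integration credential calling an endpoint outside its baseline,
    e.g. a CRM connector that suddenly reads account transactions."""
    findings, seen = [], set()
    for r in records:
        allowed = baseline.get(r["token"])
        if allowed is None:
            continue  # not a governed third-party credential
        call = f"{r['method']} {template_and_ids(r['path'])[0]}"
        if call not in allowed and (r["token"], call) not in seen:
            seen.add((r["token"], call))
            findings.append({"token": r["token"], "unexpected_call": call})
    return findings


def analyze(log_text):
    """Run both detections over raw log text and return their findings."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {"enumeration": detect_enumeration(records), "drift": detect_drift(records)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Two design points worth noting. First, neither check inspects payloads: both key on the calling identity, which is why the log must carry a stable token or subject identifier rather than only a source IP, and why a 403 counts as a touch (a failed probe is still evidence of enumeration). Second, the hand-written baseline stands in for what a real deployment would learn from history per credential; the point of scoping and rotating third-party credentials, as the article's sources describe, is precisely so that such a baseline stays small enough to be meaningful.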