Safeguard
Application Security

What is API Security

API security explained: what it is, why APIs are the top breach vector, the OWASP API Top 10, real breaches, and how to test and monitor endpoints.

James
Principal Security Architect
Updated 7 min read

APIs now carry most of the traffic on the internet — Cloudflare's 2023 traffic analysis put API calls at roughly 57% of dynamic web traffic, ahead of traditional browser-driven requests. Teams evaluating API security software are usually trying to answer one question first: does anything stand between an attacker and our data if they simply call an endpoint directly? API security is the practice of protecting those application programming interfaces — the authentication logic, data payloads, rate limits, and business logic behind each endpoint — from abuse, data exfiltration, and unauthorized access. It differs from general web application security because APIs expose structured, machine-readable access directly to backend data and functions, often with fewer of the visual and behavioral cues that flag suspicious activity in a browser session. The stakes are well documented: T-Mobile disclosed in January 2023 that an attacker had pulled data on 37 million customer accounts through a single unauthenticated API, and Optus lost records on 9.8 million customers in September 2022 the same way. Both incidents trace back to the same root cause — an API that did what it was built to do, for someone it should never have trusted.

What Is API Security?

API security is the set of practices, tools, and controls used to protect the interfaces that let applications, services, and partners exchange data programmatically. Every REST, GraphQL, gRPC, or webhook endpoint is a potential entry point into backend systems, and securing it means verifying who is calling it (authentication), what they're allowed to do (authorization), how much they can do (rate limiting and abuse prevention), and what data they can see (object- and field-level access control). Unlike a web page, an API has no rendered UI to obscure its structure — an attacker who finds one endpoint can often enumerate the entire schema and probe every parameter systematically. That's why web API security programs typically combine design-time controls (schema validation, authentication standards like OAuth 2.0 and OpenID Connect), runtime controls (API gateways, WAFs tuned for API traffic, anomaly detection), and code-level controls (dependency and configuration scanning, business-logic testing) rather than relying on any single layer.

Why Do APIs Get Targeted So Often?

APIs get targeted because they are both numerous and directly connected to sensitive data, and attackers have industrialized scanning for them. Salt Security's State of API Security Report (Q1 2022) found that API attack traffic grew 681% year-over-year while overall API traffic grew only 321% — attackers were scaling faster than adoption itself. Gartner's 2021 API security predictions similarly flagged API abuse as poised to become the most frequent attack vector for enterprise web application breaches. The practical reason is sprawl: a mid-size SaaS company can easily run several hundred internal and external API endpoints across microservices, and each new endpoint shipped without a corresponding security review is a new unauthenticated or under-authorized path into production data. Shadow APIs — ones that exist in production but were never inventoried, documented, or added to a gateway policy — compound the problem because you cannot defend an asset that isn't on your list.

What Are the Most Common API Vulnerabilities?

The most common API vulnerabilities are cataloged in the OWASP API Security Top 10, last updated in 2023, and the top entry — Broken Object Level Authorization (BOLA) — shows up in the majority of real-world API breaches. BOLA occurs when an API takes an object ID (like an order number or account ID) from a request and returns data for it without checking whether the caller actually owns that object; changing /api/orders/1001 to /api/orders/1002 and getting someone else's order is a textbook example. Other frequent categories from the 2023 list include Broken Authentication (API2), Broken Object Property Level Authorization (API3, covering excessive data exposure and mass assignment), Unrestricted Resource Consumption (API4, replacing the old "lack of rate limiting" entry), and Server Side Request Forgery (API7). These aren't exotic bugs — they're logic errors that traditional signature-based scanners miss because the request itself looks syntactically valid; catching them requires understanding what the API is supposed to enforce, not just what traffic it accepts.

What Do Real-World API Breaches Look Like?

Real-world API breaches typically involve an authentication or authorization gap rather than a novel exploit technique. In the T-Mobile case disclosed January 19, 2023, the company said the activity had been occurring since around November 25, 2022, through an API that lacked rate limiting and effective authorization checks, exposing names, billing addresses, emails, phone numbers, and account details for 37 million customers before it was caught. Optus's September 2022 breach came from a test API left internet-facing without authentication, exposing government ID numbers, addresses, and dates of birth for 9.8 million current and former customers. Peloton's leaky API, reported by Pen Test Partners in January 2021, let unauthenticated users query any other user's age, gender, weight, and location data by ID, even for profiles marked private. Experian's 2020 incident, discovered by independent researcher Bill Demirkapi, involved a partner's API returning full credit scores for any US consumer given just a name and address, with no rate limiting to stop bulk querying. In every case, the API was functioning exactly as coded — the failure was in what it allowed, not in a crash or memory corruption.

How Do You Test and Monitor API Security?

You test and monitor API security by combining static analysis of the code that implements the API, dynamic testing of the running endpoints, and continuous runtime monitoring of production traffic, because each layer catches different failure modes. Static analysis and software composition analysis catch known-vulnerable dependencies and insecure code patterns before deployment — relevant given that Sonatype's 2023 State of the Software Supply Chain report logged a 200% year-over-year increase in malicious open-source packages, many targeting the same dependency trees that back API services. Dynamic testing (DAST) and dedicated API security scanners — including specialized API fuzzers and commercial tools like Checkmarx's API security module — exercise live endpoints with malformed, boundary, and adversarial inputs to catch authorization logic errors like BOLA that static tools can't see. Runtime API monitoring — through a gateway, service mesh, or dedicated API security platform — is what actually catches an active breach in progress, by flagging abnormal query volume, sequential ID enumeration, or access to endpoints outside a client's normal pattern, the exact signal that would have shortened the multi-week attacker dwell time seen in the T-Mobile and Optus incidents.

How Safeguard Helps

Safeguard maps API security findings to actual exploitability instead of raw counts, using reachability analysis to determine whether a vulnerable dependency or misconfigured endpoint sits on a code path attackers can actually reach from the internet-facing surface of your application. Griffin AI, Safeguard's detection engine, correlates that reachability data with real-world exploit patterns — including known BOLA and broken-authentication signatures — to prioritize the small subset of API findings that represent genuine risk rather than theoretical CVEs. Safeguard generates and ingests SBOMs across your API services so every dependency backing every endpoint is inventoried, closing the shadow-API and shadow-dependency gap that let the Optus and T-Mobile incidents go undetected for weeks. When a fixable issue is confirmed reachable, Safeguard opens an auto-fix pull request with the patched dependency version or configuration change already applied, so engineering teams can ship the fix in the same workflow they already use instead of triaging a spreadsheet of alerts.

FAQ

What's a simple API security definition?

The short API security definition: verifying who can call an endpoint, what they're allowed to do once they're in, and how much of it they can do — authentication, authorization, and rate limiting applied to every API surface, not just the login flow. The API security meaning shifts slightly by context (a bank's API threat model isn't a public weather API's), but that three-part core stays constant.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.