The Cat-and-Mouse Cyber War—and How to Win It

    July 18, 2025
    Attackers are increasingly targeting APIs while exploiting vulnerabilities and weak security measures, so what should organizations focus on, and what steps can they take to strengthen API security?
    687a658478160f036ecfb2a8 Closeupcoderunninglaptopscreendatacenter

    The Skinny

    • API usage has spiked dramatically in modern web development, driven by GenAI and a shift toward multi-system integration. This rapidly expanding attack surface has doubled the number of organizations experiencing API security incidents year-on-year.

     

    • APIs are increasingly targeted due to weak access controls, poor authentication, and unmonitored or outdated endpoints. Custom builds, limited testing, and insecure configurations also leave systems vulnerable.

     

    • Protect APIs with strong authentication, secure credential storage, rate limiting, and real-time monitoring. Regular audits, encrypted data handling, and API-specific gateways help prevent breaches and block advanced threats.

    For many use cases, traditional web development methods from 15 years ago, such as purely server-rendered pages, are considered outdated.

    Today's modern web development relies heavily on dynamically generated content, often integrating API-driven approaches, client-side frameworks, and hybrid rendering techniques. 71% of organizations now rely on third-party APIs, including those from GenAI providers such as OpenAI.

    At the same time, API security threats are escalating. Wallarm tracked 439 AI-related CVEs in 2024—a staggering 1,025% increase from the previous year. According to Wallarm’s 2025 API ThreatStats Report, many of these vulnerabilities stem from injection flaws, misconfigurations, and memory corruption exploits.

    With AI-powered endpoints often exposed, attackers have an open field to inject malicious payloads, extract sensitive training data, or manipulate machine learning pipelines. 

    A report from cybersecurity firm Salt Security revealed that last year, 37% of organizations experienced an API security incident, more than double the 17% from the previous year. No one is safe, not even major corporations or government agencies.

    With AI-powered endpoints often exposed, attackers have an open field to inject malicious payloads, extract sensitive training data, or manipulate machine learning pipelines.

    API Security Risks

    OWASP releases a list of the top 10 security risks annually for various types of applications. As part of this effort, they established a dedicated project to highlight the most significant security threats to APIs.

    Many of the most critical security flaws stem from weak access restrictions, improper authentication measures, and the exposure of sensitive information. When APIs fail to enforce permissions properly, attackers can manipulate requests to access or modify data. Inadequate login protections can allow unauthorized users to take over accounts or bypass authentication altogether.

    Another significant risk arises from the failure to manage system resources effectively. APIs that do not set limits on the number of requests they handle can be overwhelmed, leading to service disruptions or outright crashes.

    Attackers frequently exploit these weaknesses to flood systems with excessive traffic, rendering applications unusable. Poorly configured security settings further increase exposure, as default settings, unnecessary permissions, and overlooked updates create easy entry points for cyber threats.

    Many of the most critical security flaws stem from weak access restrictions, improper authentication measures, and the exposure of sensitive information.

    Many dangerous problems arise when organizations fail to track and secure all their API endpoints. Unmonitored or outdated interfaces—sometimes forgotten after software updates or system migrations—can also create entry points for attackers.

    Additionally, reliance on external APIs without thorough security assessments can introduce vulnerabilities from third-party services, making internal systems vulnerable to breaches originating outside the organization’s direct control.

    The widespread adoption of AI-powered APIs only adds complexity. Poor security measures around AI-driven endpoints can expose valuable training data, leak proprietary models, or allow attackers to manipulate system behavior.

    Why Proper API Implementations Fail

    Many APIs are custom-built, and their development quality is often lacking. During creation, numerous errors can arise, and the interaction model may not be thoroughly tested. As a result, unexpected data can sometimes cause unpredictable issues.

    Developers often do not test every possible scenario when building an API. They focus on standard use cases and API platforms, sometimes including unnecessary functionality that attackers exploit.

    Public API documentation can be a goldmine for hackers, revealing system architecture, weaknesses, and misconfigurations. Risks arise when it is not properly secured or archived in formats like XML or PDF/A for compliance and audit purposes.

    Security in many systems is often left to WAFs, which are typically set up in basic mode. This limited configuration makes them ineffective against more advanced threats. The challenge is further compounded by the lack of consensus among security experts on the best way to protect APIs, much like the varied interpretations of DevSecOps.

    How to Stay Safe

    To defend against API attacks effectively, organizations must conduct thorough security assessments of both public and internal APIs. Implementing strong security measures helps ensure GDPR and HIPAA compliance while reducing the risk of data breaches.

    To defend against API attacks effectively, organizations must conduct thorough security assessments of both public and internal APIs.

    A proactive approach to API security should include the following best practices:

    1. Secure Authentication and Access Control

    • Implement strong authentication protocols such as OAuth 2.0 to prevent unauthorized access.
    • Enforce multi-factor authentication (MFA) for all API users, particularly administrators and privileged accounts, using methods such as time-based one-time passwords (TOTP), hardware tokens, QR code scanning, or push notifications for a convenient second factor.
    • Restrict API access based on user roles, ensuring that only authorized applications and individuals can interact with critical endpoints.

    2. Secure API Key and Credential Management

    • Store API keys, secrets, and access tokens securely using a dedicated keystore or vault solution.
    • Rotate credentials regularly and prevent hardcoded secrets in code repositories.
    • Ensure certificate-based authentication for secure HTTPS communication by adding necessary certificates to keystores, such as the Java Keystore, for encrypted connections.

    3. Implement Robust Monitoring and Anomaly Detection

    • Deploy API security solutions that can identify and automatically block unusual requests indicative of attacks.
    • Use real-time logging and monitoring to track API calls, detect anomalies, and respond to threats proactively.
    • Leverage threat intelligence and machine learning-based anomaly detection to prevent zero-day attacks.

    4. Apply Proper Rate Limiting and Resource Management

    • Configure rate limiting and throttling policies to prevent abuse, ensuring APIs are not overwhelmed by excessive requests.
    • Implement automated testing with fuzzing tools like JBroFuzz to identify weaknesses in rate-limiting mechanisms and prevent denial-of-service (DoS) attacks.

    5. Secure Data Handling and API Responses

    • Enforce strict backend filtering to prevent excessive data exposure through API responses.
    • Validate user input and sanitize requests to mitigate injection risks, including SQL, XSS, and JSON injection attacks.
    • Use encryption for data in transit and at rest to ensure sensitive information is protected.

    6. Deploy API Security Gateways, Firewalls, and Cloud NAC

    • Utilize application-layer firewalls with API-specific security controls.
    • Implement Layer 7 DDoS protection to defend against volumetric attacks targeting APIs.
    • Use API gateways to enforce strict security policies, rate limiting, and authentication checks.
    • For cloud deployments, use Cloud NAC solutions to enhance security by controlling network access to API endpoints, a critical capability for both IoT security and Zero Trust implementations.

    7. Regular Security Audits and Manual Testing

    • Conduct regular penetration testing to simulate real-world attacks and uncover vulnerabilities.
    • Perform manual security testing in addition to automated scanning to identify business logic flaws and permission misconfigurations.
    • Keep APIs up to date, patch vulnerabilities promptly, and enforce a secure Software Development Lifecycle (SDLC).

    Conclusion

    API security is no longer optional—it is a necessity. As API threats continue to evolve, organizations must adopt a multi-layered security approach that combines strong authentication, monitoring, and proactive vulnerability management.

    About the Author

    Alex Vakulov | cybersecurity researcher

    Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He writes for numerous tech-related publications, sharing his security expertise.

    Sven Loeffler / iStock / Getty Images Plus via Getty Images
    The alleged breach by Salt Typhoon highlights how sophisticated cyber actors are increasingly targeting the intersection of military and state-level networks to quietly gain strategic footholds.
    Credit: imaginima
    Synthetic identity fraud occurs when fraudsters create fictitious identities that can bypass traditional verification systems, such as knowledge-based authentication questions or passwords, by combining real and fabricated personal information.