API Security
Articles and resources about API Security
19 posts in this category
Security Best Practices for API Governance
API governance refers to the policies, standards, and processes that guide how APIs are built, managed, and secured.
Top API Security Solutions (and how to choose the right one)
In this article, we'll break down what capabilities a strong API security tool needs to have and look at different categories of API security solutions, plus examples.
What is API Security?
API security encompasses the strategies, procedures, and solutions employed to defend APIs against threats, vulnerabilities, and unauthorized intrusion.
API discovery: How it works + best practices
API discovery is the process of finding, mapping, and cataloging every single API across your entire digital estate, including your public-facing cloud accounts and your on-premises data centers.
What is API attack surface management?
API attack surface management is the discovery, inventory, analysis, and continuous monitoring of every API in an organization's cloud environment, so that points of exposure that could lead to a breach can be identified and mitigated.
API Security Checklist 2025: OWASP-Aligned, Code-to-Cloud Best Practices
An API checklist serves as a framework to help your security team systematically detect and tackle threats and vulnerabilities throughout the API lifecycle. Its end goal? To strengthen your overall security posture by standardizing API security efforts.
How to mitigate API security risks & vulnerabilities in 2025 (and beyond)
API security risks are the complete spectrum of threats targeting application programming interfaces (APIs), including technical vulnerabilities, misconfigurations, and business logic flaws.
What are API attacks?
API attacks are attempts to exploit weaknesses in application programming interfaces – the connectors that let software systems communicate and exchange data.
What is API drift and how do you prevent it?
API drift occurs when APIs in production diverge from their documented specifications.
REST API security: Best practices, risks, and tools
REST API security is the combination of technologies and practices used to safeguard RESTful endpoints from attacks, such as unauthorized access, exploitation, and abuse.
What is an API Catalog?
An API catalog is a foundation for protecting your organization from API risks: it surfaces hidden routes, weak authentication, and sensitive data exposure, giving the rest of your security controls an accurate inventory to anchor to.
API Abuse: How to Defend & Prevent Risk
API abuse is the intentional misuse of API functionality in order to bypass security controls, extract unauthorized data, or disrupt services.
Zombie APIs: A hidden security risk
Zombie APIs are API endpoints that remain operational despite lacking ongoing maintenance or official support.
Top API Vulnerabilities: How to Detect, Prioritize, and Prevent Real-World Risk
Application programming interfaces (APIs) enable communication between services, applications, and data systems—powering everything from mobile apps to large-scale enterprise platforms.
Top 9 OSS API Security Tools
A guide to nine open-source (OSS) API security tools that help protect sensitive data, infrastructure, and business logic from unauthorized access, data theft, and other attacks.
OWASP API Security Top 10 Risks
The OWASP API Security Project offers software developers and cloud security practitioners guidance on preventing, identifying, and remediating the most critical security risks facing application programming interfaces (APIs).
API Security: Best Practices for Safer Cloud Security
11 essential API security best practices that every organization should start with
What is a shadow API? Security risks, detection, and prevention explained
Effective shadow API security requires continuous discovery, runtime context, and code-to-cloud visibility to identify unsanctioned APIs before they're exploited by attackers.
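The drift, zombie, and shadow API entries above all come down to the same check: compare what the specification documents against what is actually observed on the wire. The following is an added example (not code from any of the listed articles) showing that comparison in Python. It assumes a minimal OpenAPI-like inventory (only the `paths` map, with `{param}` path templates) and a handful of constructed access-log lines; both are embedded inline. Observed requests that match no documented path are flagged as shadow endpoints, requests whose path is documented but whose method is not are flagged as method drift, and documented operations that never appear in the traffic are listed as candidates for zombie review.

```python
import re
from collections import Counter
from typing import Dict, List, Pattern, Tuple

# Constructed, minimal OpenAPI-style inventory (assumption: only the "paths" map is used).
SPEC = {
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}, "delete": {}},
        "/orders/{id}": {"get": {}},
    }
}

# Constructed access-log lines in a common-log-style layout (assumption, not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /users HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /users/42 HTTP/1.1" 200 128',
    '10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "PATCH /users/42 HTTP/1.1" 200 96',
    '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /v1/internal/debug HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /users/42/export?fmt=csv HTTP/1.1" 200 8192',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')

Operation = Tuple[str, str, Pattern[str]]  # (METHOD, template, compiled matcher)


def template_to_regex(template: str) -> Pattern[str]:
    """Turn an OpenAPI path template such as /users/{id} into an anchored regex.
    Each {param} segment matches exactly one non-empty path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def documented_operations(spec: Dict) -> List[Operation]:
    """Flatten the spec into (METHOD, template, regex) triples."""
    ops: List[Operation] = []
    for template, methods in spec["paths"].items():
        rx = template_to_regex(template)
        for method in methods:
            ops.append((method.upper(), template, rx))
    return ops


def parse_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Extract (METHOD, path) pairs; the query string is dropped so it does
    not create spurious 'new' endpoints."""
    observed = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a request line
        path = m.group("path").split("?", 1)[0]
        observed.append((m.group("method"), path))
    return observed


def classify(spec: Dict, lines: List[str]) -> Dict:
    """Compare documented operations with observed traffic.

    documented_hits: (METHOD, template) -> count of matching requests
    method_drift:    (METHOD, template) -> requests whose path is documented
                     but whose method is not in the spec for that path
    shadow:          (METHOD, concrete path) -> requests matching no template
    unexercised:     documented operations never seen in the traffic sample
                     (zombie-API candidates when the window is long enough)
    """
    ops = documented_operations(spec)
    hits: Counter = Counter()
    method_drift: Counter = Counter()
    shadow: Counter = Counter()
    for method, path in parse_log(lines):
        matching_templates = sorted({t for _, t, rx in ops if rx.match(path)})
        if not matching_templates:
            shadow[(method, path)] += 1
            continue
        documented = [t for m, t, rx in ops if m == method and rx.match(path)]
        if documented:
            hits[(method, documented[0])] += 1
        else:
            method_drift[(method, matching_templates[0])] += 1
    unexercised = sorted((m, t) for m, t, _ in ops if (m, t) not in hits)
    return {
        "documented_hits": dict(hits),
        "method_drift": dict(method_drift),
        "shadow": dict(shadow),
        "unexercised": unexercised,
    }


if __name__ == "__main__":
    for bucket, entries in classify(SPEC, LOG_LINES).items():
        print(bucket, entries)
```

On the constructed sample, `/v1/internal/debug` and `/users/42/export` surface as shadow endpoints, `PATCH /users/42` as method drift on a documented path, and `POST /users`, `DELETE /users/{id}` and `GET /orders/{id}` as unexercised. The "unexercised" bucket is only meaningful over a traffic window long enough to cover legitimate low-frequency use; five log lines cannot distinguish a zombie from a rarely called endpoint, so treat that list as a review queue rather than a verdict.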
Broken API authentication: Cloud security risks explained
Broken API authentication is an API security risk that occurs when an API fails to properly verify the identity of the caller behind a request.