Page 155 - Cyber Defense eMagazine September 2025
P. 155
A Checklist for API Security for Developers
When releasing an API, consider the following:
• Is there a published OpenAPI specification for it?
• Does it have an API gateway integrated?
• Are rate limits and auth enforced?
• Is it observed during production?
• Do we have a plan in place to retire deprecated APIs?
You might have just created tomorrow's shadow API if any of these questions have a "no" response.
New Instruments and Methods
The industry is catching up, which is good news:
• Service Meshes (Istio, Linkerd): Provide telemetry and authentication at the API level without
requiring code modifications.
• AI-Driven Discovery: Machine learning is now used by tools to map API traffic patterns and
identify irregularities.
• Continuous Validation: API security checks are now natively integrated into Jenkins pipelines,
GitLab CI, and GitHub Actions.
• SBOM for APIs: Similar to software bill of materials (SBOM), some businesses are requesting
an API BOM in order to monitor deployments.
The Business Case: The Importance of CISOs and CTOs
Shadow APIs pose a risk at the board level in addition to being a pain for developers:
• Regulatory Impact: PII leaks from exposed APIs are against the CCPA, GDPR, and HIPAA.
• Reputation Damage: Overnight, consumer trust is undermined by a single shadow API breach.
• Operational Cost: Proactive governance is far less expensive than post-breach forensic
investigations.
The takeaway for CISOs is unmistakable: API security is now a strategic business risk rather than a
subdomain of app security.
Cyber Defense eMagazine – September 2025 Edition 155
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.
