
Blog Post

API Security for Dummies — and Smart People Too!

Michelle McLean
Oct 29, 2021

APIs have dramatically altered the application attack surface, so lots of organizations and security teams are now focused on API security. As part of our continuing mission here at Salt to educate the broader industry, our technical evangelist, Michael Isbitski, put pen to paper (well, OK, fingers to keyboard) to provide a comprehensive overview of the challenges and best practices in API security.

In this “API Security for Dummies” eBook, Michael takes care to bring everyone — from novices to very technical app sec professionals — along on the journey of understanding APIs themselves, how API attacks differ from application attacks, why APIs make such attractive targets, and how organizations can better protect themselves from the sophisticated bad actors focused on hacking or abusing APIs. To craft this educational tome, Michael draws on his five years of helping thousands of Gartner clients implement application security as well as his decades of hands-on experience running application security teams.

With Gartner having recently updated its security reference architecture to create a separate pillar for API security — distinct from WAFs, Web Application and API Protection, and API gateways — the industry is increasing its understanding that APIs spawn unique attacks and need unique protections. Companies are using more APIs than ever, those APIs are more functional than ever, and teams are updating them more frequently than ever — so the attack surface is much bigger and always changing. The old tools simply cannot protect you, because they can’t detect the probing and reconnaissance activities of bad actors who have to learn your APIs so they can understand how to attack them.


It’s important to understand this limitation isn’t temporary. WAFs and API gateways are architecturally constrained — they see transactions only one at a time and apply pre-set rules and signatures to decide whether to allow or block a given transaction. They’ll never be able to gather and correlate the activity across all APIs and users, over time, to detect an API attack.
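To make the single-transaction limitation concrete, here is a small added illustration (written for this post; it is not code from the eBook or from Salt’s platform, and the log lines are constructed): a per-request rule and a per-IP threshold both stay silent on a low-and-slow credential-stuffing run, while a check that correlates failed logins across users, IPs and time flags it.

```python
from collections import Counter
from datetime import datetime

# Constructed sample access log: a low-and-slow credential-stuffing run, one
# attempt per source IP, so no single request or single IP looks abnormal.
LOG = """\
2021-10-29T10:00:01 203.0.113.5 POST /v1/login user=alice status=401
2021-10-29T10:00:04 203.0.113.9 POST /v1/login user=bob status=401
2021-10-29T10:00:09 198.51.100.2 POST /v1/login user=carol status=401
2021-10-29T10:00:15 198.51.100.7 POST /v1/login user=dave status=401
2021-10-29T10:00:22 203.0.113.31 POST /v1/login user=erin status=401
2021-10-29T10:00:30 192.0.2.10 POST /v1/login user=frank status=200
2021-10-29T10:00:41 203.0.113.44 POST /v1/login user=grace status=401
2021-10-29T10:00:50 192.0.2.10 GET /v1/account/me user=frank status=200
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, ip, method, path, user, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
                       "path": path, "user": user.split("=")[1],
                       "status": int(status.split("=")[1])})
    return events

def per_request_rule(ev):
    """WAF-style check: sees one transaction and matches a fixed pattern."""
    return ev["method"] not in ("GET", "POST") or "'" in ev["path"] or ".." in ev["path"]

def stateless_alerts(events):
    return [e for e in events if per_request_rule(e)]

def max_failures_per_ip(events):
    """A per-IP threshold also stays quiet: every IP in the sample fails at most once."""
    return max(Counter(e["ip"] for e in events if e["status"] == 401).values(), default=0)

def correlate_login_failures(events, window_s=60, min_failures=5, min_ips=3):
    """Stateful check: correlates failed logins across users and IPs over a time window."""
    fails = sorted((e for e in events if e["path"] == "/v1/login" and e["status"] == 401),
                   key=lambda e: e["ts"])
    for i, first in enumerate(fails):
        window = [e for e in fails[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
        ips, users = {e["ip"] for e in window}, {e["user"] for e in window}
        if len(window) >= min_failures and len(ips) >= min_ips:
            return [{"start": first["ts"].isoformat(), "failures": len(window),
                     "distinct_ips": len(ips), "distinct_users": len(users)}]
    return []
```

The thresholds and window are illustrative assumptions; the point is that the correlated view needs state across many transactions, which a per-transaction filter never holds.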

Michael’s guide provides the critical insights you need to educate yourself and your organization as to how and why the world has changed, and why additional protections are needed. Everyone — dummy and smarty alike — will benefit from the explanations he provides on:

  • what APIs are — including common types, protocols, and their role in modern app design
  • laying the foundation for securing APIs — including documentation, schema definitions and validation, API testing and mediation, the use of proxies, and API management
  • understanding API attacks — including tapping front-end applications; the connection to digital supply chains; the OWASP API Top 10; and a profile of the most common attacks such as credential stuffing, brute force, account takeover, and scraping
  • API security best practices — including the critical role that architecture plays; what to look for in an API security platform; and the need for automatic discovery, data classification, runtime protection, pre-prod scanning and testing, and remediation to protect APIs across their full lifecycle

Michael’s “API Security for Dummies” book wraps with 10 steps you can follow to improve your API security — the kind of practical advice you can put to use today.

The whole point of using APIs is to share valuable data and interconnect services — it’s what they’re built to do. So it’s no surprise that APIs are now the top application attack vector. If your organization is applying yesterday’s protections and hoping they’ll protect against today’s attacks, they’re just waiting to be the next headline. Use this Dummies guide to bring intelligence to your API security strategy.

If you’re interested in seeing the Salt Security API Protection Platform in action, contact us for a customized demo today!

