The Top 5 Myths in API Security

Jennifer Dignum
Apr 12, 2022

CISOs know technology change is constant and never-ending, just like taxes. Benjamin Franklin's famous line, "Nothing is certain but death and taxes," overlooked this third certainty. In fact, technology began evolving well before taxes: the wheel was invented around the 4th millennium BC, whereas organized taxation did not appear until about a thousand years later.

Like taxes, technology change can cause FUD: fear, uncertainty, and doubt. CISOs realize that if they don't keep up with technology advancements, they place the organization at risk. With the growth of APIs, the attack surface has expanded, and so has API attack traffic.

According to the latest Salt Labs State of API Security report, 95% of organizations have experienced an API security incident in the past 12 months. In addition, numerous companies have suffered public API incidents over the past year, including Facebook, Experian, Starbucks, and Peloton. Clearly, the current crop of application security techniques is not sufficient for protecting APIs from breaches.

To correct this situation, security leaders must take a close look at how they currently think about API security. In our new, complimentary white paper, Salt Security describes and analyzes the top misconceptions we have found people often have about their API security. The paper answers questions such as:

  • Why can’t zero trust architecture protect my APIs?
  • Do my cloud service provider’s security offerings protect my APIs?
  • What are the API security pitfalls to be aware of with WAFs and API gateways?
  • Can workload protection secure APIs?
  • How much security do developers build into APIs?

Learn top API security misconceptions that might be putting your critical data and services at risk.

Why can’t zero trust architecture protect my APIs?

APIs need to be reachable to function, while the goal of zero trust is to restrict reachability. Zero trust breaks down when applied to APIs because most APIs are designed to be consumed by the broader internet, a large customer base, or partners, so the perimeter that zero trust tightens is one the API must deliberately open. Moreover, many zero trust network access (ZTNA) offerings rely on a user completing 2FA before a session is allowed. API calls are typically machine-to-machine, so there is no interactive user to challenge, and a caller holding a valid token passes the ZTNA check regardless of what it then does with the API. That technique does not work for controlling direct API communication.

Do my cloud service provider’s security offerings protect my APIs?

Some cloud providers offer tools such as API management and API gateways, but these point products do not deliver the level of protection enterprises need for APIs. Their security capabilities at the application and API layer are limited, so APIs that rely only on cloud provider tools are underprotected. Also worth remembering: because APIs are application logic, the shared responsibility model places ultimate responsibility for protecting them on the cloud customer, not the provider.

What are the API security pitfalls to be aware of with WAFs and API gateways?

WAFs and API gateways were not designed to provide the visibility and security controls needed to protect APIs. A WAF inspects each request in isolation against known attack signatures, and a gateway handles authentication, routing, and rate limiting. Neither can detect certain malicious behaviors, for example when an attacker with valid credentials bypasses access controls or harvests keys and tokens, because each of those requests is individually well-formed. They also miss many API-specific problems such as business logic abuse and authorization exploits, which only become visible when behavior is correlated across requests and judged against the API's intended logic.

Can workload protection secure APIs?

Workload security solutions provide infrastructure-level protection, for example ensuring you are not running workloads on a vulnerable software version, and they can block access to a workload from external users. However, they have no API- or application-level context, so they cannot provide visibility into your APIs.

How much security do developers build into APIs?

Be aware that shift-left investment doesn't mean security will be baked into every API by your development groups. Developer testing tools, while valuable, can't identify all vulnerabilities. Many security issues can't be spotted by automated design, development, and build scans with common security analysis and testing tools: a scanner sees syntactically valid code and cannot tell which objects a given caller should be allowed to read, so the APIs need to be exercised with realistic callers to spot business logic flaws.
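The authorization gap described here and in the WAF and gateway section above is easiest to see in code. The following is an added illustration, not code from this post or from Salt Security: a constructed in-memory "invoice API" with a vulnerable handler that trusts the object id in the URL (broken object level authorization), a hardened handler that binds the lookup to the authenticated caller, and a small signature-style check standing in for a WAF. The invoice data, session tokens, paths, and signature patterns are all made up for the demo.

```python
"""Constructed BOLA demo: why a valid-looking request can still be an attack.

Not Salt Security code. The data, tokens, paths and WAF-style patterns
below are illustrative stand-ins.
"""
import re
from dataclasses import dataclass

# Constructed sample data: two tenants, one invoice each.
INVOICES = {
    101: {"owner": "alice", "total": 120.00, "memo": "alice's invoice"},
    102: {"owner": "bob", "total": 999.99, "memo": "bob's invoice"},
}

# Constructed session table: opaque bearer token -> authenticated user.
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict


def authenticate(req: Request):
    """Return the caller's user id, or None if the bearer token is unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def parse_invoice_id(path: str):
    """Extract the numeric id from /api/invoices/<id>, or None."""
    m = re.fullmatch(r"/api/invoices/(\d+)", path)
    return int(m.group(1)) if m else None


def get_invoice_vulnerable(req: Request):
    """Authenticates the caller, then trusts the id in the URL: classic BOLA."""
    user = authenticate(req)
    if user is None:
        return 401, {"error": "unauthenticated"}
    inv = INVOICES.get(parse_invoice_id(req.path))
    if inv is None:
        return 404, {"error": "not found"}
    return 200, inv


def get_invoice_hardened(req: Request):
    """Same lookup plus an ownership check bound to the authenticated caller.

    Foreign ids get 404 rather than 403 so the API does not confirm that the
    object exists (which would hand an attacker an enumeration oracle).
    """
    user = authenticate(req)
    if user is None:
        return 401, {"error": "unauthenticated"}
    inv = INVOICES.get(parse_invoice_id(req.path))
    if inv is None or inv["owner"] != user:
        return 404, {"error": "not found"}
    return 200, inv


# Constructed stand-in for WAF rules: generic injection patterns of the kind
# a WAF matches against each request in isolation.
WAF_SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"<script"),
    re.compile(r"\.\./"),
    re.compile(r"(?i);\s*(cat|ls|wget|curl)\b"),
]


def waf_allows(req: Request) -> bool:
    """Allow unless a known attack pattern appears in the path or headers."""
    surface = req.path + " " + " ".join(req.headers.values())
    return not any(sig.search(surface) for sig in WAF_SIGNATURES)


def alice_reads_bobs_invoice() -> dict:
    """Alice, authenticated as herself, asks for Bob's invoice id."""
    req = Request("GET", "/api/invoices/102", {"Authorization": "Bearer tok-alice-7f3a"})
    return {
        "waf_allows": waf_allows(req),
        "vulnerable": get_invoice_vulnerable(req),
        "hardened": get_invoice_hardened(req),
    }


if __name__ == "__main__":
    result = alice_reads_bobs_invoice()
    print("WAF allows request:", result["waf_allows"])
    print("vulnerable handler:", result["vulnerable"])
    print("hardened handler:  ", result["hardened"])
```

The request Alice sends is a plain `GET` with a valid token and a well-formed path, so the signature check passes it and the vulnerable handler returns Bob's invoice. Nothing in the single request is malformed; the flaw is only visible when you know who the caller is and which objects belong to them, which is exactly the context a WAF, a gateway, or a static scan does not have. The hardened handler makes the ownership check part of the lookup itself rather than a separate step that can be forgotten.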

Internal digitalization initiatives, mobile applications, and web-based services all contribute to the increased usage of APIs. The way companies protected a handful of APIs in the past doesn't work when you are rapidly building dozens or hundreds of them.

You never know. Maybe someday, taxes won’t be a certainty, but technology will certainly continue to evolve and progress.

Salt Security pioneered the industry’s first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. If you’d like to learn how we can help you to secure your organization’s critical APIs, we invite you to a personalized demo of the award-winning Salt Security API Protection Platform.
