API Security Best Practices


Context-based security for all your APIs

Only Salt delivers the context you need to protect your APIs across the build, deploy, and runtime phases. We combine complete coverage with an ML/AI-driven big data engine to provide that context: it shows you all your APIs, stops attackers during the early stages of an attempted attack, and shares insights to improve your API security posture.

The Salt approach

Salt deploys in minutes and automatically discovers all your APIs and where they expose data, pinpoints and blocks attackers, and provides remediation insights for dev teams.

Our advantages derive from our C-3A Context-based API Analysis Architecture – with coverage across all your app environments and our big data engine powered by our time-tested ML and AI algorithms.

After evaluating multiple API security platforms, we found that only Salt Security had an architecture that could deploy in any of our environments, identify all our APIs, and recognize and block attackers before they could do any damage.

Nir Valtman, head of product and data security

The Salt architectural advantage

Complete coverage

We collect all your API traffic – across load balancers, API gateways, WAFs, Kubernetes clusters, cloud VPCs, and app servers – to dynamically provide a full inventory. We deploy with no app or network changes and require no configuration or tuning.

AI-powered big data engine

Every one of your APIs is unique. Salt applies ML and AI in our big data engine to baseline your APIs and isolate anomalous behavior, differentiating between changes to APIs and malicious activity. By applying the context we learn, we can avoid false positives.

Context-based analysis

Salt combines our complete coverage and big data engine to discover all your APIs, see the sensitive data they expose, find and stop attackers, and capture insights for development teams to improve your API security posture.

Why WAFs and API Gateways can't protect you

WAFs and API gateways detect attacks that leverage known vulnerabilities (think SQL injection, cross-site scripting). They see traffic one transaction at a time, in isolation. API attacks are different – they target vulnerabilities in your business logic, and attackers must probe your APIs over many requests to discover these zero-day vulnerabilities. Finding and stopping API attacks therefore requires context accumulated over time – context that WAFs and API gateways simply don't have (think a single frame vs. a movie).

The OWASP API Top 10 catalogs the most common API attacks. Salt knows what every user did an hour ago, a day ago, a week ago – and we have a baseline of what’s normal for your APIs. We use this context to find and stop API attacks. Check out our API attack video to see the difference in action.
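As an added illustration of the single-frame vs. movie distinction above (example code written for this page, not Salt's platform; the log lines, the toy signature list and the thresholds are constructed assumptions), the stateless check judges each request alone, while the stateful check keeps a per-user history and flags one principal reading many distinct objects in a short window, the probing pattern behind BOLA:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, user, method, path, status.
SAMPLE_LOG = """\
2024-01-01T10:00:00 alice GET /api/users/1001 200
2024-01-01T10:00:05 alice GET /api/users/1002 200
2024-01-01T10:00:09 alice GET /api/users/1003 200
2024-01-01T10:00:12 alice GET /api/users/1004 200
2024-01-01T10:00:15 alice GET /api/users/1005 200
2024-01-01T10:00:40 bob GET /api/users/2001 200
2024-01-01T10:05:00 bob GET /api/users/2001 200
2024-01-01T10:06:00 carol GET /api/users/3001<script> 400
"""

OBJECT_PATH = re.compile(r"^/api/users/(\d+)$")   # object-level endpoint
SIGNATURES = ("'", "<script")                     # toy WAF-style signatures

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, method, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "method": method, "path": path, "status": int(status)})
    return events

def stateless_alerts(events):
    """Single frame: each request is judged alone against known-bad patterns."""
    return [e["user"] for e in events
            if any(sig in e["path"].lower() for sig in SIGNATURES)]

def stateful_alerts(events, window=timedelta(minutes=1), threshold=5):
    """Movie: per-user history of object IDs touched within `window`.
    Every request here is well formed and returns 200, yet one user walking
    many distinct IDs in a short window is the signal a WAF cannot see."""
    history = defaultdict(deque)          # user -> deque of (ts, object_id)
    flagged = []
    for ev in sorted(events, key=lambda x: x["ts"]):
        m = OBJECT_PATH.match(ev["path"])
        if not m:
            continue
        q = history[ev["user"]]
        q.append((ev["ts"], m.group(1)))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                   # drop entries older than the window
        if len({oid for _, oid in q}) >= threshold and ev["user"] not in flagged:
            flagged.append(ev["user"])
    return flagged
```

On the constructed log, the stateless check flags only carol's malformed request, while the stateful check flags alice, whose individual requests all look legitimate; real thresholds would come from a learned per-API baseline rather than a fixed constant.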

API Security Top 10 Threats

A1:2019 - Broken Object Level Authorization

A2:2019 - Broken Authentication

A3:2019 - Excessive Data Exposure

A4:2019 - Lack of Resources & Rate Limiting

A5:2019 - Broken Function Level Authorization

A6:2019 - Mass Assignment

A7:2019 - Security Misconfiguration

A8:2019 - Injection

A9:2019 - Improper Assets Management

A10:2019 - Insufficient Logging & Monitoring
