Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

I recently sat down with Tejpal Garwhal, Application Security and DevSecOps Leader, for a conversation debunking some of the most common API security myths. From zombie endpoints to the limits of WAFS and gateways, we covered what’s really happening on the ground; and what security teams need to do differently. Here’s a quick rundown of the key takeaways, but for the full picture, watch the full webinar.

I’ve seen this story before, and I’m seeing it again. When we founded Salt Security in 2016, APIs already powered the digital economy, Kubernetes started to accelerate the growth of APIs, yet almost nobody was monitoring them. Visibility was near zero, context was missing, and protection was an afterthought. Fast-forward to 2025, and the same blind spot is forming, only bigger. AI agents are no longer just generating content; they are also creating it.

Legislative, regulatory, and advisory bodies the world over are waking up to the importance of API security. Most recently, the UK’s National Cyber Security Centre (NCSC) has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we’ll break down that guidance and explore how Wallarm’s platform can help you align with each one.

In today’s digital-first world, APIs serve as the core infrastructure of modern business. They power mobile applications, facilitate critical cloud integrations, and support digital transformation initiatives. It's therefore understandable that 73% of CISOs consider API security a top or critical concern. However, a recent survey of 300 security leaders uncovers a troubling paradox: a large gap between awareness and action.

AI has officially moved out of the novelty phase. What began with people messing around with LLM-powered GenAI tools for content creation has rapidly evolved into a complex web of agentic AI systems that form a critical part of the modern corporate landscape. However, this transformation has given new life to old threats, transforming the API security landscape all over again.

The US government has taken another significant step towards strengthening cloud security with the release of CISA’s Binding Operational Directive (BOD) 25-01. Aimed at improving the security posture of federal cloud environments, BOD 25-01 mandates robust configuration, visibility, and control across cloud-based services. While the directive doesn’t explicitly name API security, securing modern cloud systems relies on securing APIs - including the ones security teams don’t know about.

APIs are the backbone of modern applications, facilitating seamless communication and data exchange. However, this ubiquity makes them prime targets for cyberattacks. As developers, building robust and secure APIs isn't just a best practice; it's a critical responsibility. This blog post provides a comprehensive API security testing checklist to help you identify and mitigate API vulnerabilities, ensuring your APIs are fortified against evolving threats.