{"id":6416,"date":"2025-06-05T03:35:28","date_gmt":"2025-06-05T03:35:28","guid":{"rendered":"http:\/\/localhost\/?p=6416"},"modified":"2025-06-05T03:35:28","modified_gmt":"2025-06-05T03:35:28","slug":"addressing-api-security-with-nist-sp-800-228","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=6416","title":{"rendered":"Addressing API Security with NIST SP 800-228"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Addressing API Security with NIST SP 800-228<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">WALLARMLAB:53BCC4A3F87237142FB27E77B0B61BC4<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">wallarmlab<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-06-05T06:13:30<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-06-05T06:13:30<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">0.0<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<tr>\n<th 
style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Attack Vector<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\"><\/td>\n<\/tr>\n<\/table>\n<h3>Affected CVEs<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<\/ul>\n<\/div>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nAccording to the Wallarm Q1 2025 ThreatStats report, 70% of all application attacks target APIs. The industry can no longer treat API security as a sidenote; it\u2019s time to treat it as the main event. NIST seems to be on board with this view, releasing the initial public draft of NIST SP 800-228, a set of recommendations for securing APIs. <\/p>\n<p>I recently sat down with AJ Debole, Field CISO at Oracle, for a practical, forward-looking discussion about why API security matters now more than ever \u2013 and how NIST SP 800-228 could be an all-important north star. <\/p>\n<p>## The Context: APIs, Automation, and Attack Velocity<\/p>\n<p>APIs aren\u2019t just an evolution of application architecture; they\u2019re a fundamental shift in how services are built, consumed, and secured. Unlike web applications, APIs are designed for programmatic access. That means the same traits that make them essential for automation \u2013 statefulness, structure, machine readability \u2013 also make them attractive to attackers. <\/p>\n<p>AJ raised an important point in our discussion: APIs lower the technical barrier to entry for offensive security work. You don\u2019t need to manipulate browser traffic or master proxy tooling to fuzz an API; a simple curl command or Python script can be enough. That ease of access makes APIs a high-value target for both automated scanners and more sophisticated actors. <\/p>\n<p>The increasing integration of APIs with AI systems (GenAI agents, in particular) only amplifies this risk. 
These agents interact with APIs autonomously, making decisions and triggering workflows. As a result, API traffic, complexity, and the risk of exposure have grown exponentially. <\/p>\n<p>![](https:\/\/i0.wp.com\/lab.wallarm.com\/wp-content\/uploads\/2025\/05\/AD_4nXdZL9xSekfPeu_06OYQR24XyWBuxSz5JrC_ExiOwPBCD_LrQNxtSuywvcNhHvAVV-WdBnH242E-2szxH6u-NyB83Zu5EXTEXmg9hNbx0WcpVN3TbD4r6X-u_j7-HMVC4yFGeE_fmMXjXVVS6wJzAuQkeyYQatJVOOSJGD5qHpEj6NYA.jpg?w=770&#038;ssl=1)<\/p>\n<p>## What NIST SP 800-228 Brings to the Table<\/p>\n<p>As is typical, NIST didn\u2019t exactly hand us a tidy list of grouped best practices. They released 22 recommended controls. We suggest looking through them yourself, though they can be a bit overwhelming to digest as a whole. So, during the webinar, AJ and I decided to do everyone a favor: we sorted them into seven thematic groups. These are not official categories, but a helpful lens for making sense of what\u2019s there and how to apply it. <\/p>\n<p>### API Specification and Inventory Management <\/p>\n<p>We started with the basics: you can\u2019t protect what you don\u2019t know exists. I pointed out that an up-to-date API inventory and well-defined specifications are foundational. AJ agreed, comparing the situation to old-school NACs. If we struggled to track physical devices, she said, tracking fast-moving, ephemeral APIs is going to be even tougher. Still, it\u2019s essential to prevent shadow APIs from becoming low-hanging fruit. <\/p>\n<p>### Schema Validation and Input Handling<\/p>\n<p>Once you know what\u2019s there, you need to validate what\u2019s coming through it. I talked about the importance of enforcing request\/response schemas at runtime, and AJ shared a great example of a researcher exploiting a crypto exchange \u2013 not by changing the price, but by swapping out a token type the API didn\u2019t properly validate. It\u2019s a perfect illustration of why schema enforcement matters beyond the obvious inputs. 
<\/p>\n<p>### Authentication and Authorization <\/p>\n<p>We both agreed: while authN has improved thanks to SSO and OAuth, authZ remains a mess. AJ put it bluntly: many APIs still let users \u201cjust say they\u2019re an admin,\u201d with no real checks. I added that these kinds of failures often go undetected; they don\u2019t crash systems or encrypt files, they quietly leak data. That\u2019s precisely why NIST calls for field- and method-level access controls, not just basic endpoint restrictions.<\/p>\n<p>### Sensitive Data Identification and Protection<\/p>\n<p>Sensitive data isn\u2019t just PII. AJ told a story about a company that accidentally exposed its cyber insurance policy online \u2013 which included the ransomware payout limit. That was all the attackers needed to ask for just the right amount of ransom. I emphasized that detecting and classifying data flowing through APIs, then enforcing policy around it, needs to go beyond simple patterns or keywords. <\/p>\n<p>### Access Control Hygiene and Request Flow <\/p>\n<p>Here, we focused on hardening API behavior, especially in the case of compromised tokens or abnormal usage. I highlighted the recommendation to block specific keys or users on demand, and AJ pointed out that while that sounds straightforward, many organizations don\u2019t yet have the tooling or processes to do it fast enough. NIST is clearly nudging the industry towards more mature, real-time response capabilities. <\/p>\n<p>### Rate Limiting and Abuse Prevention<\/p>\n<p>APIs don\u2019t just present availability risks; they can hit your wallet, too. AJ mentioned how attackers in cloud environments rack up massive bills by spinning up compute resources, and I noted it\u2019s the same with LLMs or other metered APIs. NIST recommends granular rate limits, not just per endpoint, but by method, user, or field \u2013 wherever abuse could occur. <\/p>\n<p>### Logging and Observability<\/p>\n<p>Finally, we talked about observability. 
AJ made a strong point: having logs is one thing, but being able to respond is what counts. \u201cDo you know what token was abused? Can you actually shut it down?\u201d she asked. I agreed \u2013 without operational muscle and cross-team coordination, logs are just noise. NIST rightly includes visibility, but the real power comes when you tie that visibility to action. <\/p>\n<p>## Where Wallarm Fits In<\/p>\n<p>Wallarm aligns with NIST SP 800-228: it provides direct API security controls (discovery, schema enforcement), validates API conformance (detecting non-compliant requests), and supports other security controls (identifying broken authentication, classifying sensitive data). <\/p>\n<p>Our platform auto-discovers and inventories APIs, generates OpenAPI specs from live traffic to identify drift and shadow endpoints, and enforces schema validation. We also detect critical risks like broken authentication, exposed secrets, and BOLA, while surfacing sensitive data for policy enforcement and redaction. Additionally, Wallarm offers granular rate limiting and provides full traffic context for a complete attack narrative. <\/p>\n<p>Want to find out more about NIST SP 800-228 and how Wallarm can help you comply? 
Check out the full webinar with me and AJ.<\/p>\n<p>The post Addressing API Security with NIST SP 800-228 appeared first on Wallarm.\n<\/p><\/div>\n<p><a href=\"https:\/\/lab.wallarm.com\/addressing-api-security-with-nist-sp-800-228\/\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title Addressing API Security with NIST SP 800-228 Update ID WALLARMLAB:53BCC4A3F87237142FB27E77B0B61BC4 Type wallarmlab Published 2025-06-05T06:13:30 Last Updated 2025-06-05T06:13:30 Security Impact&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,7,11,5,105],"class_list":["post-6416","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Addressing API Security with NIST SP 800-228 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=6416\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Addressing API Security with NIST SP 800-228 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Addressing API Security with NIST SP 800-228 Update ID WALLARMLAB:53BCC4A3F87237142FB27E77B0B61BC4 Type wallarmlab Published 
2025-06-05T06:13:30 Last Updated 2025-06-05T06:13:30 Security Impact...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=6416\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-06-05T03:35:28+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6416#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6416\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Addressing API Security with NIST SP 800-228\",\"datePublished\":\"2025-06-05T03:35:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6416\"},\"wordCount\":1074,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\",\"wallarmlab\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6416#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6416\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6416\",\"name\":\"Addressing API Security with NIST SP 800-228 - zero 
redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-06-05T03:35:28+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6416#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6416\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6416#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Addressing API Security with NIST SP 800-228\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Addressing API Security with NIST SP 800-228 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=6416","og_locale":"en_US","og_type":"article","og_title":"Addressing API Security with NIST SP 800-228 - zero redgem","og_description":"Security Update News Update Information Title Addressing API Security with NIST SP 800-228 Update ID WALLARMLAB:53BCC4A3F87237142FB27E77B0B61BC4 Type wallarmlab Published 2025-06-05T06:13:30 Last Updated 2025-06-05T06:13:30 Security Impact...","og_url":"https:\/\/zero.redgem.net\/?p=6416","og_site_name":"zero redgem","article_published_time":"2025-06-05T03:35:28+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=6416#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=6416"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Addressing API Security with NIST SP 800-228","datePublished":"2025-06-05T03:35:28+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=6416"},"wordCount":1074,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","Security","tapic","Vulnerability","wallarmlab"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=6416#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=6416","url":"https:\/\/zero.redgem.net\/?p=6416","name":"Addressing API Security with NIST SP 800-228 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-06-05T03:35:28+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=6416#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=6416"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=6416#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Addressing API Security with NIST SP 800-228"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6416"}],"version-history":[{"count":0,"href":"https
:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6416\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}