{"id":9405,"date":"2025-07-31T07:53:06","date_gmt":"2025-07-31T07:53:06","guid":{"rendered":"http:\/\/localhost\/?p=9405"},"modified":"2025-07-31T07:53:06","modified_gmt":"2025-07-31T07:53:06","slug":"debunking-api-security-myths","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=9405","title":{"rendered":"Debunking API Security Myths"},"content":{"rendered":"<h2>Security Update News<\/h2>\n<h3>Update Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">Debunking API Security Myths<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Update ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">WALLARMLAB:F55BF056C466A4450CE8477558E41E03<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">wallarmlab<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-31T11:00:51<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Last Updated<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-07-31T11:00:51<\/td>\n<\/tr>\n<\/table>\n<h3>Security Impact<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #666666; font-weight: bold;\">NONE<\/td>\n<\/tr>\n<\/table>\n<h3>Update Details<\/h3>\n<div style=\"; padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nI recently sat down with Tejpal Garwhal, Application Security and DevSecOps Leader, for a conversation 
debunking some of the most common API security myths. From zombie endpoints to the limits of WAFs and gateways, we covered what\u2019s really happening on the ground, and what security teams need to do differently. Here\u2019s a quick rundown of the key takeaways, but for the full picture, watch the full webinar. <\/p>\n<p>## Myth 1: \u201cWe Know What APIs We Have\u201d<\/p>\n<p>This was the first and most persistent myth we tackled. Most teams assume that if they\u2019ve deployed APIs, they must know what exists in their environment. But the reality is very different. <\/p>\n<p>Tejpal pointed out how API sprawl often happens without anyone noticing. Developers build and deploy endpoints on short timelines, documentation lags behind, and different teams might assume someone else is keeping track. In practice, no single group holds a full view of the API inventory. <\/p>\n<p>![](https:\/\/i0.wp.com\/lab.wallarm.com\/wp-content\/uploads\/2025\/07\/img.png?resize=770%2C613&#038;ssl=1)<\/p>\n<p>Worse, many rely on API gateways or management platforms as their source of truth, but those tools only track what\u2019s been routed through them. They won\u2019t catch endpoints deployed ad hoc or legacy APIs left behind in codebases long forgotten. <\/p>\n<p>We agreed: without complete visibility, securing APIs is guesswork. <\/p>\n<p>## Myth 2: \u201cOur APIs Don\u2019t Expose Sensitive Data\u201d<\/p>\n<p>Often, Tejpal and I hear that encryption solves the data exposure problem. As long as you\u2019re using HTTPS, the assumption goes, everything\u2019s safe. However, as we discussed, encryption in transit or at rest doesn\u2019t address who can access the data or how it\u2019s exposed through business logic. <\/p>\n<p>Tejpal highlighted how developers often over-share by default. Without strict design boundaries, APIs tend to return full data objects rather than minimal fields. 
Couple that with poor access control or logging that includes sensitive details, and you have a silent liability. <\/p>\n<p>In one example we discussed, an organization believed they were secure because its web UI had strong controls. Behind the scenes, however, the underlying APIs still allowed unauthenticated access. It\u2019s a common disconnect. APIs don\u2019t need to be visible to be vulnerable. <\/p>\n<p>## Myth 3: \u201cOur WAF and Gateway Cover API Security\u201d<\/p>\n<p>We\u2019ve both seen this myth cause problems. It\u2019s based on a misunderstanding of what traditional tools actually do.<\/p>\n<p>A WAF, for example, can detect basic injection attacks, but it often struggles with API protocols like GraphQL and gRPC, or when requests are deeply nested or batched. Similarly, API gateways can manage authentication and routing, but they aren\u2019t designed to parse and inspect request logic or flag business abuse. <\/p>\n<p>In short, these tools serve important functions, but weren\u2019t built to detect the kinds of threats we now routinely see in API traffic, like Broken Object Level Authorization (BOLA), zombie endpoints, or agent-triggered scraping. Ultimately, relying on WAFs and gateways alone creates a dangerous false sense of coverage. <\/p>\n<p>## Myth 4: \u201cDetection is the Same as Prevention\u201d<\/p>\n<p>This is where our conversation turned toward operations. Detection is essential, but it\u2019s not enough. Simply knowing about an attack doesn\u2019t reduce risk; blocking it does. And alerts without action are just noise. <\/p>\n<p>Tejpal emphasized how many organizations have tools that generate impressive-looking reports but lack the workflows or coverage to intervene at the moment of attack. By the time a detection is triaged, the damage might already be done. <\/p>\n<p>We talked about the need for real-time blocking, not just alerting. 
Especially considering automated bots and AI agents are probing APIs at scale, modern defenders can\u2019t afford to just react; they have to prevent. <\/p>\n<p>## Myth 5: \u201cSecurity Testing Tools Are Enough\u201d<\/p>\n<p>While testing plays an important role, it\u2019s only one part of a broader lifecycle. You can\u2019t scan your way to a secure deployment. <\/p>\n<p>We both agreed that security needs to shift left. Organizations need to incorporate threat modelling into design and validate security contracts before APIs go live. But we also stressed a concept that often gets overlooked: shielding right. Even if you build secure APIs, attackers don\u2019t stop trying. You need runtime protection that adapts to what\u2019s happening now.<\/p>\n<p>## What Modern API Security Actually Requires<\/p>\n<p>So, that begs the question: what does API security actually require? We\u2019ve debunked the myths; now it\u2019s time to reveal the truths. Here are six foundational principles that Tejpal and I think every organization should anchor their API security program on: <\/p>\n<p>  * **Full Discovery:** Know all your APIs, not just the ones in the gateway<br \/>  * **Data-Centric Risk Modeling:** Understand what each endpoint exposes and who should access it<br \/>  * **Behavioral Detection:** Spot abuse based on how APIs are used, not just known signatures<br \/>  * **Real-Time Blocking:** Alerting is too late if attackers are already inside<br \/>  * **Scalability and Context:** Defenses must operate at the speed of DevOps and understand semantic context, especially in AI-driven environments<br \/>  * **Business Alignment:** Secure the APIs that tie directly to revenue or critical operations first. <\/p>\n<p>One point that stuck with us was the idea that many API security strategies still operate as technical exercises, isolated from the business. But if an API powers payment, inventory, or customer data, it _is_ the business. 
Security decisions must reflect that fact. <\/p>\n<p># Ready to Go Deeper? <\/p>\n<p>However, this blog just scratches the surface of our conversation. If any of this resonates, I encourage you to watch the full conversation. We cover real-world breaches, demo examples of overlooked risk, and walk through a modern strategy that aligns Dev, Sec, and Ops around a shared threat model. Watch the webinar here.<\/p>\n<p>The post Debunking API Security Myths appeared first on Wallarm.\n<\/p><\/div>\n<p><a href=\"https:\/\/lab.wallarm.com\/debunking-api-security-myths\/\" target=\"_blank\" style=\"display: inline-block; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Update News Update Information Title Debunking API Security Myths Update ID WALLARMLAB:F55BF056C466A4450CE8477558E41E03 Type wallarmlab Published 2025-07-31T11:00:51 Last Updated 2025-07-31T11:00:51 Security Impact Severity NONE Update&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,5,105],"class_list":["post-9405","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Debunking API Security Myths - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=9405\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta 
property=\"og:title\" content=\"Debunking API Security Myths - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Debunking API Security Myths Update ID WALLARMLAB:F55BF056C466A4450CE8477558E41E03 Type wallarmlab Published 2025-07-31T11:00:51 Last Updated 2025-07-31T11:00:51 Security Impact Severity NONE Update...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=9405\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-31T07:53:06+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9405#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9405\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Debunking API Security 
Myths\",\"datePublished\":\"2025-07-31T07:53:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9405\"},\"wordCount\":982,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\",\"wallarmlab\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=9405#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9405\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9405\",\"name\":\"Debunking API Security Myths - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-31T07:53:06+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9405#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=9405\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9405#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Debunking API Security Myths\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Debunking API Security Myths - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=9405","og_locale":"en_US","og_type":"article","og_title":"Debunking API Security Myths - zero redgem","og_description":"Security Update News Update Information Title Debunking API Security Myths Update ID WALLARMLAB:F55BF056C466A4450CE8477558E41E03 Type wallarmlab Published 2025-07-31T11:00:51 Last Updated 2025-07-31T11:00:51 Security Impact Severity NONE Update...","og_url":"https:\/\/zero.redgem.net\/?p=9405","og_site_name":"zero redgem","article_published_time":"2025-07-31T07:53:06+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=9405#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=9405"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Debunking API Security Myths","datePublished":"2025-07-31T07:53:06+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=9405"},"wordCount":982,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","Security","tapic","Vulnerability","wallarmlab"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=9405#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=9405","url":"https:\/\/zero.redgem.net\/?p=9405","name":"Debunking API Security Myths - zero 
redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-31T07:53:06+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=9405#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=9405"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=9405#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Debunking API Security Myths"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero 
redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/9405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9405"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/9405\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}