APIs, Sharks, and Blood in the Water: Why API Security Can’t Be Ignored
Think your APIs are safe because they’re out of sight? Think again. In this gripping talk from APISEC|CON, Chris St. Amand compares modern API security risks to the hidden terror of Jaws—what you can’t see can absolutely hurt you. With 84% of companies suffering an API-specific incident last year, this isn’t just a warning—it’s a wake-up call. Learn why visibility is everything, why automation is your lifeline, and how to start securing your APIs before there’s blood in the water.

If Jaws taught us anything, it’s that what we don’t see can hurt us—just like APIs lurking beneath the surface until attackers strike. Chris St. Amand’s 2025 APISEC|CON presentation drew an unforgettable parallel: APIs are sharks in deep water, and ignoring them means waiting for blood in the water.
Key Findings That Should Wake You Up
- APIs are exploding in scope: Gartner estimated the API management market at $70M in 2013, ballooning to $660M by 2020, with up to $16B projected for 2029. That's a tidal wave of attack surface.
- API incidents are skyrocketing: the API Security Impact Study (2024) reports that 84% of organizations suffered an API-specific security incident in the past year, up from 78% in 2023.
- Visibility is abysmally low: in 2023 only 40% said they had a full inventory of the APIs that expose sensitive data. That dropped further to just 27% in 2024, creating a hacker's paradise.
Why Are So Many Companies Still Getting Hacked Through APIs?
1. Obscurity is the Enemy
APIs often remain hidden—documentation is sparse, inventory is incomplete, and stakeholders don’t even know what they’re trying to protect. Chris stressed that devs must raise awareness internally: “there’s a shark in the water.”
2. Third‑Party Risk
Chris highlighted vulnerabilities stemming from third-party integrations—from B2B platforms to IoT vendor APIs. Blind trust in vendor security is a minefield.
3. Scale and Automation Challenges
Organizations run hundreds of APIs, and attackers now use automation and AI tools previously reserved for testing. Manual efforts simply can’t keep pace.
What You Can Do: Chris’s Tactical “Bigger Boat” Strategy
You need a bigger boat—meaning automation, awareness, and layered defenses.
Obscurity: Know What You Protect
- Build full API inventories and map what data each endpoint exposes.
- Demand security transparency from vendors and partners.
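One concrete way to start that inventory is to mine the OpenAPI documents you already have: list every operation, record whether it carries an authentication requirement, and flag the sensitive fields its responses can return. The script below is an added example, not code from the talk or from APIsec University; the OpenAPI document, the field-name pattern and the `unauthenticated_sensitive` helper are constructed for illustration, and the pattern is deliberately crude (tune it to your own data classification).

```python
"""Inventory an OpenAPI 3 document: which operations return sensitive fields,
and which of those can be called without authentication."""
import json
import re

# Constructed sample spec (not a real API). The export endpoint opts out of the
# document-wide bearerAuth requirement with "security": [] -- a common mistake.
SAMPLE_SPEC = json.loads(r'''
{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users/{id}": {"get": {"operationId": "getUser",
      "responses": {"200": {"content": {"application/json":
        {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
    "/users/{id}/export": {"get": {"operationId": "exportUser", "security": [],
      "responses": {"200": {"content": {"application/json":
        {"schema": {"$ref": "#/components/schemas/UserExport"}}}}}}},
    "/health": {"get": {"operationId": "health", "security": [],
      "responses": {"200": {"content": {"application/json":
        {"schema": {"type": "object", "properties": {"status": {"type": "string"}}}}}}}}}
  },
  "components": {"schemas": {
    "User": {"type": "object", "properties": {"id": {"type": "string"}, "email": {"type": "string"}}},
    "UserExport": {"type": "object", "properties": {
      "profile": {"$ref": "#/components/schemas/User"},
      "ssn": {"type": "string"},
      "payments": {"type": "array", "items": {"type": "object",
        "properties": {"card_number": {"type": "string"}}}}}}}}
}
''')

# Assumed list of field names that count as sensitive; replace with your own classification.
SENSITIVE_FIELD = re.compile(r"(ssn|email|password|card_number|token|secret|phone|dob)", re.I)
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def resolve(spec, node):
    """Follow a local '#/...' $ref chain; return the node unchanged if it has none."""
    while isinstance(node, dict) and "$ref" in node:
        target = spec
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node = target
    return node


def sensitive_fields(spec, schema, path="", seen=frozenset()):
    """Walk a schema (objects, arrays, $refs) and return dotted paths of sensitive properties.
    `seen` holds ids of schemas on the current branch so recursive schemas cannot loop."""
    schema = resolve(spec, schema)
    if not isinstance(schema, dict) or id(schema) in seen:
        return []
    seen = seen | {id(schema)}
    found = []
    for name, sub in schema.get("properties", {}).items():
        dotted = f"{path}.{name}" if path else name
        if SENSITIVE_FIELD.search(name):
            found.append(dotted)
        found.extend(sensitive_fields(spec, sub, dotted, seen))
    if "items" in schema:  # array: descend into the element schema
        found.extend(sensitive_fields(spec, schema["items"], path + "[]", seen))
    return found


def inventory(spec):
    """One row per operation: path, method, whether auth is required, sensitive response fields."""
    rows = []
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level "security" overrides the global one; [] disables it entirely.
            security = op.get("security", global_security)
            fields = []
            for resp in op.get("responses", {}).values():
                for media in resolve(spec, resp).get("content", {}).values():
                    fields.extend(sensitive_fields(spec, media.get("schema", {})))
            rows.append({"path": path, "method": method.upper(),
                         "authenticated": bool(security), "sensitive": sorted(set(fields))})
    return rows


def unauthenticated_sensitive(rows):
    """The rows that should stop a pipeline: sensitive data behind no authentication at all."""
    return [r for r in rows if r["sensitive"] and not r["authenticated"]]


if __name__ == "__main__":
    rows = inventory(SAMPLE_SPEC)
    for r in rows:
        print(f'{r["method"]:6} {r["path"]:20} auth={r["authenticated"]!s:5} sensitive={r["sensitive"]}')
    for r in unauthenticated_sensitive(rows):
        print("FAIL: unauthenticated sensitive endpoint:", r["method"], r["path"])
```

Run against every spec in the repository and diff the output over time: a new row is a new shark, and a row whose `authenticated` flips to `False` is the one to chase first. Specs only describe what is documented, so pair this with gateway logs to catch endpoints the spec never mentions.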
Automation: Fight Fire with a Bigger Boat
- Automate API scanning and security checks in your CI/CD pipeline.
- Use API gateways to monitor and analyze all API traffic in one place.
The Basics: Harden Your APIs
- TLS everywhere.
- Strong authentication + authorization on every endpoint. Enforce object-level and function-level checks on the server: an attacker calls the API directly and never sees the actions the UI hides.
- Expose minimal data: no over-fetching, no extra fields "just in case".
- Opaque identifiers: use random, non-sequential IDs so records can't be enumerated, and treat that as a speed bump rather than a substitute for the authorization check.
API Gateway & Monitoring Tools
Gateways can enforce security policies—rate limiting, authentication, logging, threat detection—all in one central layer.
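As an added example of one of those central policies, not code from the talk or from any gateway product, here is a per-client token-bucket rate limit of the kind a gateway applies in front of every backend. The client key, bucket sizes and request trace are constructed for illustration; real deployments key on the authenticated principal wherever possible because source addresses are cheap to rotate.

```python
"""Per-client token-bucket rate limiting, as enforced at an API gateway."""
import time


class TokenBucketLimiter:
    """Each client may burst `capacity` requests, then gets `rate` new requests per second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock            # injectable so the policy can be tested with a fake clock
        self.buckets = {}             # client key -> (tokens, last refill time)

    def allow(self, client):
        """Return True and spend a token if the client still has budget, else False."""
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[client] = (tokens - 1, now)
            return True
        self.buckets[client] = (tokens, now)   # remember the partial refill, deny this request
        return False


def client_key(headers, remote_addr):
    """Key on the presented credential when there is one, otherwise on the source address.
    Assumption: the gateway has already validated the bearer token before this runs."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return ("token", auth[len("Bearer "):])
    return ("ip", remote_addr)


def simulate(requests, capacity=5, rate=1.0):
    """Replay (timestamp, headers, source ip) tuples through the limiter with a fake clock.
    Returns (key, allowed) per request so the policy can be inspected offline."""
    now = [0.0]
    limiter = TokenBucketLimiter(capacity, rate, clock=lambda: now[0])
    decisions = []
    for t, headers, ip in requests:
        now[0] = t
        key = client_key(headers, ip)
        decisions.append((key, limiter.allow(key)))
    return decisions


# Constructed trace: one anonymous scraper firing 7 requests in 0.6 s, an authenticated
# user in the middle of the burst, and the scraper returning 2 s later.
SCRAPER_IP = "203.0.113.9"
TRACE = [(round(0.1 * i, 1), {}, SCRAPER_IP) for i in range(7)]
TRACE += [(0.65, {"Authorization": "Bearer tok-alice"}, SCRAPER_IP), (2.7, {}, SCRAPER_IP)]

if __name__ == "__main__":
    for (key, allowed), (t, _, _) in zip(simulate(TRACE), TRACE):
        print(f"t={t:<4} {key} -> {'allow' if allowed else 'DENY (429)'}")
```

The anonymous burst is cut off after the fifth request, the authenticated caller sharing the same address is unaffected because it is tracked under its own key, and the scraper regains exactly as much budget as the elapsed time earned it. Keep the bucket state in a shared store if the gateway runs more than one instance, or each replica will grant the full burst on its own.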
DevOps Integration
- Scan API schemas and headers automatically.
- Run continuous tests for auth, BOLA, resource quotas.
- Let manual penetration testing focus on high-priority logic flaws.
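The hardening basics above (server-side authorization, opaque identifiers, minimal responses) and the "continuous tests for auth and BOLA" step are two sides of the same check, so one added example covers both. The code is written for this article and is not from the talk or from APIsec University: it models a vulnerable orders endpoint beside a hardened one as plain Python functions, and runs the kind of two-user BOLA probe a CI job would fire at a test deployment. The users, tokens, orders and the `bola_check` function are constructed; in a real pipeline the same probe is sent over HTTP with two low-privilege test accounts.

```python
"""Vulnerable vs hardened object lookup, and the BOLA probe a CI job would run against both."""
import secrets
from dataclasses import dataclass

# Constructed credentials: bearer token -> user. Stands in for a real token verifier.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Order:
    order_id: str
    owner: str
    total: int
    card_last4: str


def authenticate(headers):
    """Return the user behind a Bearer token, or None when the request is anonymous or bogus."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


class VulnerableOrdersApi:
    """Authenticates the caller but never checks ownership (BOLA), uses guessable
    sequential ids, and returns every stored field."""

    def __init__(self):
        self.orders = {"1": Order("1", "alice", 120, "4242"), "2": Order("2", "bob", 80, "1111")}

    def get_order(self, headers, order_id):
        if authenticate(headers) is None:
            return 401, None
        order = self.orders.get(order_id)
        if order is None:
            return 404, None
        return 200, vars(order)          # leaks owner and card digits to anyone logged in


class HardenedOrdersApi:
    """Per-object authorization on the server, random opaque ids, minimal response body."""

    def __init__(self):
        self.orders = {}
        self.ids = {}                    # owner -> id, kept only so the example can find orders
        for owner, total, last4 in [("alice", 120, "4242"), ("bob", 80, "1111")]:
            oid = secrets.token_urlsafe(16)   # 128 bits of randomness: not enumerable
            self.orders[oid] = Order(oid, owner, total, last4)
            self.ids[owner] = oid

    def get_order(self, headers, order_id):
        user = authenticate(headers)
        if user is None:
            return 401, None
        order = self.orders.get(order_id)
        # Same 404 for "does not exist" and "not yours": no oracle that confirms the id is valid.
        if order is None or order.owner != user:
            return 404, None
        return 200, {"order_id": order.order_id, "total": order.total}


def bola_check(api, victim_order_id):
    """Probe as bob against alice's order. Returns the findings a pipeline would fail on."""
    findings = []
    status, body = api.get_order({"Authorization": "Bearer tok-bob"}, victim_order_id)
    if status == 200:
        findings.append("BOLA: foreign object readable")
        if body and "card_last4" in body:
            findings.append("excessive data exposure: card_last4 in response")
    status, _ = api.get_order({}, victim_order_id)   # anonymous request must be rejected
    if status != 401:
        findings.append("missing authentication")
    return findings


def run_checks():
    """Run the probe against both implementations; the hardened one should come back clean."""
    vuln, hard = VulnerableOrdersApi(), HardenedOrdersApi()
    return {"vulnerable": bola_check(vuln, "1"), "hardened": bola_check(hard, hard.ids["alice"])}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {findings or 'no findings'}")
```

The probe needs nothing clever: two valid accounts and one object id belonging to the wrong one. That is exactly why it belongs in automation, run on every endpoint that takes an identifier, while manual testers spend their time on flows where "who may do this" depends on business state rather than on a single ownership field.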
Stay Updated with OWASP API Security Top 10
Chris recommended using the OWASP API Security Top 10 as a baseline defense checklist, including Broken Object Level Authorization (BOLA), Broken Authentication, Unrestricted Access to Sensitive Business Flows (business logic abuse), and Improper Inventory Management.
Cross‑Links: Expand Your Knowledge at APIsec University
- Start with the [API Security Fundamentals course](https://www.apisecuniversity.com/courses/api-security-fundamentals) for free coverage of threats, the OWASP Top 10, and the three pillars: governance, testing, and monitoring.
- For DevSecOps professionals, check out the [API Security Meets DevSecOps] course, which covers culture, CI/CD integration, and API-first security design.
- Automated defenses are best learned via the [API Gateway Best Practices] module: enforcing auth, rate limits, and traffic protection in code and infrastructure.
- Complement your skills with [OWASP API Security Top 10 & Beyond], diving deeper into edge vulnerabilities and updated threat modeling.
- And strengthen your foundation through [Test-Driven Development for API Security], focusing on shifting left to catch auth, BOLA, and logic issues early with CI/CD automation.
What Should AppSec and DevSecOps Teams Do to Secure APIs?
| Focus Area | Actions to Take |
| --- | --- |
| Awareness | Inventory APIs, document endpoints, highlight risks internally. |
| Automation | Integrate API scanners and auth checks into CI/CD; continuous monitoring. |
| Hardening Basics | Enforce TLS, strong auth/authz, limit sensitive data exposure. |
| Governance & Training | Train devs and security staff, vet third-party API use. |
| Security Standards | Use the OWASP API Top 10 as a baseline; decommission unused versions. |
Frequently Asked Questions
What is the biggest threat to API security today?
Unauthorized access through exposed or undocumented endpoints—especially when there’s no visibility.
How can I secure APIs without slowing down development?
Use automated tools in your CI/CD pipeline to enforce authentication, validate input, and scan for common vulnerabilities.
Do I need both manual and automated API testing?
Yes. Automation gives you breadth; manual testing gives you depth—especially for business logic flaws.
What’s the first step to improving API security?
Build a complete inventory of your APIs and identify which ones expose sensitive data.
Final Thoughts
Chris St. Amand's talk is a powerful call to action: don't wait for "blood in the water," prepare proactively. With 84% of companies hit last year and only 27% holding a full inventory of the APIs that expose sensitive data, the risk is real. Yet with layered defenses, automation, secure governance, and strong team alignment, we can stay ahead of the shark.
Want help building that bigger boat? Explore the free API Security Fundamentals course and DevSecOps-specific training—then shift your strategy from reactive to proactive. The water’s full of sharks: get your crew ready.
