Driving Secure APIs at Scale: Lessons from Ford’s Cybersecurity Frontlines

By APIsec University | APIsec|CON 2025 Recap

🚘 Introduction: When APIs Drive the Future, Security Must Steer

Modern vehicles are no longer mechanical machines—they're rolling data centers powered by over 150 million lines of code and APIs connecting every feature, from remote start to self-driving capabilities. At APIsec|CON ‘25, Jason Masker of Upstream Security and Dan from Ford Motor Company unpacked the evolving API security landscape for connected vehicles and how AI is changing both the threat model and the defense strategy.

Whether you manage APIs for mobility, finance, or consumer applications, the lessons here apply at scale. This blog dives deep into their real-world experience managing billions of API transactions, vehicle-specific SOCs, and AI-assisted defense systems.

📡 API Security in Mobility: A Fast-Moving, High-Stakes Arena

The Growing Attack Surface

Connected vehicles today generate billions of data points. From infotainment systems to telematics and over-the-air updates, APIs power the entire mobility experience. But this connectivity also introduces risk:

• Real-time commands (lock, start, locate) flow over APIs
• Attackers exploit exposed endpoints for access and control
• Unique vehicle architectures require adaptive security models

Infotainment, Telematics, and the Danger of Context-Less Security

Jason highlighted that traditional security tools like WAFs often fall short because they lack context. Protecting an API request without understanding the vehicle's current state leads to blind spots. Upstream's approach: build VIN-specific digital twins to analyze behavior in context, not isolation.

🔍 API Visibility and Governance at Scale

Know What You Own

Dan emphasized the foundational truth of AppSec: you can't secure what you can't see. Many teams deploy APIs intended for internal use, only to discover they’re being accessed externally. Without discovery and ownership tracking, governance fails.

Shift Left ≠ Shift Blindly

While “shift left” is essential, it’s only part of the story. Ford’s teams use a shift left + shift right model:

• Left: Secure coding, design reviews, automated gates in CI/CD
• Right: Real-time API monitoring, contextual alerting, incident response

Monitoring is the last line of defense—and the first place to catch what was missed in dev.

🤖 AI: The New Frontier of Both Attack and Defense

AI-Powered Offense: Faster, Smarter, More Accessible

Jason shared chilling examples:

• Tools that automate password resets and MFA bypasses
• AI-generated fuzzers that discover misconfigured vehicle APIs
• Fake dealerships created to reassign vehicle ownership via API abuse

These aren’t theoretical. They're real-world examples of attackers using generative AI and automation to scale complex attacks with little technical knowledge.

AI-Assisted Defense: More Than a Buzzword

Dan’s team at Ford uses AI to:

• Triage alerts and cut false positives
• Correlate API activity with vehicle telemetry
• Spot behavioral anomalies across billions of transactions
• Reduce fatigue among analysts reviewing thousands of logs

The key takeaway: AI isn't a silver bullet. It's a force multiplier—only as good as the prompts, training, and human feedback loops behind it.

🛠️ The Role of a Vehicle SOC (vSOC)

Connected cars introduce a physical dimension to API risk. A compromise could:

• Unlock a car remotely
• Disable critical driving functions
• Breach user privacy at scale

To counter this, Ford established a dedicated Vehicle SOC (vSOC) with:

• Deep understanding of vehicle-specific data formats
• Customized detection logic
• Architecture-aware anomaly detection
• Integration with traditional security teams

It's a model other industries with complex, dynamic ecosystems can learn from.

📊 Key Lessons for AppSec and DevSecOps Professionals

1. Inventory is everything: Maintain a live catalog of APIs, owners, access policies, and usage patterns.
2. Governance matters: Know which teams lack proper controls and prioritize oversight accordingly.
3. AI is a necessity, not a novelty: Use it to supplement alert triage, anomaly detection, and contextual threat correlation.
4. Monitoring completes the loop: Real-time visibility ensures that missed issues don't become headline breaches.
5. Stay dynamic: APIs and threats both evolve daily. Your security strategy should too.

‍