Driving Secure APIs at Scale: Lessons from Ford’s Cybersecurity Frontlines
When your APIs control physical vehicles, failure isn’t just about data loss—it’s about lives. At APIsec|CON ‘25, Ford’s cybersecurity team revealed how they defend billions of API calls per month and why AI has become their frontline ally. From fake dealers reassigning vehicle ownership to real-time alert triage at scale, this session was a masterclass in securing the API-powered future.

By APIsec University | APIsec|CON 2025 Recap
🚘 Introduction: When APIs Drive the Future, Security Must Steer
Modern vehicles are no longer purely mechanical machines. They are rolling data centers running over 150 million lines of code, with APIs connecting every feature from remote start to driver-assistance systems. At APIsec|CON ‘25, Jason Masker of Upstream Security and Dan from Ford Motor Company unpacked the API security landscape for connected vehicles and how AI is changing both the threat model and the defense strategy.
Whether you manage APIs for mobility, finance, or consumer applications, the lessons apply at scale. This post covers their real-world experience running billions of API transactions, a vehicle-specific SOC, and AI-assisted defense systems.
📡 API Security in Mobility: A Fast-Moving, High-Stakes Arena
The Growing Attack Surface
Connected vehicles today generate billions of data points. From infotainment systems to telematics and over-the-air updates, APIs power the entire mobility experience. But this connectivity also introduces risk:
- Real-time commands (lock, start, locate) flow over APIs
- Attackers exploit exposed endpoints for access and control
- Unique vehicle architectures require adaptive security models
Infotainment, Telematics, and the Danger of Context-Less Security
Jason highlighted that traditional security tools like WAFs often fall short because they lack context: a request to unlock a vehicle looks the same to a WAF whether the car is parked in the owner's driveway or travelling at highway speed. Evaluating an API request without knowing the vehicle's current state leaves blind spots. Upstream's approach is to build a VIN-specific digital twin from telemetry and analyze each request against that state, not in isolation.
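To make the "context, not isolation" point concrete, here is an added illustration (not Upstream Security's or Ford's code) of a per-VIN digital twin built from telemetry, with remote commands evaluated against it. The twin fields, the speed threshold, the burst window, the VINs and every telemetry and request record are assumptions constructed for the example; a real deployment would derive them from the vehicle platform and the fleet's telemetry feed.

```python
"""Context-aware checks for vehicle remote commands (illustrative only).

A stateless filter sees only the request. This example keeps a small
per-VIN "digital twin" from telemetry and evaluates each API command
against the vehicle's last known state and recent command history.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MOVING_THRESHOLD_KPH = 5.0   # assumed: above this, a remote unlock is treated as unsafe
BURST_WINDOW_S = 10.0        # assumed: same command twice inside this window looks automated


@dataclass
class VehicleTwin:
    """Minimal per-VIN state reconstructed from telemetry (assumed fields)."""
    vin: str
    speed_kph: float = 0.0
    ignition_on: bool = False
    owner_id: Optional[str] = None
    last_command_ts: Dict[str, float] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]


class TwinStore:
    def __init__(self) -> None:
        self.twins: Dict[str, VehicleTwin] = {}

    def twin(self, vin: str) -> VehicleTwin:
        return self.twins.setdefault(vin, VehicleTwin(vin))

    def ingest_telemetry(self, event: dict) -> None:
        """Update a twin from a telemetry record {"vin", "speed_kph", "ignition_on", "owner_id"}."""
        t = self.twin(event["vin"])
        for key in ("speed_kph", "ignition_on", "owner_id"):
            if key in event:
                setattr(t, key, event[key])

    def evaluate(self, req: dict) -> Decision:
        """Evaluate an API command {"vin", "command", "requester", "ts"} in vehicle context."""
        t = self.twin(req["vin"])
        cmd, ts = req["command"], float(req["ts"])
        reasons: List[str] = []

        # Object-level authorization: the requester must be the owner of record.
        if t.owner_id is None or req["requester"] != t.owner_id:
            reasons.append("requester_not_owner")

        # Physical-state checks that a request-only filter cannot make.
        if cmd == "unlock" and t.speed_kph > MOVING_THRESHOLD_KPH:
            reasons.append("unlock_while_moving")
        if cmd == "remote_start" and t.ignition_on:
            reasons.append("start_while_running")

        # Repeating the same command inside a short window suggests automation.
        prev = t.last_command_ts.get(cmd)
        if prev is not None and ts - prev < BURST_WINDOW_S:
            reasons.append("command_burst")
        t.last_command_ts[cmd] = ts

        return Decision(allowed=not reasons, reasons=reasons)


# Constructed telemetry and requests for the example (not real data).
TELEMETRY = [
    {"vin": "TWINEXAMPLE000001", "speed_kph": 0.0, "ignition_on": False, "owner_id": "user-42"},
    {"vin": "TWINEXAMPLE000002", "speed_kph": 88.0, "ignition_on": True, "owner_id": "user-7"},
]
REQUESTS = [
    {"vin": "TWINEXAMPLE000001", "command": "unlock", "requester": "user-42", "ts": 100.0},
    {"vin": "TWINEXAMPLE000002", "command": "unlock", "requester": "user-7", "ts": 101.0},
    {"vin": "TWINEXAMPLE000002", "command": "remote_start", "requester": "user-99", "ts": 102.0},
    {"vin": "TWINEXAMPLE000001", "command": "unlock", "requester": "user-42", "ts": 103.0},
]


def run_example() -> List[Decision]:
    """Replay the constructed telemetry, then evaluate each request in order."""
    store = TwinStore()
    for ev in TELEMETRY:
        store.ingest_telemetry(ev)
    return [store.evaluate(r) for r in REQUESTS]


if __name__ == "__main__":
    for req, d in zip(REQUESTS, run_example()):
        print(req["vin"], req["command"], "ALLOW" if d.allowed else "DENY", d.reasons)
```

The second and third requests are identical at the HTTP layer to legitimate traffic; only the twin's speed, ignition and ownership state turns them into findings. The fourth request is the same valid unlock as the first, flagged purely on timing, which is the kind of behavioral signal the session described.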
🔍 API Visibility and Governance at Scale
Know What You Own
Dan emphasized the foundational truth of AppSec: you can't secure what you can't see. Many teams deploy APIs intended for internal use, only to discover they’re being accessed externally. Without discovery and ownership tracking, governance fails.
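The "internal API reached from outside" problem is easy to detect once an inventory exists. The following is an added example (not Ford's tooling) that checks constructed access-log lines against a small API inventory recording owner and intended exposure, reporting internal APIs hit from outside the assumed corporate address ranges and endpoints that appear in traffic but not in the inventory. The inventory entries, the log format, the team names and the internal CIDRs are all assumptions for the example.

```python
"""Inventory-versus-traffic audit for APIs (illustrative only).

Two findings are produced: an API the inventory marks "internal" that is
reached from an external client, and a path seen in traffic that the
inventory does not know about at all (a shadow API with no owner).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory: path pattern -> (owning team, intended exposure).
INVENTORY: Dict[str, Tuple[str, str]] = {
    r"^/v1/vehicles/[A-Z0-9]{17}/status$": ("telematics", "external"),
    r"^/v1/vehicles/[A-Z0-9]{17}/commands$": ("remote-services", "external"),
    r"^/internal/dealers/[0-9]+/transfer$": ("dealer-platform", "internal"),
}

# Assumed corporate address space; documentation ranges are treated as
# external here (ipaddress.is_private would classify them as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed simplified log format: "<client_ip> <METHOD> <path> <status>".
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed access-log lines for the example (not real traffic).
LOG_LINES = [
    "10.20.1.5 POST /internal/dealers/1234/transfer 200",
    "203.0.113.7 POST /internal/dealers/1234/transfer 200",
    "198.51.100.9 GET /v1/vehicles/TWINEXAMPLE000001/status 200",
    "203.0.113.8 GET /v1/vehicles/TWINEXAMPLE000001/history 200",
    "10.20.1.9 GET /v1/vehicles/TWINEXAMPLE000001/status 200",
]


def is_internal_client(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lookup(path: str) -> Optional[Tuple[str, str]]:
    """Return (owner, exposure) for the first inventory pattern matching the path."""
    for pattern, entry in INVENTORY.items():
        if re.match(pattern, path):
            return entry
    return None


def audit(lines: List[str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return findings as (kind, path, client_ip, owner)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        ip, path = m["ip"], m["path"]
        entry = lookup(path)
        if entry is None:
            findings.append(("unknown_api", path, ip, None))
            continue
        owner, exposure = entry
        if exposure == "internal" and not is_internal_client(ip):
            findings.append(("internal_api_external_access", path, ip, owner))
    return findings


if __name__ == "__main__":
    for kind, path, ip, owner in audit(LOG_LINES):
        print(f"{kind}: {path} from {ip} (owner: {owner or 'none on record'})")
```

Because each finding carries the owning team, it can be routed to that team rather than to a central queue, and an `unknown_api` finding with no owner is itself the governance gap the speakers described.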
Shift Left ≠ Shift Blindly
While “shift left” is essential, it’s only part of the story. Ford’s teams use a shift left + shift right model:
- Left: Secure coding, design reviews, automated gates in CI/CD
- Right: Real-time API monitoring, contextual alerting, incident response
Monitoring is the last line of defense—and the first place to catch what was missed in dev.
🤖 AI: The New Frontier of Both Attack and Defense
AI-Powered Offense: Faster, Smarter, More Accessible
Jason shared chilling examples:
- Tools that automate password resets and MFA bypasses
- AI-generated fuzzers that discover misconfigured vehicle APIs
- Fake dealerships created to reassign vehicle ownership via API abuse
These aren’t theoretical. They're real-world examples of attackers using generative AI and automation to scale complex attacks with little technical knowledge.
AI-Assisted Defense: More Than a Buzzword
Dan’s team at Ford uses AI to:
- Triage alerts and cut false positives
- Correlate API activity with vehicle telemetry
- Spot behavioral anomalies across billions of transactions
- Reduce fatigue among analysts reviewing thousands of logs
The key takeaway: AI isn't a silver bullet. It's a force multiplier—only as good as the prompts, training, and human feedback loops behind it.
🛠️ The Role of a Vehicle SOC (vSOC)
Connected cars introduce a physical dimension to API risk. A compromise could:
- Unlock a car remotely
- Disable critical driving functions
- Breach user privacy at scale
To counter this, Ford established a dedicated Vehicle SOC (vSOC) with:
- Deep understanding of vehicle-specific data formats
- Customized detection logic
- Architecture-aware anomaly detection
- Integration with traditional security teams
It's a model other industries with complex, dynamic ecosystems can learn from.
📊 Key Lessons for AppSec and DevSecOps Professionals
- Inventory is everything: Maintain a live catalog of APIs, owners, access policies, and usage patterns.
- Governance matters: Know which teams lack proper controls and prioritize oversight accordingly.
- AI is a necessity, not a novelty: Use it to supplement alert triage, anomaly detection, and contextual threat correlation.
- Monitoring completes the loop: Real-time visibility ensures that missed issues don't become headline breaches.
- Stay dynamic: APIs and threats both evolve daily. Your security strategy should too.
