
June 21, 2025
July 8, 2025

Driving Secure APIs at Scale: Lessons from Ford’s Cybersecurity Frontlines

When your APIs control physical vehicles, failure isn’t just about data loss—it’s about lives. At APIsec|CON ‘25, Ford’s cybersecurity team revealed how they defend billions of API calls per month and why AI has become their frontline ally. From fake dealers reassigning vehicle ownership to real-time alert triage at scale, this session was a masterclass in securing the API-powered future.


By APIsec University | APIsec|CON 2025 Recap

🚘 Introduction: When APIs Drive the Future, Security Must Steer

Modern vehicles are no longer mechanical machines—they're rolling data centers powered by over 150 million lines of code and APIs connecting every feature, from remote start to self-driving capabilities. At APIsec|CON ‘25, Jason Masker of Upstream Security and Dan from Ford Motor Company unpacked the evolving API security landscape for connected vehicles and how AI is changing both the threat model and the defense strategy.

Whether you manage APIs for mobility, finance, or consumer applications, the lessons here apply at scale. This blog dives deep into their real-world experience managing billions of API transactions, vehicle-specific SOCs, and AI-assisted defense systems.

📡 API Security in Mobility: A Fast-Moving, High-Stakes Arena

The Growing Attack Surface

Connected vehicles today generate billions of data points. From infotainment systems to telematics and over-the-air updates, APIs power the entire mobility experience. But this connectivity also introduces risk:

  • Real-time commands (lock, start, locate) flow over APIs
  • Attackers exploit exposed endpoints for access and control
  • Unique vehicle architectures require adaptive security models

Infotainment, Telematics, and the Danger of Context-Less Security

Jason highlighted that traditional security tools like WAFs often fall short because they lack context. Protecting an API request without understanding the vehicle's current state leads to blind spots. Upstream's approach: build VIN-specific digital twins to analyze behavior in context, not isolation.

🔍 API Visibility and Governance at Scale

Know What You Own

Dan emphasized the foundational truth of AppSec: you can't secure what you can't see. Many teams deploy APIs intended for internal use, only to discover they’re being accessed externally. Without discovery and ownership tracking, governance fails.

Shift Left ≠ Shift Blindly

While “shift left” is essential, it’s only part of the story. Ford’s teams use a shift left + shift right model:

  • Left: Secure coding, design reviews, automated gates in CI/CD
  • Right: Real-time API monitoring, contextual alerting, incident response

Monitoring is the last line of defense—and the first place to catch what was missed in dev.

🤖 AI: The New Frontier of Both Attack and Defense

AI-Powered Offense: Faster, Smarter, More Accessible

Jason shared chilling examples:

  • Tools that automate password resets and MFA bypasses
  • AI-generated fuzzers that discover misconfigured vehicle APIs
  • Fake dealerships created to reassign vehicle ownership via API abuse

These aren’t theoretical. They're real-world examples of attackers using generative AI and automation to scale complex attacks with little technical knowledge.

AI-Assisted Defense: More Than a Buzzword

Dan’s team at Ford uses AI to:

  • Triage alerts and cut false positives
  • Correlate API activity with vehicle telemetry
  • Spot behavioral anomalies across billions of transactions
  • Reduce fatigue among analysts reviewing thousands of logs

The key takeaway: AI isn't a silver bullet. It's a force multiplier—only as good as the prompts, training, and human feedback loops behind it.
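As an added example (not Ford's or Upstream's code) of the context-aware monitoring described above: a small per-VIN state store standing in for a digital twin, which evaluates each API command against the vehicle's last telemetry and recorded owner, and flags a dealer account that reassigns ownership more often than an assumed limit. The event schema, thresholds, VINs and account names are all constructed.

```python
"""Context-aware API monitoring keyed by VIN (constructed example)."""
from collections import defaultdict

MOVING_KPH = 5.0     # assumed threshold for "vehicle in motion"
REASSIGN_LIMIT = 2   # assumed ownership changes one dealer account may make per window

def new_twin():
    """Minimal digital twin: the last telemetry and owner we hold for one VIN."""
    return {"speed_kph": 0.0, "owner": ""}

class ContextualMonitor:
    """Scores each API request against per-VIN state rather than in isolation."""
    def __init__(self):
        self.twins = defaultdict(new_twin)
        self.reassigns = defaultdict(int)  # dealer account -> changes this window

    def ingest_telemetry(self, vin, speed_kph):
        self.twins[vin]["speed_kph"] = speed_kph

    def evaluate(self, req):
        """Return alert strings for one API request; an empty list means benign."""
        alerts, twin = [], self.twins[req["vin"]]
        action, actor = req["action"], req["actor"]
        if action == "reassign_owner":  # dealer-side ownership change
            self.reassigns[actor] += 1
            if self.reassigns[actor] > REASSIGN_LIMIT:
                alerts.append(f"{actor}: {self.reassigns[actor]} ownership changes exceed limit {REASSIGN_LIMIT}")
            else:
                twin["owner"] = req["new_owner"]
            return alerts
        if twin["owner"] and actor != twin["owner"]:  # command from a non-owner account
            alerts.append(f"{req['vin']}: {action} by {actor}, recorded owner is {twin['owner']}")
        if action in ("unlock", "remote_start") and twin["speed_kph"] > MOVING_KPH:
            alerts.append(f"{req['vin']}: {action} while moving at {twin['speed_kph']} km/h")
        return alerts

def run_demo():
    """Replay constructed telemetry and API events; returns the alerts per event."""
    m = ContextualMonitor()
    m.evaluate({"vin": "VIN-A", "action": "reassign_owner", "actor": "dealer-1", "new_owner": "alice"})
    m.ingest_telemetry("VIN-A", speed_kph=62.0)  # VIN-A is now on the road
    events = [
        {"vin": "VIN-A", "action": "unlock", "actor": "alice"},    # owner, but the car is moving
        {"vin": "VIN-A", "action": "locate", "actor": "mallory"},  # not the recorded owner
        {"vin": "VIN-B", "action": "reassign_owner", "actor": "dealer-1", "new_owner": "bob"},
        {"vin": "VIN-C", "action": "reassign_owner", "actor": "dealer-1", "new_owner": "carol"},
    ]
    return [m.evaluate(e) for e in events]
```

The same request (an unlock from the legitimate owner) is benign when the car is parked and suspicious when it is moving, which is the context a stateless WAF rule cannot see.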

🛠️ The Role of a Vehicle SOC (vSOC)

Connected cars introduce a physical dimension to API risk. A compromise could:

  • Unlock a car remotely
  • Disable critical driving functions
  • Breach user privacy at scale

To counter this, Ford established a dedicated Vehicle SOC (vSOC) with:

  • Deep understanding of vehicle-specific data formats
  • Customized detection logic
  • Architecture-aware anomaly detection
  • Integration with traditional security teams

It's a model other industries with complex, dynamic ecosystems can learn from.

📊 Key Lessons for AppSec and DevSecOps Professionals

  1. Inventory is everything: Maintain a live catalog of APIs, owners, access policies, and usage patterns.
  2. Governance matters: Know which teams lack proper controls and prioritize oversight accordingly.
  3. AI is a necessity, not a novelty: Use it to supplement alert triage, anomaly detection, and contextual threat correlation.
  4. Monitoring completes the loop: Real-time visibility ensures that missed issues don't become headline breaches.
  5. Stay dynamic: APIs and threats both evolve daily. Your security strategy should too.
