June 10, 2025
June 30, 2025

From Fear to Framework: How API Gateways Can Enable Secure Innovation

“If the U.S. Treasury, Cloudflare, and T-Mobile can’t stop API breaches, how are you supposed to?” At APIsec|CON 2025, Dan Temkin flips the script—arguing that fear-based security isn’t sustainable. Instead, he lays out a roadmap where gateways, governance, and business-aligned security turn APIs into enablers of agility and trust.

At APIsec|CON 2025, Dan Temkin, now with Kong Inc., delivered a powerful reality check—and an optimistic vision—for the future of API security. With decades of experience from State Farm to IBM, Dan offered a deep dive into the dual nature of APIs: they’re both an attack vector and a massive business enabler.

In a sea of anxiety-inducing breach statistics and horror stories, Dan’s message was refreshingly clear: security should not be a blocker. When implemented wisely, especially through gateway-driven models, API security becomes a foundation for business agility, compliance, and trust.

The Evolution of APIs: From Backend Glue to Brand Identity

Dan walked attendees through the historical shift in API usage:

  • Backend Integration: Originally meant to connect monoliths or cross-language services.
  • Technical Infrastructure: API gateways emerged to manage service sprawl.
  • Business Innovation Layer: Today, APIs represent brand identity and digital capability—often requested directly by business leaders.

This evolution means that security can't remain a developer-only responsibility. It must be a platform concern, governed, monitored, and scaled across environments.

The False Security of Fear

Security presentations often rely on fear, uncertainty, and doubt (FUD)—and Dan acknowledged their emotional power. But he also warned that FUD-driven security leads to:

  • Short-term fixes
  • Disbanded working groups
  • Lack of executive buy-in

Instead of asking “What happens if we’re breached?” Dan reframes the conversation:

“What’s the value of securing the next million API transactions?”

This shift transforms security into a growth strategy, not just risk management.

Why API Gateways Are the Foundation of Secure Scale

Dan strongly advocates for using API gateways as a centralized policy enforcement point. Here's why:

Consistency Across Environments

Whether you're running on mainframes, Kubernetes, or edge clouds—gateways apply security policies uniformly, reducing developer burden.

Declarative Security

Gateways make it possible to define security policies as code—rate limits, token mediation, TLS upgrades—without diving into each microservice repo.

Faster Compliance

Need to enforce TLS 1.3 or update cipher suites? Gateways let you push those changes instantly across thousands of APIs.
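The two points above (security policy as code, and a single change that rolls out across every API) are easiest to see with a concrete policy check. The following is an added example, not code from the talk or from Kong: it lints a declarative gateway configuration against a small baseline (every route needs an authentication plugin and a rate limit, no plaintext listeners or upstreams, only TLS 1.2/1.3 at the gateway). The configuration is constructed here in a Kong-style services/routes/plugins layout; the exact schema, plugin names and the `tls.ssl_protocols` key are assumptions for illustration.

```python
"""Policy-as-code lint over a declarative API gateway config (added example)."""
from dataclasses import dataclass

# Baseline the platform team enforces centrally (assumed names, Kong-style).
AUTH_PLUGINS = {"jwt", "key-auth", "oauth2", "openid-connect"}
ALLOWED_TLS = {"tls1.2", "tls1.3"}


@dataclass(frozen=True)
class Finding:
    service: str
    route: str
    rule: str
    detail: str


# Constructed sample config (not from the page): one hardened service, one
# legacy service with nothing applied, one that mixes route- and service-level plugins.
SAMPLE_CONFIG = {
    "_format_version": "3.0",
    "services": [
        {
            "name": "payments",
            "url": "https://payments.internal:8443",
            "routes": [{"name": "payments-v1", "paths": ["/v1/payments"], "protocols": ["https"]}],
            "plugins": [
                {"name": "jwt", "config": {}},
                {"name": "rate-limiting", "config": {"minute": 600, "policy": "local"}},
            ],
        },
        {
            "name": "legacy-claims",
            "url": "http://claims.internal:8080",
            "routes": [{"name": "claims-v1", "paths": ["/v1/claims"], "protocols": ["http", "https"]}],
            "plugins": [],
        },
        {
            "name": "catalog",
            "url": "https://catalog.internal",
            "routes": [
                {
                    "name": "catalog-v2",
                    "paths": ["/v2/catalog"],
                    "protocols": ["https"],
                    "plugins": [{"name": "key-auth", "config": {}}],
                }
            ],
            "plugins": [{"name": "rate-limiting", "config": {"minute": 1000}}],
        },
    ],
    # Gateway-wide listener settings (assumed key): one edit here covers every API.
    "tls": {"ssl_protocols": ["tls1.1", "tls1.2", "tls1.3"]},
}


def lint(config: dict) -> list[Finding]:
    """Return every baseline violation found in the declarative config."""
    findings: list[Finding] = []

    # Gateway-level TLS policy: anything outside the allow-list is a finding.
    disallowed = set(config.get("tls", {}).get("ssl_protocols", [])) - ALLOWED_TLS
    if disallowed:
        findings.append(Finding("*", "*", "tls-protocols", f"disallowed: {sorted(disallowed)}"))

    for svc in config.get("services", []):
        svc_plugins = {p["name"] for p in svc.get("plugins", [])}

        # Upstream hop must be encrypted too, not only the client-facing side.
        if svc.get("url", "").startswith("http://"):
            findings.append(Finding(svc["name"], "*", "plaintext-upstream", svc["url"]))

        for route in svc.get("routes", []):
            # Plugins attached at service level apply to every route beneath it.
            effective = svc_plugins | {p["name"] for p in route.get("plugins", [])}
            if not effective & AUTH_PLUGINS:
                findings.append(Finding(svc["name"], route["name"], "no-auth", "no auth plugin in effect"))
            if "rate-limiting" not in effective:
                findings.append(Finding(svc["name"], route["name"], "no-rate-limit", "no rate-limiting plugin"))
            if "http" in route.get("protocols", []):
                findings.append(Finding(svc["name"], route["name"], "plaintext-route", "accepts http"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, handy for a CI gate or dashboard."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"{f.rule:18} {f.service}/{f.route}: {f.detail}")
```

Run as a pre-merge check on the config repository, a lint like this turns "we require auth and TLS 1.3" from a review comment into a gate that fails the change, and the gateway-wide `tls` block shows why a listener-level setting is the cheapest place to enforce a cipher or protocol change.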

AI Gateway Support

Kong’s new AI gateway helps manage LLM-specific security concerns:

  • Semantic prompt guards
  • Provider-agnostic LLM routing
  • Decoupled monetization strategies

This future-proofs your architecture against the fast-moving AI landscape.

Why Developer-Centric Security Isn’t Enough

Despite efforts to “shift left,” Dan emphasizes that developers are not a uniform group:

  • Different languages and frameworks
  • Varied security expertise
  • Rapid turnover

Trying to harden APIs at the code level alone leads to constant firefighting. Gateway-driven, runtime protection allows organizations to “shift right”—without sacrificing speed or security.

Reframing the API Security Narrative

To engage stakeholders and secure funding, Dan recommends changing the language:

  • From: "APIs are an unacceptable risk"
  • To: "APIs unlock business agility"

This subtle shift encourages:

  • Executive buy-in
  • Continuous investment
  • Long-term cultural change

Security becomes a business enabler, not a blocker.

What Should DevSecOps Teams Do Next?

  1. Audit Your API Estate
    Don’t assume visibility—catalog everything.
  2. Implement Declarative Gateways
    Choose tools that support config-based enforcement, like Kong.
  3. Secure Internal APIs Too
    Risk isn’t just at the edge. Legacy services need love too.
  4. Train Continuously
    Developers need practical, code-integrated security education—not just phishing simulations.
  5. Lead with Trust
    Your APIs represent your brand. Secure them like your storefront.
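Step 1 above, cataloguing the API estate rather than assuming visibility, is the one most teams can start on today from data they already have. The following is an added example, not code from the talk: it compares endpoints observed in gateway access logs against a documented catalog and reports both undocumented ("shadow") endpoints and catalogued endpoints that see no traffic. The log lines, the catalog and the Combined-Log-style line format are all constructed for this example; the path normalization (numeric, UUID and long hex segments collapsed to `{id}`) is an assumption about how the APIs name their resources.

```python
"""Shadow-API audit: observed gateway traffic vs. the documented catalog (added example)."""
import re
from collections import Counter

# Constructed catalog of documented endpoints, as (method, path template).
CATALOG = {
    ("GET", "/v1/payments/{id}"),
    ("POST", "/v1/payments"),
    ("DELETE", "/v1/payments/{id}"),
    ("GET", "/v2/catalog"),
}

# Constructed access log lines in a Combined-Log-like format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "GET /v1/payments/1234 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2025:12:00:02 +0000] "POST /v1/payments HTTP/1.1" 201 88
10.0.0.9 - - [10/Jun/2025:12:00:03 +0000] "GET /v1/claims/7781 HTTP/1.1" 200 2048
10.0.0.9 - - [10/Jun/2025:12:00:04 +0000] "GET /v1/claims/7782?expand=1 HTTP/1.1" 200 2048
10.0.0.7 - - [10/Jun/2025:12:00:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 9000
10.0.0.5 - - [10/Jun/2025:12:00:06 +0000] "GET /v2/catalog HTTP/1.1" 200 300
"""

# Pull method and request path out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Segments that look like identifiers: integers, UUIDs, or long hex tokens (assumed convention).
ID_SEG = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{16,})$",
    re.IGNORECASE,
)


def normalize(path: str) -> str:
    """Drop the query string and collapse identifier segments to {id}."""
    path = path.split("?", 1)[0]
    parts = ["{id}" if ID_SEG.match(seg) else seg for seg in path.strip("/").split("/")]
    return "/" + "/".join(parts)


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per (method, normalized path) seen in the log."""
    seen: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[(m["method"], normalize(m["path"]))] += 1
    return seen


def audit(log_text: str, catalog: set) -> tuple[dict, list]:
    """Return (shadow endpoints with request counts, catalogued endpoints with no traffic)."""
    seen = observed_endpoints(log_text)
    shadow = {ep: n for ep, n in seen.items() if ep not in catalog}
    unused = sorted(catalog - set(seen))
    return shadow, unused


if __name__ == "__main__":
    shadow, unused = audit(SAMPLE_LOG, CATALOG)
    for (method, path), n in sorted(shadow.items(), key=lambda kv: -kv[1]):
        print(f"SHADOW  {method:6} {path}  ({n} requests)")
    for method, path in unused:
        print(f"UNUSED  {method:6} {path}")
```

Both lists are worth acting on: shadow endpoints are the ones no policy was ever written for, and unused catalogued endpoints are candidates for retirement, which shrinks the surface the gateway has to protect.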

Closing Thoughts: A Blueprint for Scalable Security

Dan Temkin’s APIsec|CON 2025 session wasn't just a call to action—it was a blueprint for a better, more secure, and more scalable future.

Gateways aren't just tech infrastructure—they're your governance layer, trust layer, and AI control plane.

Whether you're a CISO, platform engineer, or DevSecOps lead, the path forward is clear:
Stop relying on fear. Start building security as a product.
