From Fear to Framework: How API Gateways Can Enable Secure Innovation

At APIsec|CON 2025, Dan Temkin, now with Kong Inc., delivered a powerful reality check—and an optimistic vision—for the future of API security. With decades of experience from State Farm to IBM, Dan offered a deep dive into the dual nature of APIs: they’re both an attack vector and a massive business enabler.

In a sea of anxiety-inducing breach statistics and horror stories, Dan’s message was refreshingly clear: security should not be a blocker. When implemented wisely, especially through gateway-driven models, API security becomes a foundation for business agility, compliance, and trust.

The Evolution of APIs: From Backend Glue to Brand Identity

Dan walked attendees through the historical shift in API usage:

• Backend Integration: Originally meant to connect monoliths or cross-language services.
• Technical Infrastructure: API gateways emerged to manage service sprawl.
• Business Innovation Layer: Today, APIs represent brand identity and digital capability—often requested directly by business leaders.

This evolution means that security can't remain a developer-only responsibility. It must be a platform concern, governed, monitored, and scaled across environments.

The False Security of Fear

Security presentations often rely on fear, uncertainty, and doubt (FUD)—and Dan acknowledged their emotional power. But he also warned that FUD-driven security leads to:

• Short-term fixes
• Disbanded working groups
• Lack of executive buy-in

Instead of asking “What happens if we’re breached?” Dan reframes the conversation:

“What’s the value of securing the next million API transactions?”

This shift transforms security into a growth strategy, not just risk management.

Why API Gateways Are the Foundation of Secure Scale

Dan strongly advocates for using API gateways as a centralized policy enforcement point. Here's why:

✅ Consistency Across Environments

Whether you're running on mainframes, Kubernetes, or edge clouds—gateways apply security policies uniformly, reducing developer burden.

✅ Declarative Security

Gateways make it possible to define security policies as code—rate limits, token mediation, TLS upgrades—without diving into each microservice repo.

✅ Faster Compliance

Need to enforce TLS 1.3 or update cipher suites? Gateways let you push those changes instantly across thousands of APIs.

✅ AI Gateway Support

Kong’s new AI gateway helps manage LLM-specific security concerns:

• Semantic prompt guards
• Provider-agnostic LLM routing
• Decoupled monetization strategies

This future-proofs your architecture against the fast-moving AI landscape.

Why Developer-Centric Security Isn’t Enough

Despite efforts to “shift left,” Dan emphasizes that developers aren’t a collective:

• Different languages and frameworks
• Varied security expertise
• Rapid turnover

Trying to harden APIs at the code level alone leads to constant firefighting. Gateway-driven, runtime protection allows organizations to “shift right”—without sacrificing speed or security.

Reframing the API Security Narrative

To engage stakeholders and secure funding, Dan recommends changing the language:

• From: "APIs are an unacceptable risk"
• To: "APIs unlock business agility"

This subtle shift encourages:

• Executive buy-in
• Continuous investment
• Long-term cultural change

Security becomes a business enabler, not a blocker.

What Should DevSecOps Teams Do Next?

1. Audit Your API Estate
   Don’t assume visibility—catalog everything.
2. Implement Declarative Gateways
   Choose tools that support config-based enforcement, like Kong.
3. Secure Internal APIs Too
   Risk isn’t just at the edge. Legacy services need love too.
4. Train Continuously
   Developers need practical, code-integrated security education—not just phishing simulations.
5. Lead with Trust
   Your APIs represent your brand. Secure them like your storefront.

Closing Thoughts: A Blueprint for Scalable Security

Dan Temkin’s APIsec|CON 2025 session wasn't just a call to action—it was a blueprint for a better, more secure, and more scalable future.

Gateways aren't just tech infrastructure—they're your governance layer, trust layer, and AI control plane.

Whether you're a CISO, platform engineer, or DevSecOps lead, the path forward is clear:
Stop relying on fear. Start building security as a product.

‍