API Security: Why Protecting Your API Layer Is Not Optional

January 14, 2025

Organisations have been securing web applications with firewalls and web application firewalls for long enough that those controls feel established. They are not sufficient for APIs, and the gap between what most organisations have deployed and what their API layer actually needs has become one of the more commonly exploited weaknesses in enterprise environments.

The reason is structural. Web applications are designed to present a limited interface to users. APIs are designed to expose data and functionality programmatically, often without any user interaction at all. That makes them inherently different from a security standpoint, and it means the controls that work for one do not automatically cover the other.

What Makes APIs Architecturally Different

A traditional web application renders pages for a human user navigating a browser. There are visual and interaction constraints that shape what a user can do. An API has no such constraints. A legitimate caller and a malicious caller send the same type of request. The API's job is to serve data or execute functions to anyone who presents a valid credential, and often the definition of "valid" is broader than it should be.

APIs also expose business logic directly. A web application might show you an account balance on a page. An API might expose an endpoint that returns any account balance if you call it with the right account identifier. The difference matters enormously when you consider that API identifiers are often predictable, that authorisation logic in APIs has historically been inconsistently implemented, and that API responses frequently include more data than the calling application actually uses. This last point, known as over-exposure, means that even a correctly authorised API call can return data the caller was not supposed to receive.

What a WAF Does Not Cover

Web application firewalls inspect HTTP traffic for known attack patterns. They block SQL injection, cross-site scripting, and common exploitation signatures. For APIs, this catches a subset of attacks. What it does not catch is broken object-level authorisation, where an authenticated user accesses another user's resources by changing an identifier in the request. It does not catch excessive data exposure from APIs that return full objects when they should return filtered fields. It does not catch business logic abuse, where a legitimate endpoint is called in an unintended sequence or at an unintended volume.

These API-specific weaknesses are consistently at the top of published lists of API security failures. They require API-specific controls: discovery to understand what APIs exist and what they expose, schema validation to ensure requests conform to what the API is supposed to accept, authorisation testing to verify that access controls work at the object level and not just the endpoint level, and behavioural monitoring to detect unusual usage patterns that indicate abuse.

Discovery Is the First Problem

Most organisations do not have an accurate inventory of their APIs. Internal APIs built by development teams, third-party APIs consumed via integrations, legacy APIs that were supposed to be decommissioned, and APIs exposed by SaaS platforms your organisation uses all contribute to an attack surface that is rarely fully mapped. Attackers do map it, using the same discovery techniques that API security tools use.

API discovery should be a continuous process rather than a point-in-time exercise. New APIs appear when new features are deployed. Old APIs persist because decommissioning requires coordination between teams that do not always communicate. An API that is not in the inventory is not in the monitoring scope, and an unmonitored API is an undetected attack path. Getting visibility across the full API estate is a prerequisite for everything else.

Authentication and Authorisation Are Not the Same Thing

The most common authorisation failure in APIs is treating authentication as sufficient. An API that requires a valid token before responding has handled authentication. Whether that token holder is permitted to access the specific resource they requested is an authorisation question, and it is a question that API implementations answer incorrectly with significant frequency.

Broken function-level authorisation and broken object-level authorisation are distinct failure modes. Function-level failures allow authenticated users to call administrative endpoints they should not have access to. Object-level failures allow authenticated users to access another user's data by changing an identifier. Both require authorisation logic that checks not just whether the caller is authenticated, but whether this authenticated caller is permitted to perform this action on this specific resource. Testing for these failures requires more than a WAF. It requires deliberate authorisation testing as part of development and ongoing API monitoring in production.

To discuss API security controls for your organisation, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Defensive Security
Written by
Shahbaz Rasheed
Managing Director
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?