W H I T E PA P E R

API Security
Fundamentals
Table of Contents

Introduction How do you protect internal APIs and

business-to-business APIs? 16
API security fundamentals 3
Do API gateways have built-in security? 17
API Basics
What is a web API? 4 What are the most common API
misconfiguration errors? 17
What are the most common types of
APIs and API terms? 4 What are API attacks? 19

What is the difference between APIs What is credential stuffing for APIs? 19
and endpoints? 4 What is data exfiltration through APIs? 19
What is a north-south API? 7 API Security Solutions and Trends
What is an east-west API? 7 What are the latest trends in API security? 20

What are the differences between B2C What is signature-based API security? 20
APIs and B2B APIs? 8
What is API detection and response? 21
What are the differences between private
What is advanced API threat protection? 21
APIs and public APIs? 9
What is an API security platform? 22
API Security Explained
What is an API company? 22
What is API security? 10
What is threat hunting in APIs? 23
How big is the API security problem? 12
What is WAAP? 23
How is API security different from
application security? 12 API Security Best Practices
What are the best practices for What is an API documentation example? 24
protecting APIs? 13
Is there an API security checklist
API Security Risks and Abuse businesses should follow? 24

What is an API vulnerability? 14 Is there an API taxonomy that security

teams should understand? 25
How can APIs be abused? 15

What is a zombie API? 15

How can I find the various types of

shadow APIs? 16

akamai.com | 2
Introduction

API security fundamentals

API security is one of the fastest-growing priorities for security executives. But it’s also
arguably one of the least understood. The evolution of application programming interfaces
(APIs) from implementation detail to strategic enabler of innovation has been a rapid one.
As a result, many security teams are scrambling to increase the sophistication of their API
security strategies and practices.

APIs are enabling business operations, but they also carry the crown jewels of an
organization’s data. Even perfect APIs can be abused by hackers, so it’s essential to know
the fundamentals of API security to protect your business from evolving threats. As more
customer interactions and business processes use APIs, enterprise security teams are
reworking their security strategies to put API risks at the forefront.

Whether you’re looking to touch up on your basics or unsure of what questions to ask,
read our guide for everything you need to know about API security threats, trends, and
best practices. You’ll get an in-depth look at:

• The different types of APIs

• What API security means for businesses today

• Best practices for mitigating API security risks

• Common API attacks and abuse methods

akamai.com | 3
API Basics

What is a web API?

A web API is a programmatic interface consisting of one or more endpoints to a defined
request–response message system, typically expressed in JSON or XML, which are
publicly exposed via the web — most commonly by means of an HTTP-based web server.

In other words, a web API is what most people think of when they hear “API.” It’s a
collection of endpoints. Endpoints consist of resource paths, the operations that can be
performed on these resources, and the definition of the resource data (in JSON, XML,
protobuf, or another format).

The term is useful to differentiate web APIs from other APIs, such as those exposed by
the operating system or by libraries to applications running on the same machine. But we
all understand “APIs” to mean HTTP-based (web) APIs when we talk about the enterprise
digital transformation and API security.

What are the most common types of APIs and API terms?
It is helpful for security teams to be familiar with the following terms that refer to
different usage models and technology approaches for API implementations. Web APIs
are defined as being based on HTTP, and the four main types of web APIs seen today are
RESTful, SOAP, GraphQL, and gRPC. The following table defines these four common
types, among others.

akamai.com | 4