
13 API Security Questions 1733501101

This white paper discusses the rapid growth of business-to-business APIs and the accompanying security challenges they present, such as stolen credentials and data leakage. It emphasizes the need for effective API security solutions and provides 13 critical questions to evaluate API security vendors. The document highlights the importance of comprehensive API discovery to ensure visibility and protection against potential threats.

Uploaded by

Rafael Maia

WHITE PAPER

13 Questions to Ask Your API Security Vendor

Introduction

The network of business-to-business APIs is growing exponentially. And an expanding
universe of Internet of Things devices is providing new opportunities for developers to
bring real-world data into applications through APIs.

But while APIs unlock many new opportunities for innovation and growth, they also
introduce a new set of security challenges, including:

• Stolen API credentials

• Undetected API reconnaissance

• Misconfigured authentication and authorization

• Unprotected shadow and zombie APIs

• Remote code execution, injection, local file inclusion, and other attack techniques

• Data leakage or exfiltration

• API scraping

• Business logic abuse

Security vendors offer many options for detecting and mitigating these and other API
threats, but those options are not all equally effective or easy to use.

The following 13 questions will help you frame your discussions with API security
vendors and assess how effectively their products will address your organization’s API
security needs.

1. Is your API security product capable of performing enterprise-wide API discovery?
One of the biggest problems that security teams face is that they don’t have a complete
and accurate inventory of all the APIs that their organization exposes. Many of the
undocumented shadow APIs that security teams miss are not part of the formal API
management and security framework. It’s also common that zombie APIs — those that
the organization thought were retired — are still accessible. And even among sanctioned
and documented APIs, there may be undocumented API parameters that can be
exploited. Discovery of all north-south, east-west, and outbound APIs is imperative.
The only way to ensure complete, enterprise-wide API visibility is by examining existing
API activity data from a wide array of technologies and cloud platforms.
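
The comparison described above, as an added example (not from the white paper or any vendor product): constructed gateway log lines are checked against a constructed API inventory to surface zombie APIs, shadow APIs, and undocumented parameters. The inventory, the three-field log format, and the rule that a 2xx/3xx response means an endpoint is live are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed inventory: documented endpoints and their documented query parameters.
DOCUMENTED = {
    ("GET", "/v2/orders/{id}"): {"expand"},
    ("GET", "/v2/customers"): {"page", "limit"},
}
# Constructed list of endpoints the organization believes are retired.
RETIRED = {("GET", "/v1/orders/{id}")}

# Constructed API activity data: method, request target, response status.
SAMPLE_LOG = """\
GET /v2/orders/1001?expand=items 200
GET /v2/customers?page=2&debug=true 200
GET /v1/orders/1001 200
POST /internal/export 200
GET /v1/orders/77 404
GET /v2/orders/1002 200
"""

def normalize(path):
    # Collapse numeric segments so /orders/1001 and /orders/1002 are one endpoint.
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def discover(log_text):
    findings = {"shadow": set(), "zombie": set(), "undocumented_params": set()}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        method, target, status = parts
        if status[0] not in "23":
            continue  # assumption: only 2xx/3xx shows the endpoint is live
        url = urlsplit(target)
        key = (method, normalize(url.path))
        if key in RETIRED:
            findings["zombie"].add(key)      # thought retired, still answering
        elif key not in DOCUMENTED:
            findings["shadow"].add(key)      # live but absent from the inventory
        else:
            for name, _ in parse_qsl(url.query, keep_blank_values=True):
                if name not in DOCUMENTED[key]:
                    findings["undocumented_params"].add(key + (name,))
    return findings

if __name__ == "__main__":
    for kind, items in discover(SAMPLE_LOG).items():
        print(kind, sorted(items))
```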

akamai.com | 2
