APIs: The Backdoor Hackers Love

In today’s cloud-first world, your APIs aren’t just powering innovation, they’re exposing your organization to attacks. 

Not long ago, enterprise security was defined by the strength of its perimeter: hardened networks, firewalls, intrusion prevention systems, and locked-down endpoints. The model was simple—keep threats outside and allow trusted internal operations to flow without interruption. That “castle-and-moat” philosophy worked when operations were centralized. But in today’s cloud-first, mobile, hyperconnected world, the perimeter has shifted. Your Application Programming Interfaces (APIs) are now the new enterprise boundary—and one of the fastest-growing attack surfaces.

Why APIs are the biggest cybersecurity risk today

As traditional defenses matured, adversaries adapted. Instead of battering firewalls, they target the seams of digital ecosystems: stolen credentials, misconfigured cloud services, mobile endpoints, and especially the APIs silently binding everything together. Too often, APIs are deployed rapidly, inconsistently governed, and insufficiently monitored, making them a prime entry point for attackers.

The Expanding API Attack Surface

[Figure: Growing API Landscape]

APIs are the circulatory system of modern business and government. They power mobile applications, enable partner integrations, move sensitive data across cloud and on-prem environments, and drive citizen services. But ubiquity brings risk:

  • Shadow APIs — overlooked, undocumented, or forgotten services and endpoints invisible to security teams.
  • Weak or missing authentication — leaving services exposed.
  • Excessive data exposure — APIs returning more information than necessary.
  • Lack of runtime monitoring — allowing abuse, injection attacks, and credential stuffing to slip through.

In the era of Zero Trust, unsecured APIs are equivalent to leaving sensitive applications open to the public internet without controls. The question is no longer whether attackers will test your APIs: it’s whether your organization has the visibility and protection in place to stop them WHEN the attacks begin.

The Surge in API-Based Attacks

The data is clear: API exploitation is accelerating at an unprecedented pace. Akamai’s 2025 API Security Report found that 84% of organizations experienced an API-related incident, up from 78% in 2023.

Research from Salt Labs found that 99% of enterprises faced API security issues, with more than half suffering a breach. Even more concerning, Salt Labs research shows that 95% of these attacks used authenticated sessions—attackers weren’t brute-forcing from the outside; they were using stolen or misused credentials to impersonate trusted users.

Meanwhile, the Traceable AI 2025 Global API Security Report found that only 21% believe they can detect API attacks, and just 13% say they can prevent more than half of them.

[Figure: OWASP Top 10 API Threats]

These numbers are staggering, given the diverse attack vectors and repeatable nature of these attacks:

  • Broken Object-Level Authorization (BOLA) and injection flaws continue to dominate, accounting for over a third of incidents.
  • Shadow APIs and misconfigured endpoints expose sensitive data unintentionally.
  • Credential stuffing and API key leakage—as seen in the Postman breach (Dec 2024), where thousands of real keys and tokens were exposed—create pathways into core systems.
  • High-profile compromises such as the Dell API partner portal breach in 2024 (49 million customer records) and recurring telecom and SaaS leaks demonstrate the scale of the problem.
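
The BOLA item above and the finding that most attacks ride on authenticated sessions describe the same gap: the API knows who is calling but never checks that the requested object belongs to them. The following is an added example, not code from the article or from any product it names; `INVOICES`, `Caller`, `get_invoice_vulnerable`, `get_invoice` and the `billing-admin` role are hypothetical. It shows the flawed handler beside one that enforces object-level authorization and allow-lists response fields to limit data exposure.

```python
from dataclasses import dataclass

# Constructed sample data store: invoice id -> record (hypothetical).
INVOICES = {
    101: {"id": 101, "owner": "alice", "amount": 120.0,
          "card_last4": "4242", "internal_note": "vip"},
    102: {"id": 102, "owner": "bob", "amount": 75.5,
          "card_last4": "1881", "internal_note": "chargeback risk"},
}

# Fields a client may see; everything else stays server-side.
PUBLIC_FIELDS = ("id", "amount")


@dataclass(frozen=True)
class Caller:
    """Identity taken from an already validated session or token."""
    user: str
    roles: frozenset = frozenset()


class NotFound(Exception):
    pass


def get_invoice_vulnerable(caller, invoice_id):
    # BOLA: the caller is authenticated, but any id they supply is served,
    # and the full record (internal fields included) is returned.
    return INVOICES[invoice_id]


def get_invoice(caller, invoice_id):
    record = INVOICES.get(invoice_id)
    allowed = record is not None and (
        record["owner"] == caller.user or "billing-admin" in caller.roles
    )
    # Same error for "missing" and "not yours" so the response does not
    # confirm which ids exist.
    if not allowed:
        raise NotFound(f"invoice {invoice_id}")
    # Excessive data exposure: return only allow-listed fields.
    return {field: record[field] for field in PUBLIC_FIELDS}
```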

Industry experts warn: API-based attacks are on track to surpass traditional web exploits as the #1 cause of enterprise breaches. With adversaries increasingly automating reconnaissance and exploitation, APIs are both the backbone of digital innovation and the most attractive modern attack surface.

How AI is Accelerating the Threat

Generative AI and automation are amplifying these risks. Attackers now use AI to:

  • Automate reconnaissance across entire API ecosystems.
  • Optimize credential stuffing and bypass authentication.
  • Craft injection payloads at scale.
  • Exploit stolen data more effectively.

What once took weeks of manual effort can now be executed in hours. Without robust API security, organizations are ceding speed and scale advantages to adversaries.

API Security in Government and Defense

Private enterprises risk financial loss, reputational harm, and regulatory penalties. For U.S. federal government agencies and the Department of Defense (DoD), the stakes are higher. APIs drive tax systems, healthcare portals, defense logistics, and mission data flows. A compromise here risks more than data—it can erode public trust, disrupt essential services, or even jeopardize national security.

Federal agencies and the DoD are particularly reliant on APIs to support mission-critical operations. These APIs enable inter-agency collaboration, contractor integrations, and cloud-first initiatives, but they also create significant exposure:

  • Inter-agency APIs expand attack paths if trust boundaries aren’t enforced.
  • Defense supply chain integrations risk cascading compromise.
  • Operational technology APIs may expose logistics or weapons platforms.
  • Cloud-first mandates elevate APIs as mission-critical connective tissue.

Nation-state actors and criminal groups alike recognize the immense payoff of breaching a federal or DoD API: unauthorized access to mission data, classified communications, or sensitive citizen records.

Close the API Gaps: OpenText Application Security Testing and Secure API Manager

Effective API defense requires layered protection across the entire lifecycle—from development to production. This is where OpenText Application Security Testing and OpenText Secure API Manager deliver end-to-end resilience by working together to identify and shut down vulnerabilities that attackers, increasingly aided by AI, are exploiting.

OpenText Application Security Testing: Secure APIs at the Source

OpenText Application Security Testing integrates into the software development lifecycle (SDLC) to uncover API vulnerabilities like BOLA, injection flaws, and weak authentication before deployment. With static application security testing (SAST) and dynamic application security testing (DAST), the system analyzes both source code and runtime behavior to pinpoint weaknesses in authentication logic, data exposure, and access controls. This “shift-left” approach dramatically reduces exploitable attack surfaces—especially against AI-driven scanning.

OpenText Secure API Manager: Apply Real-Time Defenses

Once APIs are deployed, runtime protection becomes critical. OpenText Secure API Manager protects live environments with:

  • Fine-grained access controls and policy enforcement—even against compromised accounts.
  • Payload validation to stop AI-generated injection and manipulation attempts.
  • Continuous monitoring and anomaly detection that flags bot-driven reconnaissance or credential-stuffing campaigns in real time.
  • Visibility into shadow APIs to eliminate blind spots.
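
Two of the runtime checks listed above can be illustrated over gateway access logs: finding endpoints that serve traffic but are missing from the documented inventory, and flagging sources that fail logins against many distinct usernames. This is an added example and does not show how Secure API Manager works internally; the log format, the `DOCUMENTED` inventory, the function names and the threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Documented inventory, e.g. exported from an OpenAPI spec (constructed).
DOCUMENTED = {("POST", "/v1/login"), ("GET", "/v1/orders")}

# Constructed gateway log: "<ip> <method> <path> <status> <username or ->"
SAMPLE_LOG = """\
203.0.113.7 POST /v1/login 401 alice
203.0.113.7 POST /v1/login 401 bob
203.0.113.7 POST /v1/login 401 carol
203.0.113.7 POST /v1/login 401 dave
203.0.113.7 POST /v1/login 200 erin
198.51.100.4 POST /v1/login 401 frank
198.51.100.4 POST /v1/login 200 frank
198.51.100.4 GET /v1/orders 200 frank
198.51.100.9 GET /v0/export 200 -
"""


def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed lines instead of failing the run
        ip, method, path, status, user = parts
        yield ip, method, path, int(status), user


def shadow_endpoints(log, documented=DOCUMENTED):
    """Endpoints that answered traffic but are not in the inventory."""
    return sorted({(m, p) for _, m, p, status, _ in parse(log)
                   if (m, p) not in documented and status != 404})


def stuffing_suspects(log, login_path="/v1/login", min_users=4):
    """Source IPs with failed logins against many distinct usernames.

    A user mistyping a password produces one username per source;
    credential stuffing produces many usernames from one source.
    """
    failed = defaultdict(set)
    for ip, _, path, status, user in parse(log):
        if path == login_path and status in (401, 403):
            failed[ip].add(user)
    return sorted(ip for ip, users in failed.items() if len(users) >= min_users)
```

In production the threshold would be applied per time window and tuned against normal traffic, since shared NAT addresses can also produce several usernames from one IP.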

Aligned with Zero Trust mandates and identity standards (OAuth 2.0, OpenID Connect), Secure API Manager ensures every API call is authenticated, authorized, and inspected. This not only ensures compliance, but delivers the desired protection, visibility, governance, and outcomes for department applications and workloads.

Together: Closed-Loop API Protection Against AI-Driven Threats

Where OpenText Application Security Testing removes vulnerabilities during development, Secure API Manager continuously monitors and blocks threats in production. This closed-loop defense approach ensures APIs are not only secure by design, but resilient in the face of evolving AI-powered attack strategies.

Why This Matters Now

Cybersecurity Awareness Month is a reminder that protecting our organizations requires more than patching endpoints or training against phishing. APIs are now the unseen perimeter—spanning enterprises, powering citizen services, and underpinning defense operations. Left unchecked, they are the back doors attackers are counting on.

By combining an agile, secure-by-design SDLC with continuous monitoring and policy enforcement, organizations can shut down these API security gaps before they are exploited and achieve desired Zero Trust outcomes in the process. For the federal government and DoD, it means safeguarding missions, citizens, and national security.

Learn more about protecting APIs with OpenText Application Security Testing (formerly OpenText Fortify) and OpenText Secure API Manager (formerly OpenText NetIQ):

MFGS, Inc. is the trusted advisor to the U.S. Government, its partners, and system integrators for achieving optimal efficiency throughout an agency’s enterprise software architecture. We bring a comprehensive portfolio of enterprise-grade software capabilities and a deep understanding of how DOD agencies operate to support your entire software development lifecycle, enabling you to securely plan, build, deliver, and run agency missions. 


 

Article written by Jeremy Kelly, an external cybersecurity professional.