How an invisible threat is putting our data—and trust—on the line
What do the theft of 49 million Dell customer records and the quiet scraping of Verizon call logs have in common?
Both stemmed from a single point of failure: insecure APIs.
APIs—the software glue that connects apps, services, and platforms—are now essential to everything from logging into your bank account to tracking your Uber Eats order. But as our reliance on them grows, so too do the cracks in the foundation. The truth is: many APIs today are fundamentally broken from a security standpoint. And what’s more disturbing is that everyone seems to know it—but few are doing anything about it.
This isn’t some fringe problem. It’s a systemic failure across industries.
In 2025, we’re still seeing companies—big and small, regulated and not—relying on static API keys, long-lived bearer tokens, and OAuth setups that are barely better than a username and password.
A recent study by Raidiam, profiling 68 organizations across various sectors, found that a staggering 84% had API security measures that were completely misaligned with the sensitivity of the data they handled. We’re talking payment systems, medical records, even identity verification endpoints—secured with little more than duct tape and hope.
So how did we get here? And more importantly, what needs to change?
The API Explosion—And Its Growing Pains
APIs are everywhere. Behind the scenes, they power your social feeds, enable e-commerce checkouts, allow allow apps to talk to payment providers, and let developers access powerful models like GPT or Claude.
But in the rush to innovate, security has often been an afterthought.
The reason? APIs are built fast. Speed is the name of the game in SaaS and app development. The faster you launch features or integrate third-party services, the better. Unfortunately, speed often comes at the cost of security architecture.
That’s especially true outside of tightly regulated industries like banking, where standards like Open Banking force companies to use strong protections like mutual TLS and certificate-bound tokens.
For everyone else? It’s the Wild West.
Many companies still rely on:
Static API keys hardcoded into apps
Basic OAuth 2.0 with shared client secrets
No real client identity verification
Overly broad permissions with no role- or attribute-based access control
And perhaps most damning: less than half conduct regular API security testing, and even fewer monitor their APIs in real-time for unusual behavior.
In short: the doors are open, and nobody’s watching them.
When “Act Urgently” Is an Understatement
Raidiam’s 2025 API Security Report lays out the problem with uncomfortable clarity. Of the 68 organizations surveyed:
84% fell into the “Act Urgently” category, meaning their API security was dangerously insufficient given the data they handled.
15% were in the “Start Planning” group, with some protections but still serious gaps.
Just 1 company—a participant in a regulated Open Banking framework—met the gold standard for secure APIs.
Let that sink in: 1 out of 68 had protections that matched the sensitivity of their APIs. That’s not a warning bell—it’s a five-alarm fire.
And it’s not theoretical. Dell’s massive breach in 2023 wasn’t due to some zero-day vulnerability. The attacker simply registered as a fake partner, found an unsecured API that accepted a service tag ID, and used it to scrape tens of millions of customer records—at a rate of 5,000 requests per minute. No rate limiting. No anomaly detection. No monitoring.
That’s all it took.
The Everyday Risks You Probably Don’t See
If you’re not a developer, all this may sound abstract. But the consequences are real—and personal.
Let’s say you use a budgeting app that connects to your bank via an API. You trust that app to access sensitive financial data. But what if their API accepts static tokens that never expire? Or doesn’t verify that the incoming request is really from your phone and not a bot? If those tokens are ever stolen—say, from a server log or a compromised mobile device—your financial data could be exposed in seconds.
And because many companies don’t monitor API usage closely, they may not even realize the breach is happening until it’s far too late.
One survey respondent admitted that an attacker had been scraping customer data for weeks via their API before anyone noticed.
That's like someone robbing your house slowly, day by day, while you sleep—and you don’t find out until they’ve taken everything.
Why Are So Many APIs So Broken?
There are a few reasons this problem persists:
1. Security Isn’t Built Into the Culture
Most developers aren't trained in secure API design. They’re rewarded for building features quickly, not for protecting endpoints. And without cross-team collaboration between engineering and security, API flaws slip through the cracks.
2. No Regulatory Pressure
Unlike banks, fintechs, and healthcare providers, most industries face little to no oversight when it comes to API security. If there's no penalty for doing it wrong, why invest in doing it right?
3. Outdated Practices Stick Around
Static API keys and shared secrets are still the norm, even though we’ve had better options for years. Practices like mutual TLS, private-key JWTs, and certificate-bound tokens are considered “too complex” for many teams—so they default to convenience over safety.
4. Visibility Is Low
Without proper logging, monitoring, and alerting, companies don’t know what their APIs are doing. And you can’t fix what you can’t see.
The Path Forward: Modern Security Is Here—Just Not Used
The good news? We already have the tools to fix this.
Modern API security isn’t some futuristic pipe dream. It’s built on proven, scalable methods that are already being used in regulated sectors:
Strong Authentication
Use mutual TLS (mTLS) to require both client and server to present valid certificates.
Prefer private-key JWTs for OAuth clients instead of shared secrets.
Bind tokens to certificates so they can’t be replayed by attackers.
Fine-Grained Authorization
Implement scoped OAuth tokens that grant only the permissions needed—nothing more.
Move beyond basic RBAC (Role-Based Access Control) and adopt ABAC (Attribute-Based Access Control) when possible.
Continuous Monitoring
Watch for anomalies: sudden spikes in traffic, strange IPs, failed auth attempts.
Alert and respond quickly when something looks off.
Rotate credentials regularly and use short-lived tokens that expire quickly.
Secure by Design
Conduct dedicated API security testing, including fuzzing and penetration tests.
Use composition analysis to identify insecure third-party libraries.
Enforce API reviews and security sign-off before production releases.
All of these measures are achievable with the right combination of tools and commitment. And as the Raidiam report points out, organizations that adopt them are better positioned not just to avoid breaches—but to build customer trust and regulatory resilience.
The Bigger Picture: Security Is a Business Imperative
Let’s be honest: most companies won’t prioritize API security until it’s too late—until a breach happens, headlines erupt, and customers walk away.
But forward-thinking leaders don’t wait for disaster. They prepare for it.
JPMorgan Chase’s Chief Information Security Officer made waves earlier this year with a candid open letter warning vendors that today’s API-driven software supply chain is “quietly enabling cyber attackers.” He pointed out that in the race to ship features, too many companies are launching products “without comprehensive security built in—or even enabled by default.”
If that’s true for the world’s most sophisticated bank, what does that say about everyone else?
So, What Should Companies Do?
Here's a simplified roadmap from the Raidiam report:
1. Recognize the Risk
Stop pretending this isn’t your problem. Every company with APIs is exposed.
2. Build Security Into Culture
Train your teams. Make API security part of your engineering objectives, not just a checkbox for compliance.
3. Fix the Glaring Gaps
If you’re still using static API keys, fix it—today. Add rate limiting, monitoring, and revocation mechanisms. Audit your tokens and scopes.
4. Adopt Modern Identity
Move to mutual TLS, certificate-bound tokens, and OAuth with strong client authentication.
5. Engage Experts
You don’t have to do it alone. Leverage platforms and partners that specialize in API security. Many offer plug-and-play solutions to enforce mTLS, monitor behavior, and prevent abuse in real-time.
Conclusion: The API Reckoning Is Here
We’ve reached a turning point. APIs are no longer just developer tools—they’re high-value targets.
The message from experts, CISOs, and the data itself is clear: API security can no longer be optional. If you’re not actively improving it, you’re falling behind. And the next breach could be yours.
Yes, implementing mTLS or rotating credentials may seem like a chore. But compared to the cost of a data breach, lost trust, and regulatory penalties—it’s a bargain.
It’s time to stop kicking the can down the road. The attackers aren’t waiting. Neither should we.