Key Takeaways<\/p>\n
- \n
- The attack surface has relocated.<\/strong> Instead of a single website, today there are dozens of APIs behind apps, integrations, and partner connections-each with its own data access.<\/li>\n
- BOLA tops the OWASP list.<\/strong> Broken Object Level Authorization-where incrementing a foreign ID is enough-is one of the most common API flaws and rarely appears in intentionally written code.<\/li>\n
- You only protect what you know.<\/strong> Shadow and zombie APIs from old releases are the silent problem. An API inventory is step one, not step five.<\/li>\n
- The countermeasures are unglamorous.<\/strong> Object-level authorization, rate-limiting, schema validation at the gateway. It\u2019s about configuration and discipline-not an expensive appliance.<\/li>\n<\/ul>\n<\/div>\n
Related:<\/span>Shared Kernel as a Vulnerability: How Container Escapes Succeed<\/a> \/<\/span> 14 Malicious npm Packages in 4 Hours: Why Static Third-Party Checks Fall Short<\/a><\/p>\n
Why the Attack Surface Has Moved Behind the App<\/h2>\n
A decade ago, the website was the gateway. Today, it\u2019s just the facade-APIs do the heavy lifting behind the scenes. The mobile app talks to an API, the partner portal pulls data through an API, the ERP syncs via an API, and the AI assistant someone just integrated? It calls an API too. Each of these connections is a door through which data flows in and out.<\/p>\n
\n![\"Close-up](\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/st-inline-260608-hero.jpg\")
APIs are often coded quickly to serve an app, with security checks deferred for later. Photo: Godfrey Atima \/ Pexels<\/figcaption><\/figure>\n The uncomfortable truth? These doors are far less visible than the front entrance. A pentest might scrutinize the web app, but an API endpoint used only by a mobile app can easily slip through the cracks. I\u2019ve lost count of how many times I\u2019ve stumbled upon an API the team swore no longer existed.<\/p>\n
BOLA and the OWASP List: Where It Specifically Fails<\/h2>\n
What is API Security?<\/strong> API security encompasses the measures that protect an interface from misuse: correct authentication, authorization at the object and function level, load limitation, and verification of the data passed. It differs from classical web security because in an API, every call directly hits the business logic without a protective surface in front of it.<\/p>\n
The OWASP API Security Top 10 is the most useful map for vulnerabilities that actually occur in practice. At the top is BOLA, Broken Object Level Authorization. The server checks if someone is logged in, but not if the requested object also belongs to them. A call to \/api\/orders\/1043<\/span> delivers their own order, a call to \/api\/orders\/1044<\/span> delivers someone else’s. No tool needed, a counter suffices.<\/p>\n
Right next to it are broken authentication, where tokens live too long or are checked too leniently, and unlimited resource consumption, where a single client with unbridled requests forces the interface to its knees. None of these gaps are exotic. They arise because an API was built quickly to serve an app, and security questions were postponed to later. This later rarely came in practice.<\/p>\n
\n\n\n
\n \nClassical Perimeter View<\/th>\n API Reality<\/th>\n<\/tr>\n<\/thead>\n \n Protects the visible web application<\/td>\n Dozens of endpoints, many of which are not documented anywhere<\/td>\n<\/tr>\n \n Attack via input fields and sessions<\/td>\n Attack via incremented IDs, token weaknesses, and load<\/td>\n<\/tr>\n \n A WAF covers a lot<\/td>\n Authorization must be located per object in the application<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n Shadow APIs: You Only Protect What You Know<\/h2>\n
The biggest problem is rarely the interface that everyone talks about, but the one that no one remembers. Shadow APIs arise when a team quickly builds an endpoint and never takes it into the official documentation. Zombie APIs are old versions that continued to run after a release because they didn’t hurt anyone. Both are unpatched, unchecked, and often without current access rules.<\/p>\n
Therefore, API security does not start with a tool, but with a list. If you don’t know your endpoints, you can’t secure them, monitor them, or shut them down. This sounds trivial, but it’s the step that most people skip because it looks like drudgery. Without this drudgery, the rest remains cosmetic.<\/p>\n
Five Steps That Carry the Bulk of the Load<\/h2>\n
The good news for medium-sized businesses: API security rarely requires a costly new appliance. It requires consistently doing a few things. These five steps carry the bulk of the load.<\/p>\n
- \n
- Maintain an inventory.<\/strong> Capture every endpoint, including old and unofficial ones. A gateway or a simple scan reveals what’s actually accessible.<\/li>\n
- Check authorization per object.<\/strong> With each call, not only check if someone is logged in, but also if they own the requested object. This is the direct answer to BOLA.<\/li>\n
- Centralize authentication at the gateway.<\/strong> Enforce token checks, expiration times, and scopes centrally, rather than rebuilding them in every application, which is error-prone.<\/li>\n
- Implement rate limiting.<\/strong> A limit per client makes rapid ID testing more difficult and catches overload from a single caller. The actual BOLA fix comes from object authorization in step two.<\/li>\n
- Validate inputs against the schema.<\/strong> Anything that doesn’t match the expected structure is rejected before it reaches the business logic.<\/li>\n<\/ol>\n
None of this is new, and that’s the point. API gaps don’t arise from a lack of knowledge, but because the interface was built under time pressure and security was postponed. Setting this configuration as a standard once is cheaper than the first incident where someone has pulled the orders of the entire customer base.<\/p>\n
The First Step Without a Security Team<\/h2>\n
If you don’t have a security team, don’t start with the most expensive tool, but with the most uncomfortable question: Which interfaces do we have, and who can access which data through them? The answer to this typically reveals more than any purchased scanner. An API gateway, which many cloud providers offer, centralizes authentication, rate limiting, and logging in one place and turns scattered doors into a controlled entrance.<\/p>\n
The rest is attitude. An interface isn’t finished until someone has decided who can call it and what happens if someone does it too often. As long as this decision is missing, the API isn’t a product, but an open window that just hasn’t been found yet.<\/p>\n
Frequently Asked Questions<\/h2>\n
What distinguishes API security from classical web security?<\/h3>\n
Classical web security protects a surface behind which the logic lies. An API has no surface; every call directly hits the logic. Therefore, a WAF isn’t enough; the actual control, especially object authorization, must reside in the application itself.<\/p>\n
What is BOLA and why is it so widespread?<\/h3>\n
BOLA stands for Broken Object Level Authorization. The server checks if a user is logged in, but not if they own the requested object. If someone increments an ID in the request, they see foreign data. It’s widespread because the check is easily forgotten when an API is quickly built for an app.<\/p>\n
Do I need an expensive API security tool?<\/h3>\n
Not at first. An API inventory, object authorization, a gateway for authentication and rate limiting, and schema validation cover the bulk. Specialized tools help with scaling and detecting shadow APIs, but aren’t a substitute for the basics.<\/p>\n
What are shadow and zombie APIs?<\/h3>\n
Shadow APIs are endpoints that were built but never documented. Zombie APIs are old versions that continue to run after a release. Both evade monitoring and often have outdated access rules. They’re a main reason why a complete inventory is the first step.<\/p>\n
Where should a medium-sized business without a security team start?<\/h3>\n
With an inventory: Which interfaces exist, and who can access which data through them? Then use an API gateway, which many cloud providers offer, to centralize authentication, rate limiting, and logging. This is cheaper and more effective than a purchased scanner without basics.<\/p>\n
Editor’s Reading Tips<\/h3>\n
- Check authorization per object.<\/strong> With each call, not only check if someone is logged in, but also if they own the requested object. This is the direct answer to BOLA.<\/li>\n
- BOLA tops the OWASP list.<\/strong> Broken Object Level Authorization-where incrementing a foreign ID is enough-is one of the most common API flaws and rarely appears in intentionally written code.<\/li>\n