Imperva Cyber Community

The API Battleground: Why APIs are the new frontline—and how to stop the stealthiest attacks

By Tim Chang posted 10-20-2025 08:53


Hi Community,

I hope you all enjoyed the API Security session last week, or have had a chance to view the recording here: Know Your Grey-Matter API: Best Practices to Secure Unmanaged APIs Webinar Recording.

API Security is a major focus in the current threat landscape, which is why we produced Imperva’s API Threat Report. Check out my recent blog for the highlights, key takeaways and a link to the full report.


Here is a sneak preview for Community…

That’s why this report matters. It’s not just telemetry — it’s a playbook: how to find forgotten or shadow endpoints, how to validate actions at runtime (not just the shape of a request), how to enforce per-object authorization, and how to tie bot defenses to business KPIs (promo redemptions, refund spikes, reservation velocity) so you stop attacks that look “normal” but are anything but.

The five biggest truths from the report (what every exec should know)

  1. APIs are the primary attack surface now. Attackers prioritize endpoints that map to revenue or identity. Protect those first.
  2. Valid ≠ safe. The most damaging attacks are valid requests that break business logic; they require context, not signatures.
  3. Discovery is non-negotiable. Organizations routinely have 10–20% more live endpoints than they believe. Shadow APIs are a top source of compromise.
  4. Automated, targeted scraping and promo-loop attacks bleed revenue quietly. Read operations are not harmless — enforce object-level rules.
  5. Combine defenses — signatures alone won’t cut it. Runtime schema enforcement, behavior analytics, adaptive throttling and short-lived tokens are core capabilities.
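To make points 2, 4 and 5 concrete, here is an added example (not Imperva's code and not taken from the report) of a read endpoint that first checks the shape of a request at runtime, then applies an object-level ownership rule, then a per-caller velocity limit. The orders, users and request dictionaries are constructed sample data; the "shape only" handler shows why a well-formed request is not automatically a safe one.

```python
"""
Added example (not Imperva's code and not from the API Threat Report): a request
handler that enforces request shape at runtime, then an object-level
authorization rule, then a per-caller velocity limit. All users, orders and
requests are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass

# Constructed sample data: each order belongs to exactly one customer.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()


def validate_shape(request: dict) -> bool:
    """Runtime schema check: GET /orders with a positive integer order_id."""
    return (
        request.get("method") == "GET"
        and request.get("path") == "/orders"
        and isinstance(request.get("order_id"), int)
        and request["order_id"] > 0
    )


def authorize_object(principal: Principal, order_id: int) -> bool:
    """Object-level rule: only the owner, or a support user, may read an order."""
    order = ORDERS.get(order_id)
    if order is None:
        return False  # unknown object: deny rather than confirm it does not exist
    return order["owner"] == principal.user_id or "support" in principal.roles


class VelocityGuard:
    """Sliding-window limit per (user, endpoint); timestamps are caller-supplied seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits: dict = {}

    def allow(self, principal: Principal, endpoint: str, now: float) -> bool:
        key = (principal.user_id, endpoint)
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def get_order_shape_only(request: dict, principal: Principal):
    """'Before': accepts any well-formed request. Valid != safe."""
    if not validate_shape(request):
        return 400, None
    order = ORDERS.get(request["order_id"])
    return (200, order) if order else (404, None)


def get_order_hardened(request: dict, principal: Principal,
                       guard: VelocityGuard, now: float):
    """'After': shape, then velocity, then object-level authorization."""
    if not validate_shape(request):
        return 400, None
    if not guard.allow(principal, "GET /orders", now):
        return 429, None
    if not authorize_object(principal, request["order_id"]):
        return 404, None  # same status as a missing order, so IDs cannot be enumerated
    return 200, ORDERS[request["order_id"]]
```

The velocity check runs before the ownership check so that a burst of lookups against other people's object IDs consumes the caller's budget whether or not any of them succeed, and the hardened handler returns the same 404 for "not yours" and "does not exist" so the response code itself is not an oracle.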


If you have questions after checking out my blog and the report, please post them below. Also, keep your eye on Community for more resources and live demonstrations coming soon. 

We’d love to hear from you!


Tim Chang,

VP, Application Security Product Management


#APISecurity
