<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Curious about how StrongDM works? 🤔 Learn more here!

Search
Close icon
Search bar icon
Search
Close icon
Search bar icon
Blog / Security

4 Things You Can Start Today to Improve Your API Security

Maile McCarthy
by
Contributing Writer and Illustrator
StrongDM
3 min read
Last updated on: March 3, 2023
Found in: Security Webinars
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen
Get a demo
Improve API Security

API use is driving the digital economy as organizations increasingly adopt new technologies to improve business processes, culture, and customer experience. Justin McCarthy, CTO and co-founder of StrongDM, recently sat down with securityboulevard.com and a panel of technology experts to discuss the unique challenges of API security, including the role of testing and automation and the value of making smart trade-offs to improve your API security as well as your peace of mind.

The full panel included:

How can teams adapt to API security challenges? Here’s the recap:

Prioritize Testing 

“Testing early, testing often is super important.”

— Scott Gerlach, StackHawk

APIs serve as the connectors between applications. They’re home to all the good stuff—the data, sensitive information, and other things you want to protect. And as organizations develop more APIs, bad actors are starting to leverage more attacks.

Applications often lack good security integration, making them prime targets. The biggest challenge for security experts, then, is how to integrate security into the lifecycle management of the API

Scott Gerlach says, “We’re already doing unit testing and functional testing and integration testing. Security testing should just be part of that suite. It should be an automated thing that gives you information about whether or not you're making security mistakes.” 

Establish a Culture of Quality

But how to automate? While the future role of AI and automation for security testing is unclear, there are several modern tools that can help you discover and pinpoint problems. Additionally, Scott adds, “having a really good culture of testing and being more and more integrated in that testing culture is really really important and super good for application security health.”

But security teams have long been telling developers to test more often—with mixed results. That’s why Justin McCarthy suggests you look for ways to make testing more engaging. “[D]eclare a hack day for your own staff to attack the API for a day. That's a fun way to sort of get everybody involved.” Clear communication is also crucial.

Learn to Speak the Same Language

“One part of bridging [the cultural disconnect between developers and security teams] is bringing concrete examples instead of a fog of suspicion and confusion.” —Justin McCarthy, StrongDM

Developers want to be security-minded. They want an awareness of potential mistakes so they can detect and prevent problems. Security experts must speak in plain language to communicate security needs in a way that is relevant to non-security members of the team.

In short:

  • Drop the security jargon.
  • Sit with developers and understand the problems they face.
  • Maybe even learn the ticketing toolchain and how to submit a topic.

Security experts don’t need to become developers, but it would improve communication if they could learn a bit of code.

Make Smart Trade-Offs

“Can we kill this thing off?”
— Justin McCarthy

API security depends on a common understanding of the threat landscape from day one. The security conversation should start with the product manager, not the developer. Let them weigh security against revenue-generating features. Get them thinking clearly about the business cost of security violations. Clear communication among management, security, and developers will help teams make smart trade-offs before the API is even built.

Take a similar approach to your existing APIs. Sharon says, “We always ask a prospect: How many APIs do you have? No one knows. Like anything in security, what you cannot see, you cannot protect.” Invest in discovery to find any zombie APIs—those that are running with nobody tending to them. 

These legacy APIs are often still out there because somebody believes that they’re making money. Again, it’s essential to address this at the management level. Is this API really something we want to be running? If so, great. If not, let’s kill it off before it becomes a security problem. 

Final Thoughts

Don’t get overwhelmed. While it’s not possible to prevent, fix, or even detect every threat to API security, it is possible to improve. Get as close to the root of the problem as you can. Find the language that’s meaningful to your customers and your environment. And ultimately, make rational tradeoffs between risk and reward. Everyone is going to feel better when you do.

Did you miss the panel? No problem. You can check out the replay. And if you’re looking to manage infrastructure access and audit the use of those APIs, come on over to StrongDM for a free demo.

About the Author

, Contributing Writer and Illustrator, has a passion for helping people bring their ideas to life through web and book illustration, writing, and animation. In recent years, her work has focused on researching the context and differentiation of technical products and relaying that understanding through appealing and vibrant language and images. She holds a B.A. in Philosophy from the University of California, Berkeley. To contact Maile, visit her on LinkedIn.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

What Is Linux Security? Features, Best Practices & Tools
What Is Linux Security? Features, Best Practices & Tools
Linux powers everything—from servers to IoT devices—and with that power comes a big responsibility: security. Linux security is all about protecting your systems from breaches, misconfigurations, and evolving threats without compromising performance. This guide explores everything from kernel-level protections to enterprise-grade defense strategies—and shows how to simplify Linux security by unifying access, enforcing Zero Trust, and replacing static credentials with identity-based access that works across your entire stack.
How to List All Groups in Linux: Complete Command Guide
How to List All Groups in Linux: Complete Command Guide
One of the most common and straightforward ways to list all groups in Linux systems is by leveraging the Linux "list groups" command. However, this isn’t the only way. There are several alternative methods, such as the "getent" command, the "/etc/group" file, and the "id" command. This guide will explore these methods in detail, so read on to get the full scoop.
A New Era of Vault-Agnostic Secrets Management Is Here
A New Era of Vault-Agnostic Secrets Management Is Here
Discover why traditional secrets management isn't enough. StrongDM Managed Secrets offers vault-agnostic, Zero Trust security with secretless access, dynamic policy enforcement, automated rotation, and unified audits—perfect for complex enterprise environments.
Security vs. Compliance: How to Align The Differences
Security vs. Compliance: How to Align The Differences
Security breaches make headlines, while compliance audits keep teams on edge. The pressure to protect data and meet regulatory requirements is mounting—and often, the lines between security and compliance get blurred. Are they the same thing? Are they working in tandem—or pulling in different directions? This post breaks it down: what security and compliance are, how they intersect, where they differ, and most importantly, how your organization can align the two effectively.
How to Tar a File in Linux: Commands, Examples & Best Practices
In this guide, you'll learn how to create, compress, and extract tar files—plus how to secure access to the systems and data inside them with centralized controls, real-time audit trails, and seamless permission management.