APIs are now at the heart of modern software, with microservices, mobile and web applications, SaaS platforms, and partner integrations all built on them. Today, APIs enable systems to communicate with each other and facilitate the movement of data across organizations at scale.

In a recent webinar, Twain Taylor, editor at Software Plaza, spoke with Eric Herzog, Chief Marketing Officer at Infinidat, about how quickly the API security landscape is changing. The discussion focused on why traditional security approaches struggle in cloud-native, API-first environments and how attackers take advantage of API-specific weaknesses. The conversation also explored what organizations can do to better understand their exposure, detect threats earlier, and reduce risk before issues turn into incidents.

Digital transformation brings speed and flexibility. It also expands the attack surface in ways many security teams are not fully prepared for.

Why APIs are such high-value targets

Unlike traditional web applications, APIs are built for automation rather than human interaction. That design choice makes them especially attractive to attackers.

Automated tools can send large volumes of requests, scan endpoint structures, and scale attacks quickly. No browser is required. No user interface needs to be bypassed.

What makes API attacks especially difficult to detect is how legitimate they appear. Requests can be properly formatted, authenticated, and sent at reasonable rates. As a result, many attacks slip past web application firewalls and perimeter-based defenses without raising alarms.

API security failures are rarely about missing patches. More often, they come down to flawed logic, weak authorization checks, and limited visibility into how APIs behave once deployed.

Common API-first vulnerabilities

Many real-world API breaches are rooted in design and authorization issues rather than classic exploits. These problems are well known, yet they continue to appear in production systems.

Broken function-level authorization enables access to privileged actions without proper role checks. Excessive data exposure occurs when APIs return more information than clients actually need. Mass assignment vulnerabilities appear when APIs accept more input than intended. Shadow and zombie APIs remain accessible long after teams believe they have been retired.

These risks are clearly documented in the OWASP API Security Top 10. The challenge is not awareness. The challenge is keeping security controls aligned with APIs that change faster than most security processes.
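The three weaknesses named above are easiest to see side by side. What follows is an added example, not code from the webinar, the page, or any product it mentions: each weakness as a deliberately vulnerable handler next to its hardened form, with a dict standing in for the database, plain functions standing in for route handlers, and every user record and name constructed for the illustration.

```python
"""Added example (not from the webinar or the page): three of the weaknesses
named above, each as a deliberately vulnerable handler next to its hardened
form. A dict stands in for the database and plain functions for route
handlers; every name and record here is constructed."""
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "user"
    password_hash: str = ""   # server-side only; must never be serialised
    mfa_secret: str = ""      # likewise


def fresh_store():
    """Constructed records so each scenario starts from a known state."""
    return {
        1: User(1, "alice@example.test", "Alice", "user", "hash-1", "secret-1"),
        2: User(2, "bob@example.test", "Bob", "admin", "hash-2", "secret-2"),
    }


class Forbidden(Exception):
    pass


# --- Excessive data exposure: the server returns everything, the client filters
def get_user_vulnerable(store, user_id):
    return asdict(store[user_id])          # leaks password_hash and mfa_secret


PUBLIC_FIELDS = ("id", "email", "display_name", "role")


def get_user_hardened(store, user_id):
    u = store[user_id]
    return {k: getattr(u, k) for k in PUBLIC_FIELDS}   # explicit response allow-list


# --- Mass assignment: the handler binds whatever keys the client sends
def update_profile_vulnerable(store, caller_id, body):
    u = store[caller_id]
    for k, v in body.items():
        setattr(u, k, v)                   # {"role": "admin"} escalates privilege
    return get_user_hardened(store, caller_id)


WRITABLE_FIELDS = {"email", "display_name"}


def update_profile_hardened(store, caller_id, body):
    unknown = set(body) - WRITABLE_FIELDS
    if unknown:                            # strict schema: reject unknown fields, do not silently drop them
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    u = store[caller_id]
    for k in WRITABLE_FIELDS & set(body):
        setattr(u, k, body[k])
    return get_user_hardened(store, caller_id)


# --- Broken function-level authorization: authenticated, but no role check
def delete_user_vulnerable(store, caller_id, target_id):
    store.pop(target_id)                   # any logged-in user can call an admin function
    return {"deleted": target_id}


def delete_user_hardened(store, caller_id, target_id):
    if store[caller_id].role != "admin":
        raise Forbidden("admin role required")
    store.pop(target_id)
    return {"deleted": target_id}


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to check the hardened handlers."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    s = fresh_store()
    print("vulnerable GET leaks:", sorted(set(get_user_vulnerable(s, 1)) - set(PUBLIC_FIELDS)))
    update_profile_vulnerable(s, 1, {"role": "admin"})
    print("after vulnerable PATCH, alice is:", s[1].role)
    s = fresh_store()
    print("hardened PATCH rejects role:", raises(ValueError, update_profile_hardened, s, 1, {"role": "admin"}))
    print("hardened DELETE blocks non-admin:", raises(Forbidden, delete_user_hardened, s, 1, 2))
```

Note that every vulnerable handler is properly authenticated and accepts well-formed input, which is exactly why a perimeter control sees nothing wrong; the fix in each case is a response allow-list, an input allow-list, or a role check in the handler itself.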

Pre-deployment testing and API specs just are not enough

Pre-deployment testing and API specifications play an important role. They set expectations and help catch obvious issues early.

The problem is that most API risks do not surface during testing. They emerge in production. Real users behave differently than test cases. Services interact in unexpected ways. Traffic patterns shift over time. Assumptions that once held true quietly break.

Static tools struggle in these conditions. Once APIs are exposed to real-world usage, a different kind of visibility is required.

Runtime API security: protection while APIs are in use

Runtime API security focuses on protecting APIs while they are actively handling live traffic. Requests and responses are evaluated to ensure they align with expected behavior. Authentication and authorization are enforced continuously rather than assumed. Patterns associated with enumeration, scraping, or abuse are identified and blocked before damage occurs.

This runtime perspective reveals how APIs behave under real conditions, not ideal ones. It exposes misuse that looks legitimate on the surface. Static testing, even when thorough, cannot capture this reality once systems begin operating at scale.

Machine learning anomaly detection

API attacks rarely announce themselves. Many are designed to blend in.

Rule-based detection struggles with this kind of threat. Attackers deliberately shape requests to avoid known thresholds and signatures. The activity stays slow, consistent, and easy to miss.

Machine learning helps fill this gap. By learning normal API behavior over time, models can detect subtle shifts in usage patterns, request sequences, and access frequency. These changes are often small. Taken together, they reveal activity that does not quite fit.

This approach makes it easier to detect long-running and low-volume attacks that traditional controls miss. It also reduces false positives, allowing security teams to focus attention where it actually matters.
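To make the runtime and anomaly-detection points above concrete, here is an added example that is not from the page or the webinar: a detector run over constructed API access-log lines. A fixed requests-per-minute rule, the kind of threshold an attacker can deliberately stay under, misses a low-and-slow object-ID enumeration, while a behavioural baseline learned from normal clients flags it. The log format, client names and traffic shape are all constructed; only the Python standard library is used.

```python
"""Added example (not from the page or the webinar): runtime detection over
constructed API access-log lines. A fixed requests-per-minute rule, the kind
of threshold an attacker can stay under, misses a low-and-slow object-ID
enumeration; a baseline learned from normal clients flags it. Standard
library only; the log format and all client names are constructed."""
import re
import statistics
from collections import defaultdict

# constructed format: "<epoch-seconds> <client> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(?P<t>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
OBJ_RE = re.compile(r"/orders/(\d+)")


def parse(lines):
    """Parse well-formed lines; malformed ones are skipped rather than trusted."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["t"], e["status"] = int(e["t"]), int(e["status"])
        om = OBJ_RE.search(e["path"])
        e["obj"] = om.group(1) if om else None
        events.append(e)
    return events


def per_client_features(events):
    """Per client: peak requests per minute, distinct object IDs touched, 403/404 ratio."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    feats = {}
    for client, evs in by_client.items():
        per_minute = defaultdict(int)
        for e in evs:
            per_minute[e["t"] // 60] += 1
        objs = {e["obj"] for e in evs if e["obj"] is not None}
        errors = sum(1 for e in evs if e["status"] in (403, 404))
        feats[client] = {
            "peak_rpm": max(per_minute.values()),
            "distinct_ids": len(objs),
            "err_ratio": errors / len(evs),
        }
    return feats


def rule_based(feats, rpm_limit=30):
    """Classic threshold rule: flag clients that burst above rpm_limit."""
    return sorted(c for c, f in feats.items() if f["peak_rpm"] > rpm_limit)


def learn_baseline(feats):
    """Mean and spread of behavioural features across clients assumed normal."""
    baseline = {}
    for k in ("distinct_ids", "err_ratio"):
        vals = [f[k] for f in feats.values()]
        # floor the spread so a perfectly uniform baseline does not flag trivial noise
        baseline[k] = (statistics.mean(vals), max(statistics.pstdev(vals), 0.01))
    return baseline


def anomalies(feats, baseline, z=3.0):
    """Clients whose features sit more than z standard deviations above baseline."""
    flagged = {}
    for client, f in feats.items():
        hits = [k for k, (mu, sd) in baseline.items() if (f[k] - mu) / sd > z]
        if hits:
            flagged[client] = hits
    return flagged


def constructed_logs(with_enumerator):
    """One hour of constructed traffic: five normal clients, optionally one slow enumerator."""
    lines = ["not a log line"]                       # exercises the parser's skip path
    for i in range(5):
        n_objs = 2 + i % 3                           # each client revisits 2-4 of its own orders
        for t in range(0, 3600, 20):                 # 3 requests per minute
            lines.append(f"{t} client-{i} GET /v1/orders/{1000 + i * 10 + (t // 20) % n_objs} 200")
    if with_enumerator:
        for n, t in enumerate(range(0, 3600, 15)):   # 4 per minute: under any sane rate rule
            status = 200 if n % 10 == 0 else 404     # sequential IDs, mostly misses
            lines.append(f"{t} client-x GET /v1/orders/{5000 + n} {status}")
    return lines


if __name__ == "__main__":
    baseline = learn_baseline(per_client_features(parse(constructed_logs(False))))
    live = per_client_features(parse(constructed_logs(True)))
    print("rate rule flags:", rule_based(live))
    print("baseline anomalies:", anomalies(live, baseline))
```

The baseline is learned from a window believed to be clean and then applied to live traffic; the enumerator never exceeds four requests a minute, so the rate rule stays silent, but the number of distinct IDs it touches and its 404 ratio sit far outside what normal clients do over the same hour. A production model would use more features and a more careful estimate of spread, but the shape of the decision is the same.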

Secure-by-default design

Runtime protection is critical, but it is not sufficient on its own. Security works best when risk is reduced long before APIs reach production.

Secure-by-default design limits access to what is truly necessary. Every request is checked for proper permissions. Schemas are enforced strictly. Authentication behaves consistently across services. APIs are versioned clearly, and old endpoints are removed instead of lingering unnoticed.

When these practices are part of everyday development, security becomes embedded in the system. It stops being something added later and starts shaping how APIs are built in the first place.
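The practices listed above are most effective when they are enforced in one place rather than re-implemented in every handler. The following is an added example, not code from the page or the webinar: a small gateway that applies the same authentication check to every route, an explicit permission per endpoint, a strict schema that rejects unknown or mistyped fields, and versioned routes whose retired versions stop serving instead of lingering. The tokens, routes and roles are constructed, and the handler merely echoes the call.

```python
"""Added example (not from the page or the webinar): one small gateway that
applies the secure-by-default rules above to every request in one place:
the same authentication check for all routes, an explicit permission per
endpoint, strict schemas that reject unknown or mistyped fields, and
versioned routes whose retired versions stop serving instead of lingering.
Tokens, routes and roles are constructed; the handler just echoes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    version: int
    required_role: str     # least privilege: each endpoint declares who may call it
    schema: dict           # field -> expected type; anything else is rejected
    retired: bool = False  # retired versions answer 410 instead of quietly still working


ROUTES = {
    ("POST", "/v1/orders"): Endpoint(1, "user", {"sku": str, "qty": int}, retired=True),
    ("POST", "/v2/orders"): Endpoint(2, "user", {"sku": str, "qty": int}),
    ("POST", "/v2/admin/refunds"): Endpoint(2, "admin", {"order_id": int}),
}

ROLE_RANK = {"user": 1, "admin": 2}

TOKENS = {  # constructed bearer tokens -> principal
    "tok-alice": {"sub": "alice", "role": "user"},
    "tok-bob": {"sub": "bob", "role": "admin"},
}


def authenticate(headers):
    """One authentication path for every route; returns the principal or None."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    return TOKENS.get(token[len("Bearer "):])


def validate(schema, body):
    """Strict schema: every declared field present, correct type, nothing extra."""
    if body is None and not schema:
        return None                               # body-less call to a body-less endpoint
    if not isinstance(body, dict):
        return "body must be a JSON object"
    unknown = set(body) - set(schema)
    if unknown:
        return f"unknown fields: {sorted(unknown)}"
    missing = set(schema) - set(body)
    if missing:
        return f"missing fields: {sorted(missing)}"
    for field, expected in schema.items():
        if type(body[field]) is not expected:     # 'is not' also keeps bool out of int slots
            return f"field {field!r} must be {expected.__name__}"
    return None


def handle(method, path, headers, body):
    """Returns (status, response). Checks run in the same order for every request."""
    principal = authenticate(headers)
    if principal is None:
        return 401, {"error": "authentication required"}
    ep = ROUTES.get((method, path))
    if ep is None:
        return 404, {"error": "not found"}
    if ep.retired:
        return 410, {"error": f"v{ep.version} retired; use the current version"}
    if ROLE_RANK[principal["role"]] < ROLE_RANK[ep.required_role]:
        return 403, {"error": "insufficient role"}
    problem = validate(ep.schema, body)
    if problem:
        return 400, {"error": problem}
    return 200, {"ok": True, "by": principal["sub"], "endpoint": path}


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice"}
    for call in [("POST", "/v1/orders", alice, {"sku": "A1", "qty": 2}),
                 ("POST", "/v2/orders", alice, {"sku": "A1", "qty": 2, "price": 0}),
                 ("POST", "/v2/orders", alice, {"sku": "A1", "qty": 2}),
                 ("POST", "/v2/admin/refunds", alice, {"order_id": 7})]:
        print(call[1], "->", handle(*call))
```

Because the route table is the single source of truth, retiring an endpoint is a one-line change that immediately stops it from serving, and adding a new endpoint without declaring its required role or schema is impossible by construction.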

Final thoughts

APIs have become the front door for nearly every digital business. They enable customers, partners, and internal services to interact at speed. They also provide attackers with a direct path to data and logic.

Protecting cloud-native applications requires a smarter approach. Automated discovery, runtime validation, AI-driven anomaly detection, and secure-by-default design all play a role. Together, they help API security keep pace with modern systems rather than lag behind them.

For a deeper discussion on these topics, watch the full webinar featuring Twain Taylor and industry experts.
