
Why enterprises are securing the wrong front door: The API security crisis

For years, enterprise security strategies have prioritized endpoints, networks, and email systems. Yet attackers have shifted their focus to a less visible but equally critical layer: Application Programming Interfaces (APIs). APIs connect the digital economy, enabling everything from financial transactions to mobile experiences, but they are often left under-protected compared to endpoints.
As Rajesh Dimania, Co-founder & CTO at Callerdesk.io, noted, “APIs are the backbone of digital transformation today, powering everything from cloud telephony to banking and e-commerce… but with that scale comes risk. If you don’t know what exists, you can’t secure it, and that blind spot is where attackers thrive.”
The Akamai Web Application and API Attacks Report 2025 underlines the scale of the problem: nearly 60% of application layer attacks now involve APIs. Meanwhile, Indusface’s State of Application Security Report 2025 highlights that enterprises still treat API risks with less urgency than other cyber threats.
Shadow APIs and Misconfigurations: The Hidden Entry Points
Unlike endpoints, which are centrally managed and closely monitored, APIs proliferate rapidly across teams and third parties. Many are never documented (“shadow” APIs), and many others stay reachable long after the team believes they were retired (“zombie” APIs). Neither kind appears in the inventory that security tooling works from, so they go unmonitored, yet both remain accessible to anyone who finds them.
Lalit Kalra, Cybersecurity Partner at EY India, explained: “Even after so much focus on addressing API security, there’s a significant gap between our reliance on APIs and the necessary security considerations. Primarily, the lack of visibility into shadow and untraced APIs in enterprises is the main concern.”
These blind spots have already fueled major breaches. Indusface’s report found that over 57% of organizations experienced API-related breaches in the past two years, with a majority facing multiple incidents.
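As an added illustration (not code from the original article or from any of the vendors quoted in it), the following Python script shows the simplest form of shadow- and zombie-API discovery: reconcile what the gateway actually serves, as recorded in its access logs, against the documented inventory. The inventory, its OpenAPI-style path templates, and the log lines are all constructed for this example; the routes /debug/env and /internal/export are deliberately left out of the inventory to stand in for an exposed debug endpoint and an internal route.

```python
import re
from collections import Counter

# Constructed inventory in OpenAPI path-template form (assumption: the
# organisation has one; in practice export it from the spec repo or gateway).
INVENTORY = {
    "/v2/users/{id}": {"deprecated": False},
    "/v2/orders": {"deprecated": False},
    "/v1/users/{id}": {"deprecated": True},   # retired; should get no traffic
}

# Constructed gateway access-log lines (Combined Log Format). The /debug/env
# and /internal/export routes are absent from the inventory on purpose.
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /v2/orders?page=2 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Mar/2025:12:00:03 +0000] "GET /v1/users/42 HTTP/1.1" 200 498',
    '198.51.100.9 - - [10/Mar/2025:12:00:04 +0000] "GET /debug/env HTTP/1.1" 200 9001',
    '198.51.100.9 - - [10/Mar/2025:12:00:05 +0000] "POST /internal/export HTTP/1.1" 403 0',
    '192.0.2.7 - - [10/Mar/2025:12:00:06 +0000] "GET /v2/users/7 HTTP/1.1" 404 0',
]

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def template_to_regex(template: str) -> re.Pattern:
    """Turn /v2/users/{id} into an anchored regex; a {param} segment matches one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


COMPILED = [(tpl, template_to_regex(tpl), meta) for tpl, meta in INVENTORY.items()]


def classify(path: str):
    """Map a concrete request path to (category, matched template)."""
    for tpl, rx, meta in COMPILED:
        if rx.match(path):
            return ("deprecated" if meta["deprecated"] else "documented"), tpl
    return "undocumented", None


def find_blind_spots(lines):
    """Reconcile observed traffic with the inventory.

    shadow: routes not in the inventory that answered with a non-error status
    zombie: deprecated routes that still answer
    hits:   every (category, method, route, answered) tuple with its request count
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # unparseable line: skip, don't guess
        path = m.group("target").split("?", 1)[0]     # drop the query string
        category, tpl = classify(path)
        answered = int(m.group("status")) < 400       # served, not merely rejected
        hits[(category, m.group("method"), tpl or path, answered)] += 1
    shadow = sorted({route for (cat, _, route, ok) in hits if cat == "undocumented" and ok})
    zombie = sorted({route for (cat, _, route, ok) in hits if cat == "deprecated" and ok})
    return {"shadow": shadow, "zombie": zombie, "hits": hits}


if __name__ == "__main__":
    result = find_blind_spots(LOG_LINES)
    print("shadow APIs:", result["shadow"])
    print("zombie APIs:", result["zombie"])
    for (category, method, route, answered), count in sorted(result["hits"].items()):
        print(f"{category:12} {method:5} {route:20} answered={answered} hits={count}")
```

In a real deployment the inventory comes from the OpenAPI specifications or the gateway configuration and the log lines from the gateway or WAF; the reconciliation itself does not change, and running it on a schedule is what continuous API monitoring amounts to in its most basic form. A blocked request (the 403 on /internal/export above) is kept in hits but not in the shadow list: it proves the route exists, which is worth knowing, but only a served response makes it an exposure.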
Adding to the risk, APIs are highly exposed to misconfigurations. Subhalakshmi Ganapathy, Chief IT Security Evangelist at ManageEngine, warned: “The real danger isn’t always malicious code; it’s the subtle misconfigurations and misuse that slip through in today’s rapid, cloud-first development cycles. We’ve seen developers leave default settings active or expose debug endpoints—small gaps that can open the door to catastrophic breaches.”
Rajashekara V. Maiya, VP and Global Head of Business Consulting at Infosys Finacle, shared a financial-sector view: “In the financial technology world, regulators have passed open banking requirements in markets like the UK, India, and Singapore. APIs provide the gateways for these integrations, but they also expose institutions to risks such as Denial of Service, brute force, and injection attacks. A robust security infrastructure with adequate measures to authenticate and authorise is the only way to address these challenges.”
Why Boards Lag Behind on API Security
Despite their importance, APIs rarely get the same attention as ransomware or phishing in the boardroom. API security often remains a technical discussion, buried in engineering and security teams.
Pankit Desai, Co-founder of Sequretek, put it plainly: “Boards have traditionally zeroed in on high-profile attacks—ransomware, phishing and the like—because they’re easy to grasp and headline-making. API risks, by contrast, live in the weeds: they’re technical, often undocumented, and don’t show up on a threat map until data is already leaking.”
This disconnect between technical risk and business impact has slowed investments and left organizations exposed. However, some progress is being made. Reuben Koh, Director of Security Technology & Strategy at Akamai Technologies, observed: “Encouragingly, I see boards and senior leaders now beginning to treat API risk with the same seriousness as ransomware or phishing, recognizing that APIs are no longer just a technical concern but a business continuity issue.”
Ajay Trehan, Founder and CEO of AuthBridge, added: “APIs are the backbone of digital identity verification and onboarding, but security has not always kept pace with their rapid adoption. Misconfigured endpoints, shadow APIs, and credential-based attacks remain key risks, especially given the sensitivity of personal data. The way forward lies in adopting secure-by-design principles, zero-trust frameworks, and greater industry collaboration.”
Toward a Security-First API Future
Industry leaders agree that enterprises must elevate API security to the same level as endpoint security. That means automated discovery of every endpoint actually exposed, continuous monitoring of the traffic those endpoints receive, and security controls applied consistently across the API lifecycle, from design through deprecation and decommissioning.
Sundareshwar Krishnamurthy, Partner, Cybersecurity at PwC India, stressed the governance aspect: “API security isn’t just an extension of application security; it’s a discipline requiring visibility, governance, and continuous monitoring. The real opportunity is to elevate API security from a technical concern to a board-level priority.”
Similarly, Samit Shetty, Country Leader, Automation Platform at IBM India & South Asia, connected the issue to resilience: “Visibility remains a major gap. Shadow and deprecated APIs are persistent blind spots, exposing organizations to misconfigurations, duplication, and unchecked access points. Governance must therefore be central, ensuring APIs are discoverable, reusable, and secure by design.”
Rizwan Patel, Head of Information Security and Emerging Technology at Altimetrik, pointed to the next phase of defenses: “Complete API visibility remains aspirational for most enterprises. APIs proliferate rapidly, and shadow or deprecated endpoints often remain accessible. To counter this, we’re leveraging Agentic AI systems that continuously explore, reason, and share discoveries across environments—moving toward a future where APIs become increasingly self-healing.”
The path forward will also require greater collaboration. Rajesh Dimania suggested that public-private intelligence sharing and national standards could help enterprises move from reactive defenses to proactive readiness.
As enterprises expand their digital ecosystems, the question is no longer whether APIs will be attacked, but whether organizations can close the monitoring gap fast enough. Until API security is embedded into enterprise risk frameworks with the same rigor as endpoint security, the disconnect will remain, and attackers will continue to exploit it.
