---
title: "12 Practices and Tools to Ensure API Security"
description: "These are the most effective practices and tools to fortify API security. Learn about Zero trust, RBAC, rate limiting, and more!"
canonicalUrl: "https://zuplo.com/learning-center/practices-and-tools-to-ensure-api-security"
pageType: "learning-center"
authors: "adrian"
tags: "API Security, API Tooling"
image: "https://zuplo.com/og?text=12%20Practices%20and%20Tools%20to%20Ensure%20API%20Security"
---
Here's a scary fact - nearly
[99% of businesses have experienced API security issues](https://www.techradar.com/pro/security/businesses-are-being-plagued-by-api-security-risks-with-nearly-99-percent-affected)
in the last 12 months. I'm pretty sure that you might not be part of that 1% -
or you wouldn't be reading this article. Or maybe you are part of the 1% and are
trying stay a part of it by keeping up with the latest trends. Either way - API
security is clearly not easy to implement. Part of the issue is that the types
and number of threats are constantly evolving, requiring new tooling and
techniques to combat them. To get a full picture of what practices and tools are
most useful - I chatted with 12 technology leaders to understand what they are
doing. Here's what they recommended:

- [Implement API Rate Limiting and Gateways](#implement-api-rate-limiting-and-gateways)
- [Adopt Zero Trust and MDR Services](#adopt-zero-trust-and-mdr-services)
- [Use Role-Based Access Control](#use-role-based-access-control)
- [Utilize Dynamic Secrets for Authentication](#utilize-dynamic-secrets-for-authentication)
- [Deploy AI-Driven Security for APIs](#deploy-ai-driven-security-for-apis)
- [Focus on Robust Encryption Protocols](#focus-on-robust-encryption-protocols)
- [Employ Server-Side Processing for API Calls](#employ-server-side-processing-for-api-calls)
- [Use API Firewalls for Protection](#use-api-firewalls-for-protection)
- [Conduct Continuous API Discovery](#conduct-continuous-api-discovery)
- [Set Up API Honeypots](#set-up-api-honeypots)
- [Perform Regular Penetration Testing](#perform-regular-penetration-testing)
- [Implement a Defense in Depth Strategy](#implement-a-defense-in-depth-strategy)

## **Implement API Rate Limiting and Gateways**

The best place to start when it comes to API security is centralization behind
an API gateway. Gateways provide a single pane-of-glass for you wrangle all of
your APIs behind. In addition to helping you catalog all of your endpoints, they
let you apply policies like [rate limiting](/learning-center/api-rate-limiting)
consistently.[Amit Doshi](https://www.linkedin.com/in/amitdoshi-myturn/),
Founder & CEO of [MyTurn](https://myturn.careers), implemented both of these:

"Ensuring API security is a top priority, especially considering the sensitive
data we handle in the cybersecurity space. One specific practice we implement is
API rate limiting to prevent abuse and minimize the risk of denial-of-service
attacks. By setting strict limits on the number of API calls a user or service
can make within a specific time frame, we ensure that our APIs are not
overwhelmed and can handle legitimate traffic efficiently.

Additionally, we use API gateways to centralize and enforce security policies,
such as authentication, logging, and rate limiting, across all endpoints. I
highly recommend tools like Kong Gateway or AWS API Gateway for these purposes.
They not only secure your APIs but also help streamline the management and
monitoring processes, ensuring that your organization stays one step ahead in
protecting sensitive information."

Just a quick plug - we at Zuplo are also in the API gateway space so if you're
evaluating options, check out our
[Kong](https://zuplo.com/api-gateways/kong-alternative-zuplo) and
[AWS API gateway](https://zuplo.com/api-gateways/aws-api-gateway-alternative-zuplo)
comparisons.

## **Adopt Zero Trust and MDR Services**

![Zero trust](/media/posts/2025-03-04-practices-and-tools-to-ensure-api-security/image-1.png)

[Zero Trust Architecture](https://www.cisa.gov/zero-trust-maturity-model) is all
the rage these days in the security space. Zero Trust security takes a "trust
nothing, verify everything" approach, treating every interaction as potentially
harmful. Unlike traditional models, it continuously verifies each request,
ensuring no assumptions are made about trustworthiness, regardless of origin.
[Ryan Carter](https://www.linkedin.com/in/ryanraycarter), CEO/Founder of
[NetSharx](https://netsharx.com), explains it in further detail:

"In the field of API security, my focus is on a holistic approach incorporating
the Zero Trust model. Zero Trust ensures that every request is authenticated and
authorized, regardless of its origin, which is crucial in today's threat
landscape. Implementing solutions like automated token-based authentication for
APIs reduces the risk of unauthorized access significantly.

One specific practice I recommend is the integration of Managed Detection and
Response (MDR) services. These services monitor API traffic in real-time and
ensure that any anomalies are caught early, preventing potential breaches. This
approach helped a client reduce their average response time to security
incidents by 40%, just by efficiently managing their API endpoints."

Frankly, I am not very well-versed in the MDR space, but I know that
[**Akamai**](https://www.akamai.com/products/enterprise-application-access) and
[**Cloudflare**](https://www.cloudflare.com/zero-trust/products/access/) both
offer Zero Trust Network solutions.

## **Use Role-Based Access Control**

I've already written about
[how RBAC improves API permissions management](/learning-center/how-rbac-improves-api-permission-management)
so I won't go into too much detail here. For a brief explanation of RBAC, here's
[Roman Milyushkevich](https://www.linkedin.com/in/rmilyushkevich), CEO and CTO
of [HasData](https://hasdata.com).

"Role-based access control (RBAC) ensures that users and applications only
access the data and endpoints necessary for their tasks. It assigns granular
permissions and monitors API usage patterns 24/7 to mitigate unauthorized access
and misuse. The RBAC framework makes it easier to manage who can access specific
data or perform certain actions within the API.

For instance, administrators, developers, and end-users are assigned distinct
roles with specific permissions in our API ecosystem. Our developers have
permissions that allow them to configure API endpoints, but they cannot view
sensitive usage logs. Our administrators have permission to monitor analytics
and view usage logs, but they cannot modify any API structure.

Implementing a hierarchical access structure helps us reduce the risk of errors,
unauthorized access, and privilege misuse. It also allows us to streamline
onboarding and offboarding clients/employees. When a new employee joins or
leaves our company, we simply assign or revoke their role instead of auditing
individual permissions, which can be time-consuming."

Once you implement RBAC - make sure you carefully monitor your systems to
understand what your users or employees are doing, and it they have the right
roles (lowest privilege possible). I have an article on
[RBAC analytics](/learning-center/rbac-analytics-key-metrics-to-monitor) that
might be useful for you.

## **Utilize Dynamic Secrets for Authentication**

Let's switch things up a little bit and talk about API security for consumers of
APIs.
[**Dynamic secrets**](https://docs.akeyless.io/docs/how-to-create-dynamic-secret)
are short-lived, unique credentials that are generated on demand. They are also
known as "just-in-time" (JIT) codes. With dynamic secrets, users can access a
resource for a temporary period with a defined set of permissions. This greatly
reduces the impact of a lost/stolen API credential. Hashicorp has written at
length about
[why we need dynamic secrets](https://www.hashicorp.com/en/blog/why-we-need-dynamic-secrets)
(primarily because **Hashicorp Vault** is a popular solution for this) but
here's [Lucas Wyland](https://www.linkedin.com/in/lucas-wyland-23429078),
Founder & CTO of [Steambase](https://steambase.io) for an example grounded in
APIs:

"As an API consumer, I use dynamic secrets for authentication. Static API keys
have a much bigger chance of exposure and pose security risks. This is why I am
using a free dynamic secret manager that frequently rotates the keys. This
leaves the attackers almost zero chance of exhausting my API limits.

If you also want to integrate a dynamic secret manager, make sure you set up the
RBAC (Role-Based Access Control) to make sure that API keys have the least
privileges needed to do the task. Also, I highly recommend setting up a secret
injection instead of storing the keys in config files—this option is much more
secure."

I definitely recommend creating an abstraction layer over APIs you consume,
which is often known as an
[API integration platform](/learning-center/building-an-api-integration-platform).

## **Deploy AI-Driven Security for APIs**

I bet you were wondering how long I could ramble on before mentioning AI. In the
API security space - most of the chatter about AI is with regards to threats and
attack vectors it can introduce. This is especially true when it comes to APIs -
agents like operator are already using organization's APIs in ways they weren't
intended to be used. It's so serious that OWASP recently published a
[Non-Human Identities](https://owasp.org/www-project-non-human-identities-top-10/)
vulnerabilities list. Luckily, we can fight fire with fire, and integrate AI
into our API security stack to help defend against new threats.
[Stefan Van der Vlag](https://nl.linkedin.com/in/stefanvandervlag), Founder of
[Clepher](https://clepher.com), made this recommendation:

"Traditional rate-limiting and Web Application Firewalls aren't always enough to
detect sophisticated API attacks. I like AI-driven security platforms like
Darktrace that use machine learning to analyze API traffic and flag anomalies
based on behavioral patterns. This means the system can detect subtle threats,
such as token manipulation or low-and-slow attacks before they escalate.

I recommend **Darktrace** because it goes beyond rule-based systems and can
adapt to changing attack techniques. This tool also provides real-time
visibility into API traffic, allowing organizations to quickly respond and
mitigate any potential threats. I like its ability to integrate with existing
security tools and its user-friendly interface, making it easy for our
developers to use."

I haven't used Darktrace myself, but its definitely something I will check out
in the near future.

## **Focus on Robust Encryption Protocols**

When it comes to security, sometimes we forget the very basics. Ensuring that
data being sent over the wire is encrypted can mitigate several vectors around
interception. [Steve Payerle](https://www.linkedin.com/in/spayerle/), President
of [Next Level Technologies](https://www.nextleveltech.com) had this to say
about encryption and his security tech stack:

"In managing API security, we focus heavily on establishing robust encryption
protocols. Having an API endpoint with data encryption ensures that sensitive
information remains protected from unauthorized access. Specifically, we use TLS
(Transport Layer Security) as a cornerstone for securing data in transit,
providing a strong barrier against interception and tampering.

One tool we incorporate is Postman for API testing, ensuring all endpoints
adhere to our security standards before deployment. For real-time monitoring and
anomaly detection, we employ a mix of AI-driven solutions. These systems flag
unusual activity patterns, allowing us to mitigate potential threats swiftly."

Whether its Postman, or some other
[end-to-end testing solution](/learning-center/end-to-end-api-testing-guide) -
it's critical to ensure data is encrypted across all of your endpoints that
handle sensitive data. There are also many realtime
[API monitoring tools](/learning-center/8-api-monitoring-tools-every-developer-should-know)
to choose from, but my personal picks are a combo of **Moesif** for API-specific
analytics and **DataDog** for general analytics.

## **Employ Server-Side Processing for API Calls**

Okay - this should be pretty obvious right now, but I still see it all the time.
**Do not use API keys from your client-side application!**. If an API you are
working with requires an API key, you should proxy your call through a gateway
or some other service, and securely store the key in a secrets manager.
[Karl Bagci](https://www.linkedin.com/in/karl-bagci), Head of Information
Security at [Exclaimer](https://exclaimer.com), has this recommendation for
frontend devs:

"One of the most important elements when it comes to API security is to use
server-side processing for any API calls. It helps to ensure API data cannot be
leaked on the front end, keeping security keys and other vital information
directly on the server. This includes using server-side rendering on our secure
platform using React along with a framework such as **NextJS**."

If you are an API key issuer, please integrate with
[Github Secret Scanning](https://github.blog/changelog/2022-07-13-zuplo-is-now-a-github-secret-scanning-partner/)
to keep your users safe from themselves.

## **Use API Firewalls for Protection**

![API firewall](/media/posts/2025-03-04-practices-and-tools-to-ensure-api-security/image-3.png)

You might already be familiar with
[Web Application Firewalls (WAF)](https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/#:~:text=A%20WAF%20or%20web%20application,and%20SQL%20injection%2C%20among%20others.),
but here's the tl;dr from [Adam Yong](https://www.linkedin.com/in/adamyong),
Founder of [Agility Writer](https://agilitywriter.ai), in case you are new to
them:

"In our company, I make sure to use API firewalls to protect our systems from
unauthorized access and malicious traffic. An API firewall acts as a gatekeeper,
filtering incoming requests and blocking anything that looks suspicious before
it reaches our core systems.

We use **Cloudflare** API Gateway because it provides strong protection against
DDoS attacks, bot traffic, and injection attempts. It analyzes incoming requests
in real-time and automatically blocks suspicious activity.

This helped us when we noticed an unusual spike in API requests coming from a
single region. The firewall flagged it as a bot attack attempting to overload
our servers. Because the firewall automatically blocked the suspicious traffic,
we avoided any disruption, and our users never experienced any downtime."

Like Adam said - WAF is Cloudflare's bread-and-butter product offering, but
Amazon also offers [AWS WAF](https://aws.amazon.com/waf/) in case you want to
stick to a single-cloud solution.

## **Conduct Continuous API Discovery**

If you've asked "is there an API for XYZ" before at a large enterprise, chances
are that you will get a different answer depending on which team you are on.
Without proper cataloging of APIs using an
[API definition](/learning-center/mastering-api-definitions) specification like
OpenAPI - internal developers will just build their own versions. Many of these
will fall out of use and eventually evolve into security threats as their auth
systems become outdated.
[Ayush Trivedi](https://www.linkedin.com/in/ayushtrivedi), CEO of
[Cyber Chief](https://www.cyberchief.ai), had exactly this issue - here's how he
resolved it:

"One specific practice I highly recommend is implementing continuous API
discovery. It’s surprising how easy it is for APIs to proliferate across an
organization, often without proper documentation or oversight. We use automated
tools to regularly scan our network and identify all active APIs, including
those that may have been forgotten or deployed without authorization—what we
call “shadow APIs.”

We’ve found that this continuous discovery approach helps us maintain a
comprehensive inventory of our APIs, ensuring that none slip through the cracks
of our security protocols. It’s particularly useful for large organizations
where different teams might be developing and deploying APIs independently.

In terms of tools, we’ve had great success with **StackHawk** for automated
security testing. It integrates seamlessly into our CI/CD pipeline, allowing us
to catch potential vulnerabilities early in the development process."

API discovery is mostly a band-aid over the fact that you weren't
creating/generating OpenAPI specs in the first place. Consider adopting API
development frameworks that automatically generate OpenAPI documentation (we
have a good list of
[Python frameworks](/learning-center/top-20-python-api-frameworks-with-openapi)
to pick from). You can import these specs into a tool like
[Zudoku](https://zudoku.dev/) to create a full catalog of endpoints.

## **Set Up API Honeypots**

Sometimes API security requires you to go on the offensive, and proactively
implement methods to detect attackers.
[Kevin Baragona](https://www.linkedin.com/in/baragona), Founder of
[Deep AI](https://deepai.org) proposes a rather interesting solution:

"My go-to choice is to set up API honeypots, fake API endpoints that mimic real
services but contain hidden security traps. If a bad actor interacts with these
endpoints, I can gather intelligence on their attack methods and proactively
block similar attempts on real APIs.

Tools like **CanaryTokens** or custom-built honeypots are best to alert security
teams when unauthorized API access is attempted. For instance, a CDN Token can
be set as a custom API header or parameter and notify the security team when
it's accessed."

This is a pretty smart defense against hackers who try and guess/probe API
endpoints based on reused path formats. You can send them back some fake data
while identifying the culprit.

## **Perform Regular Penetration Testing**

![pen testing](/media/posts/2025-03-04-practices-and-tools-to-ensure-api-security/image-2.png)

Penetration testing is a common practice for ensuring your APIs can handle
various attacks - including
[the OWASP top 10 API risks](https://owasp.org/API-Security/editions/2023/en/0x11-t10/).
Sometimes you can do this yourself, but it can also be worth it to hire an
external firm to perform it for you.
[Rafay Baloch](https://linkedin.com/in/rafaybaloch) is the CEO and Founder of
[REDSECLABS](https://redseclabs.com), a security firm that performs pen-testing.
Here's his recommendation:

"One practice I would like to suggest is penetration testing. It simulates
real-world attacks, and finds misconfigurations or unknown vulnerabilities.
Alongside this, zero-day exploit monitoring means that you are not behind the
curve on new threats.

**Burp Suite** is a useful tool for testing, [alongside] real-time threat
monitoring systems."

I'd definitely advise you to be careful in choosing a pen-testing firm, the
worst thing to have is an illusion of safety when there are vulnerabilities that
were not discovered.

### **Implement a Defense in Depth Strategy**

At the end of the day, none of the recommendation above will suffice on their
own. It's only through the combination of all of them that you can even begin to
understand your APIs' vulnerabilities, if they are being exploited, who is
exploiting them, and how to stop them. At every layer of your API tech stack -
development, infrastructure, developer portal, integration, etc. - security
should always be an omnipresent consideration. This is known as **Defense in
Depth** - and it ensures that API security is everyone's problem at your
company. I'll leave you with a Defense in Depth strategy from
[Evgeny Kapylski](https://www.linkedin.com/in/evgeny-kapylski-38759a34),
Technical Expert at [Vention](https://ventionteams.com):

"We prioritize a Defense in Depth strategy for API security, integrating
multiple layers of protection to address evolving threats. Our approach is
centered on the following key principles:

- API Gateways: We leverage API gateways as a centralized point for traffic
  management and security enforcement, including rate limiting, IP whitelisting,
  and authentication. This ensures secure and efficient handling of all incoming
  API requests.
- Zero Trust Architecture: Adopting a Zero Trust model, we continuously verify
  every request, regardless of origin. This minimizes the attack surface by
  ensuring strict access control and eliminating implicit trust within the
  network.
- Authentication with OpenID and JWT: We implement OpenID Connect for user
  authentication and use JWT for secure, token-based access control. This
  ensures only authorized users and applications can interact with our APIs,
  supporting scalable and flexible identity management.
- Continuous Monitoring: Real-time monitoring and logging are integral to our
  security strategy, allowing us to detect and respond to anomalies or potential
  security incidents promptly. We use several robust tools like Prometheus &
  Grafana, Splunk, AWS CloudWatch, Azure Monitor, and others.

By combining API gateways, Zero Trust principles, OpenID/JWT-based
authentication, and continuous monitoring, we create a robust, scalable API
security framework that adapts to emerging threats while delivering a secure
user experience."

If you'd like to make your API more secure without sacrificing your developer
productivity
[try Zuplo's API gateway today](https://portal.zuplo.com/signup?utm_source=blog)
and discover how easy it is to secure your APIs with our developer-first API
management platform.