Understanding the NCSC’s New API Security Guidance

Legislative, regulatory, and advisory bodies the world over are waking up to the importance of API security. Most recently, the UK’s National Cyber Security Centre NCSC has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we’ll break down that...

Inside the AI Threat Landscape: From Jailbreaks to Prompt Injections and Agentic AI Risks

AI has officially moved out of the novelty phase. What began with people messing around with LLM-powered GenAI tools for content creation has rapidly evolved into a complex web of agentic AI systems that form a critical part of the modern corporate landscape. However, this transformation has give...

What CISA’s BOD 25-01 Means for API Security and How Wallarm Can Help

The US government has taken another significant step towards strengthening cloud security with the release of CISA’s Binding Operational Directive BOD 25-01. Aimed at improving the security posture of federal cloud environments, BOD 25-01 mandates robust configuration, visibility, and control...

Beyond Traditional Threats: The Rise of AI-Driven API Vulnerabilities

AI has had dramatic impacts on almost every facet of every industry. API security is no exception. Up until recently, defending APIs meant guarding against well-understood threats. But as AI proliferates, automated adversaries, AI-crafted exploits, and business logic abuse have complicated matter...

Five Uncomfortable Truths About LLMs in Production

Many tech professionals see integrating large language models LLMs as a simple process -just connect an API and let it run. At Wallarm, our experience has proved otherwise. Through rigorous testing and iteration, our engineering team uncovered several critical insights about deploying LLMs secure...

CISO Spotlight: Rick Bohm on Building Bridges, Taming AI, and the Future of API Security

Nestled in a log cabin high in the Rocky Mountains, Rick Bohm starts his day the same way he’s approached his career: intentionally, with a quiet commitment to learning and action. Boasting more than three decades of cybersecurity experience, Rick has watched tech evolve from dial-up ISPs to...

Addressing API Security with NIST SP 800-228

According to the Wallarm Q1 2025 ThreatStats report, 70% of all application attacks target APIs. The industry can no longer treat API security as a sidenote; it’s time to treat it as the main event. NIST seems to be on board with this view, releasing the initial public draft of NIST SP 800-228, a...

CISO Spotlight: Mike Wilkes on Building Resilience in an Evolving Threat Landscape

Mike Wilkes has had a career many cybersecurity professionals could only dream of. An adjunct professor, former CISO of Marvel and MLS, member of the World Economic Forum, drummer, and board member at the National Jazz Museum in Harlem, his interests and achievements are as eclectic as they are...

Attackers Abuse TikTok and Instagram APIs

It must be the season for API security incidents. Hot on the heels of a developer leaking an API key for private Tesla and SpaceX LLMs, researchers have now discovered a set of tools for validating account information via API abuse, leveraging undocumented TikTok and Instagram APIs. The tools, an...

Mapping the Future of AI Security

AI security is one of the most pressing challenges facing the world today. Artificial intelligence is extraordinarily powerful, and, especially considering the advent of Agentic AI, growing more so by the day. But it is for this reason that securing it is so important. AI handles massive amounts ...

Developer Leaks API Key for Private Tesla, SpaceX LLMs

In AI, as with so many advancing technologies, security often lags innovation. The xAI incident, during which a sensitive API key remained exposed for nearly two months, is a stark reminder of this disconnect. Such oversights not only jeopardize proprietary technologies but also highlight systemi...

The Ongoing Risks of Hardcoded JWT Keys

In early May 2025, Cisco released software fixes to address a flaw in its IOS XE Software for Wireless LAN Controllers WLCs. The vulnerability, tracked as CVE-2025-20188, has a CVSS score of 10.0 and could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible syste...

API Threat Trends: How Attackers Are Exploiting Business Logic

As businesses rely more on APIs, attackers are quick to turn that trust into opportunity. Among the most dangerous and difficult-to-detect threats are business logic exploits, which let cybercriminals manipulate legitimate functionality to gain unauthorized access, exfiltrate data, or disrupt...

The API Imperative: Securing Agentic AI and Beyond

We recently released The Rise of Agentic AI, our API ThreatStats report for Q1 2025, finding that evolving API threats are fueled by the rise of agentic AI systems, growing complexity in cloud-native infrastructure, and a surge in software supply chain risks, and uncovered patterns and actionable...

Threat Replay Testing: Turning Attackers into Pen Testers

API security is no longer just a concern; it’s a critical priority for businesses. With APIs serving as the backbone of modern applications, they’ve become a primary target for attackers. While automated security testing tools help detect vulnerabilities, their limitations leave organizations...

Test

The post Test appeared first on Wallarm...

Wallarm Research Releases Nuclei Template to Counter Threats Targeting LLM Apps

Wallarm Research has just released a powerful new Nuclei template targeting a new kind of exposure: the Model Context Protocol MCP. This isn’t about legacy devtools or generic JSON-RPC pinging. It’s about the protocol fueling next-gen LLM applications — and it’s already showing up exposed in the...

Meeting NIST API Security Guidelines with Wallarm

On March 25, 2025, NIST released the initial public draft of NIST SP 800-228, "Guidelines for API Protection for Cloud-Native Systems." The document provides a comprehensive framework for securing APIs in cloud-enabled environments. However, for organizations looking to align with these objective...

The API Security Challenge in AI: Preventing Resource Exhaustion and Unauthorized Access

Agentic AI is transforming business. Organizations are increasingly integrating AI agents into core business systems and processes, using them as intermediaries between users and these internal systems. As a result, these organizations are improving efficiency, automating routine tasks, and drivi...

Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk

Despite advancements in API security, access control vulnerabilities, such as broken object-level authentication BOLA and broken function-level authentication BFLA, remain almost impossible to detect. This blog will explore why these vulnerabilities are so difficult to detect, the limitations of...

AI Agents and API Security: The Hidden Risks Lurking in Your Business Logic

Modern organizations are becoming increasingly reliant on agentic AI, and for good reason: AI agents can dramatically improve efficiency and automate mission-critical functions like customer support, sales, operations, and even security. However, this deep integration into business processes...

Data Leaks and AI Agents: Why Your APIs Could Be Exposing Sensitive Information

Most organizations are using AI in some way today, whether they know it or not. Some are merely beginning to experiment with it, using tools like chatbots. Others, however, have integrated agentic AI directly into their business procedures and APIs. While both types of organizations are undoubted...

One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild

A devastating new remote code execution RCE vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online:...

API Specifications: Why, When, and How to Enforce Them

APIs facilitate communication between different software applications and power a wide range of everyday digital experiences, from weather apps to streaming services and everything in between. They are also a critical ingredient of AI. However, if not structured and standardized properly, APIs ca...

API Armor: How Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist

APIs present a security risk—that much is a given. Attacks on APIs have caused some of the most significant security incidents of the past decades. But the question now is: How can we flip the script and leverage their power to enhance security? Bybit might just have the answer. Bybit—one of the...

DORA: Strengthening Digital Resilience Through API Security

The Digital Operational Resilience Act DORA is one of the most significant cybersecurity regulations for financial institutions in the European Union EU. Failure to comply can have massive consequences, including financial penalties and forced operational downtime, meaning achieving DORA complian...

Overcoming Security Challenges in Real-Time APIs

Speed is everything in the modern business world. Our attention spans are shorter than ever, consumers demand short and seamless interactions, and the slightest delay in service delivery can see organizations fall far behind their competitors. This is why real-time APIs are so important; they...

AI Security is API Security: What CISOs and CIOs Need to Know

Just when CIOs and CISOs thought they were getting a grip on API security, AI came along and shook things up. In the past few years, a huge number of organizations have adopted AI, realizing innumerable productivity, operational, and efficiency benefits. However, they’re also having to deal with...

Analyzing DeepSeek’s System Prompt: Jailbreaking Generative AI

DeepSeek, a disruptive new AI model from China, has shaken the market, sparking both excitement and controversy. While it has gained attention for its capabilities, it also raises pressing security concerns. Allegations have surfaced about its training data, with claims that it may have leveraged...

API Security Is At the Center of OpenAI vs. DeepSeek Allegations

With a high-stakes battle between OpenAI and its alleged Chinese rival, DeepSeek, API security was catapulted to priority number one in the AI community today. According to multiple reports, OpenAI and Microsoft have been investigating whether DeepSeek improperly used OpenAI’s API to train its ow...

API Security’s Role in Responsible AI Deployment

By now, you will almost certainly be aware of the transformative impact artificial intelligence AI technologies are having on the world. What you may not be aware of, however, is the role Application Programming Interfaces APIs are playing in the AI revolution. The bottom line is that APIs are...

Considerations for Selecting the Best API Authentication Option

Implementing API authentication is one of the most critical stages of API design and development. Properly implemented authentication protects data, user privacy, and other resources while streamlining compliance, preventing fraud, and establishing accountability. In fact, broken authentication i...

Effective API Throttling for Enhanced API Security

APIs are the backbone of modern digital ecosystems, but their misuse can expose systems to cyber threats. Effective API throttling not only optimizes performance but also acts as a critical defense mechanism against abuse, such as denial-of-service attacks. Discover how this powerful strategy...

Top Open Source API Security Tools

The modern world relies on Application Programming Interfaces APIs. They allow applications to communicate with each other, servers, and consumers to facilitate data sharing and simplify application development. Without them, the internet would be unrecognizable. However, APIs also present a...

Top Tool Capabilities to Prevent AI-Powered Attacks

Recent advances in AI technologies have granted organizations and individuals alike unprecedented productivity, efficiency, and operational benefits. AI is, without question, the single most exciting emerging technology in the world. However, it also brings enormous risks. While the dystopian,...

Protecting Against Bot-Enabled API Abuse

APIs have become the backbone of modern digital ecosystems, powering everything from mobile apps to e-commerce platforms. However, as APIs grow in importance, they also become prime targets for malicious actors. Increasingly, bots are being weaponized to exploit vulnerabilities, overwhelm systems...

How Is API Abuse Different from Web Application Attacks by Bots?

API abuse and web application bot attacks are often confused. This is understandable, as both involve automated interactions and are usually executed by bots. Both attack vectors are prevalent; criminals are always eager to disrupt the foundations on which businesses base their operations to...

Taming API Sprawl: Best Practices for API Discovery and Management

APIs are the backbone of interconnected applications, enabling organizations to innovate, integrate, and scale rapidly. However, as enterprises continue to expand their digital ecosystems, they often encounter a common and complex challenge: API sprawl. Unchecked, API sprawl can lead to increased...

Your AppSec Journey Demystified: Driving Effective API Security with Wallarm and StackHawk

There is no doubt that attackers have shifted their attention to APIs. Wallarm’s API ThreatStats research identifies that 70% of attacks now target APIs instead of Web Applications. While APIs have become the backbone of innovation and connectivity for businesses, they have also introduced a vast...

Context is King: Using API Sessions for Security Context

There’s no doubt that API security is a hot topic these days. The continued growth in API-related breaches and increase in publicized API vulnerabilities has pushed API security to the top of CISO’s lists. The tools in the market for API security still have room for improvement, of course. One of...

The Hidden Costs of API Breaches: Quantifying the Long-Term Business Impact

API attacks can be costly. Really costly. Obvious financial impacts like legal fines, stolen finances, and incident response budgets can run into the hundreds of millions. However, other hidden costs often compound the issue, especially if you’re not expecting them. This article will explore the...

AI-Powered APIs: Expanding Capabilities and Attack Surfaces

AI and APIs have a symbiotic relationship. APIs power AI by providing the necessary data and functionality, while AI enhances API security through advanced threat detection and automated responses. In 2023, 83% of Internet traffic traveled through APIs, but there was a 21% increase in API-related...

Attackers Abuse DocuSign API to Send Authentic-Looking Invoices At Scale

In a concerning trend, cybercriminals are leveraging DocuSign's APIs to send fake invoices that appear strikingly authentic. Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate...

How to Mitigate the Latest API Vulnerability in FortiManager

Overview of the FortiManager API Vulnerability Recently, a critical API vulnerability in FortiManager CVE-2024-47575 was disclosed. Certain threat actors exploited it in the wild to steal sensitive information containing configurations, IP addresses, and credentials used by managed devices. In...

Reducing False Positives in API Security: Advanced Techniques Using Machine Learning

False positives in API security are a serious problem, often resulting in wasted results and time, missing real threats, alert fatigue, and operational disruption. Fortunately, however, emerging technologies like machine learning ML can help organizations minimize false positives and streamline t...

How Security Edge Revolutionizes API Security

Wallarm’s Security Edge is setting a new standard in API security—far beyond the reach of traditional Content Delivery Networks CDNs. Let’s get it straight: Security Edge is not just a new addition to the API security market; it’s a disruption. Designed to deliver fast, effective, and advanced AP...

Beyond Passwords: Advanced API Authentication Strategies for Enhanced Security

Passwordless authentication for end users is taking the world by storm, offering organizations and individuals alike unprecedented security, user experience, and efficiency benefits. By all indications, the next generation of authentication for end users has finally arrived, sending the password...

Choosing the Right Deployment Option for Your API Security Solution

You need an API security solution. That much is a given although some may argue it isn’t!. While essential for business growth and innovation, APIs, or Application Programming Interfaces, expose the organizations that use them to cyber threats. Attackers are both aware of and actively exploiting...

API Gateways and API Protection: What’s the Difference?

Modern businesses are increasingly reliant on APIs. They are the building blocks facilitating data exchange and communication between disparate systems. Because of their prevalence and importance, they are also under attack by actors exploiting vulnerabilities and misconfigurations. Unauthorized...

Deep Dive into the Latest API Security Vulnerabilities in Envoy

Envoy has carved out a critical role in cloud-native computing, becoming increasingly prevalent as the default ingress controller for Kubernetes. This high-performance proxy, developed by Lyft and now part of the Cloud Native Computing Foundation’s arsenal, is integral for companies scaling up...