Contributed"> How To Strengthen API Security With Zero Trust - The New Stack
TNS
SUBSCRIBE
Join our community of software engineering leaders and aspirational developers. Always stay in-the-know by getting the most important news and exclusive content delivered fresh to your inbox to learn more about at-scale software development.
REQUIRED
 
It seems that you've previously unsubscribed from our newsletter in the past. Click the button below to open the re-subscribe form in a new tab. When you're done, simply close that tab and continue with this form to complete your subscription.
Welcome and thank you for joining The New Stack community!
Please answer a few simple questions to help us deliver the news and resources you are interested in.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Great to meet you!
Tell us a bit about your job so we can cover the topics you find most relevant.
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
REQUIRED
Welcome!

We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.

What’s next?

Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.

Become a TNS follower on LinkedIn.

Check out the latest featured and trending stories while you wait for your first TNS newsletter.

PREV
of
NEXT
VOXPOP
As a JavaScript developer, what non-React tools do you use most often?
Angular
0%
Astro
0%
Svelte
0%
Vue.js
0%
Other
0%
I only use React
0%
I don't use JavaScript
0%
 
Open Source Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Open Source Needs Younger Maintainers. How Can It Get Them?
Oct 2nd 2024 5:00am, by Richard Gall
Does Your Open Source Project Need Foundation Oversight? 
Sep 28th 2024 6:00am, by Joe Fay
Why Open Source Forking Is a Hot-Button Issue
Sep 26th 2024 10:00am, by Amanda Brock
Russ Cox's Next Act: AI-Powered Help Agents for Open Source Projects
Sep 26th 2024 6:00am, by David Cassel
Microsoft Open Sources OpenHCL, a Linux-Based 'Paravisor'
Sep 24th 2024 11:00am, by Steven J. Vaughan-Nichols
Abstracting Cloud SDKs, Starting With the Runtime
Oct 1st 2024 8:42am, by Rak Siva
How Agentless Security Can Prevent Major Ops Outages
Sep 30th 2024 7:36am, by Manas Chowdhury
3 Key Practices for Perfecting Cloud Native Architecture
Sep 24th 2024 10:00am, by Rahul Shrivastava
CNCF Artifact Hub, a One-Stop Shop for Cloud Native Config
Sep 23rd 2024 1:17pm, by Joab Jackson
Distributed Cloud Delivers a Win for Customers and for Developers
Sep 20th 2024 6:20am, by Mike Elissen
Is Kubernetes Green?
Oct 2nd 2024 8:24am, by Anne Currie
Abstracting Cloud SDKs, Starting With the Runtime
Oct 1st 2024 8:42am, by Rak Siva
Microsoft Open Sources OpenHCL, a Linux-Based 'Paravisor'
Sep 24th 2024 11:00am, by Steven J. Vaughan-Nichols
What Is Testcontainers, and Why Should You Care?
Sep 17th 2024 7:53am, by Kevin Wittek
Docker Overhauls, Simplifies Subscription Plans
Sep 15th 2024 6:00am, by Steven J. Vaughan-Nichols
From VMs to AI: How Edge Computing Is Evolving
Sep 13th 2024 3:54am, by Ben Cohen
The New 2GB Raspberry Pi 5: Another Option for Linux Sysadmins
Sep 2nd 2024 9:00am, by Damon M. Garn
Golang Pub/Sub: Why It’s Better When Combined With GoFr
Aug 28th 2024 6:00am, by Robert Kimani
With eLxr, Wind River Brings Debian Linux to the Edge
Aug 12th 2024 1:30pm, by Joab Jackson
How To Get Started Running Small Language Models at the Edge
Jul 24th 2024 6:00am, by Janakiram MSV
Binary Provenance, SBOMs and the Software Supply Chain for Humans
Oct 1st 2024 10:00am, by Mike Long
Platform Engineering Reshapes Software Dev at Bechtle
Sep 4th 2024 6:00am, by Todd R. Weiss
Shift Left on a Budget: Cost-Savvy Testing for Microservices
Aug 27th 2024 12:03pm, by Nočnica Mellifera
Remocal Development: The Future of Efficient Kubernetes Workflows
Aug 25th 2024 10:00am, by Anita Ihuman
Why Staging Doesn't Scale for Microservice Testing
Aug 16th 2024 10:13am, by Arjun Iyer
Internet Architecture Board ISO Future Networking Tech
Sep 29th 2024 8:00am, by Joab Jackson
Git: Set Up a Local Repository Accessible by LAN
Sep 28th 2024 9:00am, by Jack Wallen
Linux: Create and Connect to an NFS Share
Sep 21st 2024 8:00am, by Jack Wallen
AlmaLinux: Deploy a DHCP Server for Your Internal Network
Sep 14th 2024 7:00am, by Jack Wallen
How Meta Is Reinforcing its Global Network for AI Traffic
Sep 12th 2024 11:45am, by Joab Jackson
Azure Durable Functions: FaaS for Complex Workflows
Aug 15th 2024 8:16am, by Lily Ma and David Justo
Momento: Caching at Scale and More, Without All the Hassle
Jul 22nd 2024 11:23am, by Susan Hall
WebAssembly and Kubernetes Go Better Together: Matt Butcher
May 22nd 2024 2:00pm, by Raghavan "Rags" Srinivas
How to Conquer Cold Starts for Better Performance
Apr 25th 2024 9:17am, by Henry Hamid Safi
Meet DBOS: A Database Alternative to Kubernetes 
Mar 12th 2024 4:00am, by Joab Jackson
Redis Users Want a Change
Oct 2nd 2024 9:00am, by Aleksandra Mitroshkina
Linux: Recover Files From a Machine That Won't Boot
Sep 29th 2024 6:00am, by Jack Wallen
Columnar Storage: A Developer’s Key to Real-Time Analytics
Sep 27th 2024 7:00am, by Steph Rogers
Bring Storage and Databases Under Kubernetes Control
Sep 23rd 2024 1:00pm, by Murli Thirumale
Ceph: 20 Years of Cutting-Edge Storage at the Edge
Sep 10th 2024 5:55am, by Steven J. Vaughan-Nichols
AI Large Language Models Frontend Development Software Development API Management Python JavaScript TypeScript WebAssembly Cloud Services Data Security
Techniques for Tackling Catastrophic Forgetting in AI Models
Oct 1st 2024 11:44am, by
What’s Wrong With Generative AI-Driven Development Right Now
Oct 1st 2024 6:00am, by
Using Vite and Vike for Microfrontends; Plus Other Dev News
Sep 28th 2024 7:00am, by
Prioritize Robust Engineering Over Overblown GenAI Promises
Sep 27th 2024 10:00am, by
Amazon Revamps Developer AI With Code Conversion, Security
Sep 27th 2024 6:00am, by
Using Vite and Vike for Microfrontends; Plus Other Dev News
Sep 28th 2024 7:00am, by
OpenAI Structured Outputs: How-To Guide for Developers
Sep 27th 2024 9:00am, by
Amazon Revamps Developer AI With Code Conversion, Security
Sep 27th 2024 6:00am, by
What a CTO Learned at Nvidia About Managing Engineers
Sep 26th 2024 9:20am, by
Semantic Router and Its Role in Designing Agentic Workflows
Sep 25th 2024 10:17am, by
The Pros and Cons of Web Components, Via Lit and Shoelace
Sep 29th 2024 7:00am, by
Using Vite and Vike for Microfrontends; Plus Other Dev News
Sep 28th 2024 7:00am, by
Turso Offers Web Developers Simpler, Faster Database
Sep 25th 2024 7:11am, by
Introduction to Vercel, Frontend as a Service for Developers
Sep 21st 2024 7:00am, by
Node Removes Corepack, Bun Runs Native C From JavaScript
Sep 21st 2024 6:00am, by
Binary Provenance, SBOMs and the Software Supply Chain for Humans
Oct 1st 2024 10:00am, by
Git: Set Up a Local Repository Accessible by LAN
Sep 28th 2024 9:00am, by
Handling Edge Cases and Exceptions in Python
Sep 28th 2024 5:00am, by
How To Get Started With Native Python
Sep 27th 2024 8:00am, by
Amazon Revamps Developer AI With Code Conversion, Security
Sep 27th 2024 6:00am, by
How To Strengthen API Security With Zero Trust
Oct 2nd 2024 10:00am, by
OpenAI's Realtime API Takes a Bow
Oct 1st 2024 9:05pm, by
Building for Integrations Is a Future-Minded Growth Strategy
Sep 20th 2024 10:38am, by
3 API Vulnerabilities Developers Accidentally Create
Sep 18th 2024 11:00am, by
How Nuanced Rate Limiting Transforms Your API and Business
Sep 17th 2024 11:00am, by
Handling Edge Cases and Exceptions in Python
Sep 28th 2024 5:00am, by
How To Get Started With Native Python
Sep 27th 2024 8:00am, by
Python Under the Hood
Sep 26th 2024 12:00pm, by
How to Use Comments in Your Python Code (And Why You Should)
Sep 15th 2024 2:08pm, by
Python Try ... Except: What It Is and How to Use It
Sep 15th 2024 5:05am, by
Using Vite and Vike for Microfrontends; Plus Other Dev News
Sep 28th 2024 7:00am, by
Node Removes Corepack, Bun Runs Native C From JavaScript
Sep 21st 2024 6:00am, by
Most Dangerous JavaScript Vulnerabilities To Watch For in 2025
Sep 19th 2024 9:00am, by
Frontend Schism: Will React Server Components Destroy React?
Sep 19th 2024 7:04am, by
Free 'JavaScript' from Legal Clutches of Oracle, Devs Petition
Sep 17th 2024 4:00am, by
Why ChatGPT Shifted From Next.js To Remix: Some Theories
Sep 14th 2024 8:05am, by
Is React Now a Full Stack Framework? And Other Dev News
Aug 31st 2024 5:00am, by
Implementing IAM in NestJS: The Essential Guide
Aug 30th 2024 6:26am, by
TypeScript 5.5: Faster, Smarter and More Powerful
Jun 25th 2024 6:41am, by
UIX: A Full Stack Web Dev Framework Leveraging Deno
Jun 11th 2024 11:30am, by
Traefik 3.0 Works Better With WebAssembly and OpenTelemetry
Sep 17th 2024 1:30pm, by
Arcjet Launches: Wasm-Powered Security for Modern Developers
Sep 10th 2024 2:05pm, by
Golang for WebAssembly Can Now Work Like IT Should
Aug 9th 2024 9:00am, by
How To Run WebAssembly on Kubernetes
Jul 28th 2024 10:00am, by
Chicory: Write to WebAssembly, Overcome JVM Shortcomings 
Jul 19th 2024 12:33pm, by
3 Key Practices for Perfecting Cloud Native Architecture
Sep 24th 2024 10:00am, by
AWS Transfers OpenSearch to the Linux Foundation
Sep 17th 2024 12:33pm, by
Why Cloud Migrations Fail
Sep 13th 2024 11:05am, by
Did Broadcom’s VMware Hit Nutanix Where It Hurts?
Sep 2nd 2024 7:00am, by
Broadcom’s VMware Tanzu Platform 10 Becomes a PaaS
Aug 28th 2024 12:34pm, by
With WarpStream, Confluent Got a New Type of Kafka Platform
Oct 1st 2024 7:11am, by
OpenAI Structured Outputs: How-To Guide for Developers
Sep 27th 2024 9:00am, by
Hard Truths to Consider When Designing SLOs for Mobile Apps
Sep 26th 2024 11:00am, by
Turso Offers Web Developers Simpler, Faster Database
Sep 25th 2024 7:11am, by
Graph Embeddings 101: Key Terms, Concepts and AI Applications
Sep 23rd 2024 6:20am, by
How To Strengthen API Security With Zero Trust
Oct 2nd 2024 10:00am, by
What’s Wrong With Generative AI-Driven Development Right Now
Oct 1st 2024 6:00am, by
How Agentless Security Can Prevent Major Ops Outages
Sep 30th 2024 7:36am, by
Microsoft Open Sources OpenHCL, a Linux-Based 'Paravisor'
Sep 24th 2024 11:00am, by
How AI Changes App Authentication and Authorization
Sep 24th 2024 7:54am, by
Platform Engineering Operations CI/CD Tech Careers Tech Culture DevOps Kubernetes Observability Service Mesh
How to Build an Internal Developer Platform Like a Product
Sep 23rd 2024 10:57am, by Jennifer Riggins
Platform Engineering Reshapes Software Dev at Bechtle
Sep 4th 2024 6:00am, by Todd R. Weiss
Build Platform Engineering as a Product for Dev Adoption
Sep 2nd 2024 6:00am, by Todd R. Weiss
How Supabase Is Building Its Platform Engineering Strategy
Aug 29th 2024 6:42am, by Todd R. Weiss
How To Implement InnerSource With an Internal Developer Portal
Aug 28th 2024 11:00am, by Aidan O'Connor
Is Kubernetes Green?
Oct 2nd 2024 8:24am, by Anne Currie
Binary Provenance, SBOMs and the Software Supply Chain for Humans
Oct 1st 2024 10:00am, by Mike Long
Abstracting Cloud SDKs, Starting With the Runtime
Oct 1st 2024 8:42am, by Rak Siva
Future-Proof Your SRE Strategy: AI for Performance Gains
Sep 30th 2024 11:11am, by Robert Kimani
How Agentless Security Can Prevent Major Ops Outages
Sep 30th 2024 7:36am, by Manas Chowdhury
How Generative AI Is Revolutionizing Debugging
Sep 25th 2024 8:30am, by Eran Kinsbruner
Stop Blaming Regulation for Poor Software Delivery Performance
Sep 24th 2024 12:00pm, by Steve Fenton
How To Jump-Start Your Stalled Kubernetes Migration
Sep 24th 2024 5:00am, by Vicki Walker
Breaking Up With Java: Is the Cost and Complexity Worth It?
Sep 23rd 2024 12:00pm, by Simon Ritter
For Terraform Deployment, Any CI/CD Can Beat TACOS
Sep 19th 2024 11:07am, by Eran Bibi
What a CTO Learned at Nvidia About Managing Engineers
Sep 26th 2024 9:20am, by Heather Joslyn
Kelsey Hightower on What’s Next for Developers After GenAI
Sep 17th 2024 11:30am, by Joe Fay
SaaS Is Dead, Long Live SaaS!
Sep 16th 2024 10:00am, by Paris Heymann
Should You Become a Contractor?
Sep 13th 2024 10:05am, by Jennifer Riggins
Learning Linux? Start Here
Sep 8th 2024 6:00am, by Damon M. Garn
Social Web Foundation Launched — How In Is W3C on Fediverse?
Sep 24th 2024 6:00am, by Richard MacManus
How To Find Success With Code Reviews
Sep 19th 2024 5:00am, by Loraine Lawson
3 API Vulnerabilities Developers Accidentally Create
Sep 18th 2024 11:00am, by Loraine Lawson
Continuous Stewardship for More Sustainable Code
Sep 12th 2024 7:35am, by Jennifer Riggins
The New 2GB Raspberry Pi 5: Another Option for Linux Sysadmins
Sep 2nd 2024 9:00am, by Damon M. Garn
Techniques for Tackling Catastrophic Forgetting in AI Models
Oct 1st 2024 11:44am, by Kimberley Mok
How To Streamline DevOps With Automated Testing
Sep 30th 2024 12:09pm, by Dima Kramskoy
Want Real Time? Run Scripts Inside the Database
Sep 30th 2024 9:31am, by Matt Sarrel
Prioritize Robust Engineering Over Overblown GenAI Promises
Sep 27th 2024 10:00am, by Dmitry Petrov
Columnar Storage: A Developer’s Key to Real-Time Analytics
Sep 27th 2024 7:00am, by Steph Rogers
Is Kubernetes Green?
Oct 2nd 2024 8:24am, by Anne Currie
Enterprise Data Platforms on Kubernetes Challenge Status Quo
Oct 2nd 2024 7:06am, by Mark Cusack
Databases on Kubernetes: Why, When and What To Consider
Oct 1st 2024 6:16am, by Kathryn Hsu
How To Jump-Start Your Stalled Kubernetes Migration
Sep 24th 2024 5:00am, by Vicki Walker
CNCF Artifact Hub, a One-Stop Shop for Cloud Native Config
Sep 23rd 2024 1:17pm, by Joab Jackson
Why Grafana Offers $100,000 to Startups for Observability
Sep 28th 2024 4:00am, by B. Cameron Gain
The Path to Autonomous Observability
Sep 25th 2024 6:14am, by David Lotan Bolotnikoff
Tetragon eBPF for Kubernetes: The Verdict Is Out
Sep 22nd 2024 7:00am, by B. Cameron Gain
Instrumenting a React App Using OpenTelemetry
Sep 19th 2024 6:00am, by Joaquín Díaz
Traefik 3.0 Works Better With WebAssembly and OpenTelemetry
Sep 17th 2024 1:30pm, by B. Cameron Gain
Istio 1.23 Drops the Sidecar for a Simpler 'Ambient Mesh'
Aug 19th 2024 12:59pm, by Joab Jackson
Can Cilium Be a Control Plane Beyond Kubernetes?
Jul 28th 2024 6:00am, by Alex Williams
6 Tips to Integrate Container Orchestration and APM Tools
May 20th 2024 11:03am, by Chris Cooney
Enhancing Business Security and Compliance with Service Mesh
Apr 1st 2024 10:00am, by Ninad Desai
Some Linkerd Users Must Pay: Fear and Anger Explained
Feb 28th 2024 9:21am, by B. Cameron Gain
AI Operations / API Management / Security

How To Strengthen API Security With Zero Trust

How to fortify your APIs using zero trust to combat AI-driven attacks.
Oct 2nd, 2024 10:00am by
Featued image for: How To Strengthen API Security With Zero Trust
Photo by Belinda Fewings on Unsplash

APIs form the backbone of nearly every digital service, from mobile apps to cloud platforms. Because of their central role, APIs have become prime targets for increasingly sophisticated attacks. In 2021, Gartner predicted that APIs would become the leading attack vector, and that prediction has quickly proven accurate. Yet, only some anticipated how rapidly AI would accelerate these attacks, rendering traditional security measures less effective.

In my work with developers and IT leaders across various organizations, I’ve witnessed firsthand how attackers are shifting their strategies. They’ve moved beyond the traditional, predictable attack patterns. Now, they leverage AI to adapt quickly and efficiently, bypassing defenses like firewalls and rate-limiting. The question is: are your APIs evolving quickly enough to defend against these emerging threats?

Traditional API Security Falls Short Against AI-Driven Threats

Many organizations still rely on static defenses — firewalls, token-based authentication, and rate-limiting — to protect their APIs. However, attackers increasingly find ways to bypass these protections with AI-powered tools.

For example, a developer I worked with discovered that a botnet cleverly mimicked legitimate user behavior. It managed to stay within the rate limits, effectively flying under the radar. This incident forced the team to rethink their security strategy and adopt a more adaptive, proactive zero-trust model.

In another situation, I saw how perimeter-based security was bypassed entirely when an attacker exploited a flaw in a third-party service connected to the API. The attacker managed to access sensitive internal data without triggering any alerts. This incident highlighted how vulnerable APIs are when extending beyond the traditional network perimeter.

Perimeter defenses alone simply aren’t enough in today’s API-driven world.

Zero Trust: A New Mindset for API Security

The solution? Zero trust. This model is based on the principle of “trust nothing, verify everything.” It doesn’t assume any request is safe, regardless of whether it comes from inside or outside the network. Every API interaction is treated as potentially malicious and must be continuously validated.

This mindset is crucial for modern API security, where traffic comes from various sources — mobile devices, cloud services, and third-party applications — and can no longer be trusted by default.

1. Microsegmentation: Isolating Threats Before They Spread

One key strategy within zero trust is microsegmentation. This breaks APIs into smaller, isolated segments, each with security rules. By doing this, organizations can limit attackers’ lateral movement if they compromise one part of the API.

For instance, I recently worked with a financial services company that wanted to minimize the potential damage of any breach. Through microsegmentation, we ensured that attackers couldn’t reach more sensitive systems even if attackers gained access to one segment. It’s like sealing off parts of a ship to prevent flooding; even if one section is breached, the others remain intact.

2. Continuous Authentication: Securing Without Slowing Down

Continuous authentication is another cornerstone of zero trust, requiring each API request to be verified, not just the initial one. Some teams I’ve worked with have worried about the potential performance hit, mainly when APIs handle high traffic volumes.

In one project, I helped a team fine-tune their continuous authentication process. We found a balance between security and speed by adjusting re-authentication intervals to maintain security without introducing delays. It’s like setting up security checkpoints throughout a building; each visitor is checked regularly to ensure no unauthorized activity sneaks through.

3. AI-Powered Monitoring: Staying One Step Ahead

AI-driven attackers require AI-powered defenses. AI-powered real-time monitoring helps detect suspicious behavior before damage occurs. In one case, a client’s API traffic spiked unusually during off-peak hours. The AI monitoring system flagged the activity as abnormal, prompting further investigation.

It turned out that a botnet was attempting to exploit a vulnerability. Fortunately, because the system detected the attack early, the team could neutralize the threat before it escalated. This experience highlighted how critical AI-driven monitoring is for staying ahead of sophisticated attacks.

4. Least Privilege Access: Limiting the Impact of Breaches

Zero trust also emphasizes the principle of least privilege. This ensures that users and systems are only granted access to the data they need, minimizing the damage caused by any breach.

For example, a healthcare organization I worked with effectively applied most minor privilege access controls. The attackers couldn’t access sensitive patient data even after a breach because the compromised account lacked the necessary permissions. It’s like giving someone a key that only opens a single room rather than the entire building.

By limiting access in this way, organizations can significantly reduce the damage any breach might cause.

Lessons From the Field: The Zero-Trust Journey

Transitioning to zero trust isn’t always straightforward, especially for organizations with legacy systems that are not designed with modern security principles in mind. I’ve worked with teams that had to overcome significant challenges in integrating continuous authentication and AI monitoring into older APIs. Performance concerns and resistance to change are common hurdles.

However, in every instance, the long-term security benefits have far outweighed the initial challenges. The shift to zero trust is not just about technology — it’s about embracing a new mindset where security is continuously refined and improved.

There’s no one-size-fits-all approach to zero trust. Each organization’s path will differ depending on its infrastructure, security requirements, and technical challenges. Some organizations prioritize microsegmentation, while others focus on AI-driven monitoring or least privilege access.

The key is treating zero trust as an ongoing investment in security. Regular adjustments and refinements are required to stay effective against evolving threats.

As AI-driven threats evolve, traditional API security measures are quickly becoming inadequate. Organizations adopting a zero-trust architecture can better defend their APIs, secure sensitive data, and stay ahead of attackers constantly refining their tactics.

TRENDING STORIES
Group Created with Sketch.
Akhil Mittal is a cybersecurity thought leader with extensive experience in application security, cloud security, AI, and DevSecOps. Certified in CISSP and CCSP, he is known for driving strategic security initiatives and contributing to industry best practices as an IEEE...
Read more from Akhil Mittal
SHARE THIS STORY
TRENDING STORIES
TRENDING STORIES
TNS DAILY NEWSLETTER Receive a free roundup of the most recent TNS articles in your inbox each day.