Podcast series: The Security Strategist
Guest: Chip Witt, Principal Security Analyst at Radware
Host: Richard Stiennon, Chief Analyst Researcher at IT-Harvest
When attackers target modern enterprises, they don’t break in; they log in. This insight came from the recent episode of The Security Strategist Podcast, where host Richard Stiennon, a cybersecurity analyst and Chief Analyst Researcher at IT-Harvest, speaks to Chip Witt, Principal Security Analyst at Radware.
The conversation spotlights a critical issue faced by most enterprises – defending APIs as if they are just infrastructure while attackers exploit them as part of the business logic. That gap represents the real risk.
What’s the Core Misunderstanding with APIs?
According to Witt, enterprise teams often view APIs as technical plumbing instead of business products. Security programs focus on endpoints and authentication, believing that a locked front door means the house is safe.
However, the true risk lies deeper — in authorisation logic, identity sprawl, and how applications change over time. Modern development methods lead to constant API drift. New routes appear, fields change, and versions multiply. In many organisations, security leaders cannot confidently state which APIs are live in production. The uncertainty to many is theoretical, but in reality, it’s an operational risk.
What’s the Illusion of Authentication?
One uncomfortable truth in API security is that most serious attacks happen after successful authentication. Attackers don’t try to force their way in. Instead, they use valid credentials, often stolen or replayed, to interact with APIs exactly as intended, but with malicious goals.
This is where traditional advice, including frameworks from OWASP, starts to fall short. The familiar categories outline weaknesses, but real-world attacks target business workflows. They manipulate object-level authorisation, pivot through insecure direct object references, abuse overly broad tokens, and over-fetch sensitive data because developers include more than necessary. The traffic may appear normal, but the sequence does not.
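The object-level authorisation, IDOR, broad-token and over-fetching failures listed above share one shape: the request is authenticated, so the gate opens, but nothing checks whether this caller may act on this object or see these fields. The snippet below is an added illustration, not code from the podcast or from Radware: a toy order-lookup route with a deliberately weak handler beside a hardened one. The order records, the `orders:read` scope, the field allowlist and the `Token` type are all constructed for the example.

```python
"""Object-level authorisation and response minimisation for an API route.

Added example (not from the podcast or Radware). Every identifier, record and
scope name here is a constructed assumption used only to show the pattern.
"""
from dataclasses import dataclass

# Constructed sample data: two customers, one order each. Records carry fields
# that must never be returned wholesale to a customer.
ORDERS = {
    1001: {"id": 1001, "owner": "alice", "total": 42.50, "status": "shipped",
           "card_number": "4111111111111111", "internal_notes": "VIP, waive fee"},
    1002: {"id": 1002, "owner": "bob", "total": 9.99, "status": "pending",
           "card_number": "5555555555554444", "internal_notes": "fraud review"},
}


@dataclass(frozen=True)
class Token:
    """The already-authenticated caller: who they are and what the token may do."""
    subject: str
    scopes: frozenset


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised for the object."""


def get_order_weak(token, order_id):
    """Authenticated but not authorised (the IDOR + over-fetching pattern):
    any valid token can read any order, and the whole record is returned,
    including the card number and internal notes."""
    return dict(ORDERS[order_id])


# Allowlist of fields a customer may see. Serialising by allowlist, rather than
# stripping known-bad fields, keeps columns added later private by default.
CUSTOMER_VIEW = ("id", "total", "status")


def get_order_hardened(token, order_id):
    """Object-level check: the token must carry a scope that permits reading
    orders, and the caller must own the record. 'Not found' and 'not yours'
    raise the same error so the route does not confirm which ids exist."""
    if "orders:read" not in token.scopes:
        raise Forbidden("token lacks orders:read scope")
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != token.subject:
        raise Forbidden("order not found")
    # Response minimisation: only the allowlisted fields leave the service.
    return {field: order[field] for field in CUSTOMER_VIEW}


if __name__ == "__main__":
    bob = Token("bob", frozenset({"orders:read"}))
    print("weak handler, bob reading alice's order:", get_order_weak(bob, 1001))
    try:
        get_order_hardened(bob, 1001)
    except Forbidden as exc:
        print("hardened handler, same request:", exc)
```

The weak handler is exactly the "traffic looks normal" case from the text: a valid token, a well-formed GET, a 200 response. The hardened handler adds the two decisions the text says are missing, an ownership check tied to the object and a scope check tied to the token, and returns only what the caller's role needs.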
Stiennon pointed out an unsettling market reality. “A few years ago, API security startups attracted significant funding, encouraged by expectations of rapid growth. Then the momentum slowed. Vendors plateaued. The sector stopped acting like the next big wave.”
If APIs are essential to digital business, why hasn’t API security become a thriving standalone market?
Witt answered clearly: "Effective API security is tough. Achieving visibility is possible. Blocking obvious abuse is doable. However, understanding intent at runtime—differentiating between legitimate use and subtle exploitation of business logic—requires behavioral modeling, sequence awareness, and AI-driven analysis that many tools were not designed to offer."
Organisations that invested in basic discovery tools learned that simply knowing an API exists does not guarantee protection for how it behaves.
How are Enterprises Shifting Towards Intent-Aware Protection?
As enterprises speed up their use of serverless architectures, microservices, and AI-driven applications, API sprawl intensifies. With sprawl, the security model cannot remain unchanged while the application structure evolves.
According to Witt, the future of API security must be intent-aware. Protection should assess whether a sequence of calls makes sense within its context for the user, system, or resource initiating them. Simply confirming identity is not enough; security also needs to validate behaviour.
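"Does this sequence of calls make sense for this caller?" is a question that cannot be answered one request at a time. The example below is an added illustration, not code from the podcast or from Radware, of two sequence-aware checks run over constructed API access-log lines: one flags a subject walking through many distinct object ids on one route inside a short window (the enumeration that precedes object-level abuse), the other flags a workflow step issued without the step that is supposed to precede it. The log format, routes, thresholds and the checkout-before-payment rule are all assumptions made for the example.

```python
"""Sequence-aware detection over API access logs.

Added example (not from the podcast or Radware). The log lines, the
route names, the workflow rule and the thresholds are constructed
assumptions chosen to show the technique, not values from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, authenticated subject, method, path, status.
# alice follows the expected cart -> checkout -> payment flow; mallory skips
# checkout and then walks through order ids she does not own.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice GET /cart 200
2024-05-01T10:00:04Z alice POST /checkout 200
2024-05-01T10:00:06Z alice POST /payment 200
2024-05-01T10:01:00Z mallory POST /payment 200
2024-05-01T10:02:00Z mallory GET /orders/1001 200
2024-05-01T10:02:01Z mallory GET /orders/1002 403
2024-05-01T10:02:01Z mallory GET /orders/1003 403
2024-05-01T10:02:02Z mallory GET /orders/1004 403
2024-05-01T10:02:02Z mallory GET /orders/1005 200
2024-05-01T10:02:03Z mallory GET /orders/1006 403
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed line format into event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, subject, method, path, status = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "subject": subject, "method": method,
                       "path": path, "status": int(status)})
    return events


def route_template(path):
    """Collapse numeric segments so /orders/1001 and /orders/1002 share one route."""
    return re.sub(r"/\d+", "/{id}", path)


ENUM_WINDOW = timedelta(seconds=60)   # assumed window
ENUM_THRESHOLD = 5                    # assumed distinct-id threshold


def detect_enumeration(events):
    """Flag (subject, route, distinct ids) when one subject touches at least
    ENUM_THRESHOLD distinct object ids on one route within ENUM_WINDOW.
    Each request on its own is unremarkable; the pattern is the signal."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        ids = re.findall(r"/(\d+)", e["path"])
        if not ids:
            continue
        key = (e["subject"], f"{e['method']} {route_template(e['path'])}")
        by_key[key].append((e["ts"], ids[-1]))
    for (subject, route), hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):       # sliding window from each hit
            window = [h for h in hits[i:] if h[0] - start <= ENUM_WINDOW]
            distinct = {obj_id for _, obj_id in window}
            if len(distinct) >= ENUM_THRESHOLD:
                alerts.append((subject, route, len(distinct)))
                break                                # one alert per subject/route
    return alerts


# Assumed workflow rule: a payment must be preceded by a checkout from the same subject.
WORKFLOW_PREREQ = {("POST", "/payment"): ("POST", "/checkout")}
PREREQ_WINDOW = timedelta(minutes=5)


def detect_workflow_violations(events):
    """Flag (subject, call, timestamp) when a call with a required predecessor
    is made without that predecessor by the same subject within PREREQ_WINDOW."""
    alerts = []
    history = defaultdict(list)                      # subject -> [(ts, method, path)]
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["method"], e["path"])
        if key in WORKFLOW_PREREQ:
            pm, pp = WORKFLOW_PREREQ[key]
            seen = any(m == pm and p == pp and e["ts"] - t <= PREREQ_WINDOW
                       for t, m, p in history[e["subject"]])
            if not seen:
                alerts.append((e["subject"], f"{e['method']} {e['path']}",
                               e["ts"].isoformat()))
        history[e["subject"]].append((e["ts"], e["method"], e["path"]))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumeration:", detect_enumeration(evs))
    print("workflow:", detect_workflow_violations(evs))
```

Both detectors key on the authenticated subject rather than on an IP or a signature, which is what makes them useful against the "valid credentials, malicious goals" case: the mix of 200 and 403 responses in the enumeration run is itself a tell that authorisation is being probed, and the payment without a checkout is a business-logic violation that no per-request rule would catch.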
Zero trust principles have reshaped strategies for networks and identities. APIs now require similar scrutiny—not just at the perimeter, but within the workflow itself.
APIs are no longer just back-end connectors; they are now the visible surface of the enterprise. The most concerning attacks are not brute-force attempts. The attacks that do the most damage are authenticated actions carried out with malicious intent.
Organisations that continuously track their APIs, enforce strict authorisation, and identify workflow misuse in real time can significantly reduce their risk of breaches. More importantly, they can align security with the business pace. In today’s digital economy, APIs are the product.
Takeaways
- APIs are your primary business attack surface, not back-end infrastructure.
- Most damaging API attacks use valid credentials and exploit weak authorisation.
- Visibility gaps and API drift quietly expand your exposure over time.
- Machine-to-machine identities often carry excessive, unmonitored privileges.
- Runtime, intent-aware detection is now essential to stopping business logic abuse.
For more information, please visit em360tech.com and radware.com