DEVOPSdigest

The idea of embedding security into DevOps isn't new, and it's fair to say it's never been fully realized, but API security presents a particular challenge for DevOps that requires consideration. API adoption has been on the rise for years, but now that enterprises are accelerating their adoption of AI, there's an explosion of new integrations. APIs serve as the connective tissue for these integrations. Wallarm recently completed our annual API ThreatStats report for 2025. The findings reveal a sharp increase in both AI and API-related vulnerabilities.

The Expanding Attack Surface of APIs

In 2024, APIs emerged as the most targeted attack vector in cybersecurity, accounting for over 50% of recorded exploits in the CISA Known Exploited Vulnerabilities catalog. The complexity of modern software ecosystems, with interconnected services, third-party integrations, and AI-driven applications, has significantly increased the number of exposed API endpoints.

We can break down the most common challenges into a few categories:

■ Insecure Authentication and Authorization: Over 89% of AI-powered APIs were found relying on static keys or weak authentication methods.

■ API Misconfigurations: Shadow APIs and misconfigured endpoints remain a top security risk, often leading to data leaks.

■ Injection Attacks and Memory Corruption: The rise of AI-driven workloads has introduced new attack vectors, such as buffer overflows and model poisoning through API endpoints.

Additionally, the report highlighted that AI-related API vulnerabilities surged by 1,025% in 2024, with nearly 99% of AI CVEs tied directly to API weaknesses. A significant portion of these vulnerabilities stemmed from high-performance binary APIs, which introduced new memory corruption risks due to AI's reliance on hardware acceleration. Moreover, over 57% of AI-powered APIs were externally accessible, and 63% of enterprise leaders admitted that AI adoption had increased their overall API security risk profile.

Lessons from Recent API Breaches

The high-profile API breaches in 2024 highlight the urgent need for stronger API security measures:

■ Dell API Exploit: Attackers exploited weak registration processes to scrape data from 49 million customer records.

■ Twilio Authy Breach: API enumeration vulnerabilities led to the exposure of 33.4 million linked phone numbers, enabling phishing and SIM-swapping attacks.

■ Digi Yatra Data Leak: Misconfigured API endpoints exposed 1.74 million Aadhaar-linked personal details, emphasizing the risks of improper access control.

How Can DevOps Teams Strengthen API Security?

Given the current threat landscape, DevOps teams must become fluent in API security. Best practices include:

■ Comprehensive API Discovery and Inventory: Implement automated tools to detect and catalog all API endpoints, including shadow APIs.

■ Stronger Authentication and Access Controls: Shift from static keys to OAuth 2.0, JWTs with expiration, and fine-grained role-based access.

■ Real-Time API Monitoring and Threat Detection: Utilize AI-powered anomaly detection to identify and respond to suspicious API activity.

■ Secure CI/CD Pipelines: Integrate API security testing into the software development lifecycle to catch vulnerabilities before deployment.

■ Rate Limiting and Abuse Prevention: Enforce dynamic rate limiting to prevent API abuse and data scraping attempts.

Conclusion

API security can no longer be an afterthought. It has to be a core capability for DevOps teams. With APIs playing a critical role in enterprise infrastructure, securing them against evolving threats is essential to maintaining operational resilience and protecting sensitive data. By proactively addressing API vulnerabilities, DevOps teams can mitigate risks and ensure secure, reliable API and AI deployments in 2025 and beyond.