
All news with #api security tag

28 articles

Practical Guidance for Securing Google API Keys

🔐 This post explains why API keys are sensitive credentials for accessing Google AI and Cloud services and why careless handling leads to misuse or billing abuse. It outlines simple, actionable steps: create keys in dedicated projects, apply API and application restrictions, and store keys in Secret Manager or equivalent. The article also covers detection and response—how to list keys, monitor usage metrics, delete compromised keys, and rotate keys to reduce risk.

Microsoft Named Leader in IDC MarketScape for API Management

🏆 Microsoft has been named a Leader in the IDC MarketScape: Worldwide API Management 2026 Vendor Assessment, reflecting its emphasis on scaling APIs and AI together. Built on a decade-old foundation, Azure API Management governs over 38,000 customers, nearly 3 million APIs, and 3 trillion monthly requests while extending to AI gateway capabilities used by 2,000+ enterprises. The platform provides a single, Azure-native control plane to enforce policy, observability, and cost controls for both APIs and AI workloads.

Check Point WAF Named Technology Innovation Leader

🛡️ Check Point has been honored with Frost & Sullivan’s 2026 Technology Innovation Leadership recognition for WAF and API security. The accolade underscores a shift in application security as apps span APIs, microservices, AI-driven services and hybrid/multi‑cloud deployments. Check Point’s WAF is positioned to help organizations secure rapid DevSecOps releases, reduce attack surface and protect both traditional web and emerging AI applications.

Cloudflare Launches Registrar API Beta for Automation

🚀 Cloudflare today launched the Registrar API in beta, enabling programmatic domain search, availability checks, and direct registration. Designed for editors, CI pipelines, and agent-driven workflows, the API exposes a simple Search → Check → Register flow that agents can use to suggest names, confirm pricing, and complete purchases using account defaults. Registrations are offered at-cost, with WHOIS privacy enabled by default and explicit fee acknowledgement required for premium domains.

Google API Key Flaw Exposes Mobile Apps to Gemini Access

🔒 A flaw in Google's API key model has allowed embedded Android app keys to gain silent access to the Gemini AI endpoints when the API is enabled in a project. CloudSEK's April 8 advisory found 32 active keys across 22 apps with more than 500 million installs and demonstrated retrieval of user-uploaded audio via the Gemini Files API. Developers should immediately audit projects, rotate exposed keys and apply strict API restrictions.

AI Is Changing App Threats Faster Than Teams Can Adapt

🔒 AI-driven changes in web applications and APIs are outpacing traditional controls, creating large visibility and detection gaps. The 2026 Web Application Security Report, based on a global survey of over 800 security professionals, finds only 29% confidence in overall application security and just 15% for AI-integrated apps. FortiAppSec Cloud is presented as an integrated platform combining WAF, API protection, bot mitigation, and application security services to provide shared telemetry and consistent enforcement across dynamic, service-generated traffic.

APIs Are the New Perimeter: How Security Leaders Secure Them

🔒 APIs are increasingly the enterprise perimeter, and recent breaches show traditional protections often miss API-layer abuse. Security teams report attacks that exploit business logic or use stolen credentials, which EDR and WAF tools can treat as legitimate traffic. CISOs are adopting API governance, centralized inventories, identity-aware access controls, and API gateways integrated into CI/CD to enforce least-privilege and reduce misconfiguration risk. As agentic AI and automated agents proliferate, stronger token handling, credential rotation, and real-time behavioral monitoring are becoming essential.

SpyCloud 2026 Report: Surge in Non-Human Identity Theft

🔒 SpyCloud's 2026 Identity Exposure Report details a structural shift in credential theft, reporting a 23% increase in its recaptured datalake to 65.7B distinct identity records. Attackers are increasingly targeting non-human identities — exposed API keys, session tokens and AI-linked credentials — which often lack MFA and rotate infrequently. The report also flags large volumes of phished records, session artifacts, and malware-exfiltrated data that enable persistent, scalable access across cloud and enterprise environments.

APIs Now Dominant Attack Surface as Incidents Surge

🔒 Akamai’s 2025 State of the Internet report finds APIs have become the dominant attack surface, with an average of 258 API attacks per organization (up 113% year‑on‑year). The vendor reports 61% of attacks involved unauthorized workflows or abnormal behavior, signaling a shift towards behavior‑based exploitation. Top exploited issues included security misconfigurations, broken object property level authorization and broken authentication. Akamai also warns that agentic AI and automation are amplifying the risk of sensitive data exposure across APIs.

Cloudflare Launches Web and API Vulnerability Scanner

🔍 Cloudflare today announced the beta of its Web and API Vulnerability Scanner, initially focused on detecting Broken Object Level Authorization (BOLA) in APIs. The scanner integrates with API Shield, leveraging passive schema learning and API discovery to construct stateful, credentialed tests without extensive setup. It builds automatic scan plans from OpenAPI specs, augments missing or ambiguous schema data using Workers AI, and can create owner and attacker request chains to detect logic flaws. Credential handling uses HashiCorp Vault Transit to encrypt secrets and Temporal for orchestration.
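To make the owner/attacker request chain described above concrete, here is an added example (written for this listing, not Cloudflare's scanner code and not tied to API Shield). A toy in-memory `NotesApi` stands in for the HTTP calls a real scan would make; the class, `bola_probe`, and the user names are assumptions for illustration. The same API can be run with ownership enforcement off (the BOLA bug) or on (the fix), and the probe reports which behaviour it observed. The hardened path also answers 404 rather than 403 to an attacker, so the probe doubles as an id-existence oracle check.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass
class Note:
    owner: str
    body: str


class NotesApi:
    """Stand-in for a REST resource at /notes/{id} (assumed, for illustration).

    With enforce_ownership=False the read handler only checks that the id
    exists, which is the classic Broken Object Level Authorization bug.
    """

    def __init__(self, enforce_ownership: bool) -> None:
        self.enforce_ownership = enforce_ownership
        self._notes: Dict[int, Note] = {}
        self._ids = count(1)  # sequential ids, as in many real APIs

    def create(self, user: str, body: str) -> int:
        note_id = next(self._ids)
        self._notes[note_id] = Note(owner=user, body=body)
        return note_id

    def get(self, user: str, note_id: int) -> Tuple[int, Optional[dict]]:
        note = self._notes.get(note_id)
        if note is None:
            return 404, None
        if self.enforce_ownership and note.owner != user:
            # Hardened path: 404 instead of 403 so a caller that is not the
            # owner also learns nothing about which ids exist.
            return 404, None
        return 200, {"id": note_id, "owner": note.owner, "body": note.body}


def bola_probe(api: NotesApi, owner: str, attacker: str) -> dict:
    """Owner/attacker chain: owner creates an object and confirms it can read
    it, then the attacker replays the same id with its own identity."""
    note_id = api.create(owner, "owner-only data")
    owner_status, _ = api.get(owner, note_id)
    attacker_status, attacker_body = api.get(attacker, note_id)
    return {
        "object_id": note_id,
        "owner_status": owner_status,
        "attacker_status": attacker_status,
        # Only a 200 that actually returns the owner's object is a finding;
        # a 403 or 404 for the attacker means the check held.
        "vulnerable": owner_status == 200
        and attacker_status == 200
        and attacker_body is not None,
    }


if __name__ == "__main__":
    for label, api in (("vulnerable", NotesApi(False)), ("hardened", NotesApi(True))):
        print(label, bola_probe(api, "alice", "mallory"))
```

Against a live API the two `get` calls become HTTP requests carrying two different credentials, and the probe is repeated per object-returning endpoint in the scan plan; the pass condition stays the same.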

Programmable SASE: Cloudflare Enables Real-Time Policies

🔧 Cloudflare outlines a truly programmable SASE that lets customers run real-time, inline logic at the edge to make decisions rather than just trigger alerts. Beyond basic APIs, webhooks, and Terraform, Cloudflare One and the Developer Platform enable invoking Workers on policy matches to enrich requests, call risk engines, inject headers, and route traffic with millisecond latency. The post describes managed and custom actions, demonstrates an automated device session revocation Worker, and previews deeper integration and custom action support through 2026.

Thousands of Google Cloud API Keys Expose Gemini Access

⚠️ Truffle Security found nearly 3,000 Google Cloud API keys (prefix "AIza") embedded in client-side code that can now authenticate to Gemini endpoints when a project enables the Generative Language API. Attackers scraping sites can use exposed keys to access uploaded files, cached contents, and make LLM calls that charge victims' accounts. Google says it has implemented measures to detect and block leaked keys and advises rotating and restricting exposed keys.

Combat API Sprawl with Apigee API Hub Integration Now

🤖 Apigee API Hub and API Gateway now integrate to centralize dispersed API metadata and make specs agent-ready. A new API Gateway–API Hub sync brings OpenAPI definitions and gateway configurations into a single control plane without changing existing services or client behavior. The spec boost add-on analyzes gaps and produces a specboost-draft that enriches specs with examples, parameter validation, and error details. Teams can review boosted and original specs side-by-side before adopting changes.

Amazon MSK adds public APIs to manage Kafka topics

🔧 Amazon MSK now exposes three public topic management APIs — CreateTopic, UpdateTopic, and DeleteTopic — enabling programmatic topic lifecycle operations without running Kafka admin clients. You can use AWS CLI, AWS SDKs, and CloudFormation or the integrated MSK console to create and update topics with guided defaults and view partition-level details and metrics. These features are available at no extra cost for provisioned clusters running Kafka 3.6 and above; ensure appropriate IAM permissions before use.

Why secrets in JavaScript bundles remain exposed at scale

🔐 Intruder's research scanned roughly 5 million web applications and identified over 42,000 exposed tokens across 334 secret types, revealing widespread leakage in front-end JavaScript bundles. The report shows how traditional path-and-regex scanners, many SAST tools, and some DAST deployments miss secrets introduced during build and deployment, especially in SPAs. High-impact findings included active GitHub/GitLab personal access tokens, project-management API keys, and hundreds of live webhooks; Intruder developed automated SPA secrets detection to close these gaps.
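The Truffle Security and Intruder items above both come down to the same check: scan what actually ships to browsers, the built bundle, rather than the source tree. Here is an added example of that scan (not Truffle Security's or Intruder's tooling). The bundle text, the three detector patterns, and the triage notes are assumptions constructed for illustration; the token values are synthetic placeholders shaped like real ones. Findings carry a masked value and an offset so the report never becomes a second copy of the leak.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of a minified front-end bundle. Values are synthetic
# placeholders with the right shape, not live credentials.
SAMPLE_BUNDLE = (
    'var cfg={firebase:{apiKey:"AIzaSyD0123456789abcdefghijklmnopqrstuv"},'
    'gh:"ghp_abcdefghijklmnopqrstuvwxyz0123456789",'
    'hook:"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",'
    'pub:"pk_test_notasecret",ver:"1.2.3"};'
)

# Detector patterns (assumed) for the token kinds named in the two articles.
# Google API keys: "AIza" prefix plus 35 key characters.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"
    ),
}

# What the finding means, since not every match is equally severe: a Google
# key in a browser bundle is expected, but it is only safe if restricted.
TRIAGE = {
    "google_api_key": (
        "Browser keys are public by design; verify API and application "
        "restrictions and whether the Generative Language API is enabled "
        "in the project, then rotate if it is unrestricted."
    ),
    "github_pat": "Never legitimate in a bundle; revoke and rotate now.",
    "slack_webhook": "Anyone holding the URL can post; regenerate the webhook.",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    offset: int   # position in the bundle, to trace the leak back to the build step
    masked: str   # the report never stores the full secret
    note: str


def mask(secret: str) -> str:
    """Keep just enough of the value to identify which key leaked."""
    return secret[:6] + "..." + secret[-4:]


def scan_bundle(text: str) -> List[Finding]:
    """Regex scan over built bundle text, ordered by where each match sits."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(
                Finding(kind, match.start(), mask(match.group(0)), TRIAGE[kind])
            )
    return sorted(findings, key=lambda f: f.offset)


if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(f"{finding.offset:6d} {finding.kind:16s} {finding.masked}  {finding.note}")
```

Run this against the artefacts your CI produces (the `dist/` output after bundling), not the repository, since that is where build-time environment substitution introduces the values the source never contained. Publishable prefixes such as `pk_test_` are deliberately not matched.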

Opening the Automation Garden with API and Webhook

🔁 Infinity Playblocks introduces API Request Step and Webhook Trigger to enable seamless bi-directional integration with any external system. Security teams can now call outbound APIs from playbooks and accept inbound webhook events to initiate automations. This open automation approach connects SIEMs, ITSM platforms, cloud and network controls, and third-party services without bespoke connectors. The result is simpler orchestration, fewer manual handoffs, and faster incident response.

Apigee Adds Managed MCP Support for Secure APIs and Policy

🔒 Google’s Apigee now supports MCP with fully managed, remote servers, enabling organizations to expose existing APIs as agent tools without code changes or running MCP infrastructure. By creating an MCP proxy with your OpenAPI spec and a /mcp basepath, Apigee handles transcoding, protocol handling, and automatic registration in API hub. You can apply Apigee’s built-in security, identity, quota, and analytics controls to govern and monitor agent interactions. The capability is currently available in preview for a limited set of customers.

API Gateway Adds Private ALB Integration for REST APIs

🔗 Amazon API Gateway REST APIs now support private integration with Application Load Balancer (ALB), enabling direct inter‑VPC connectivity to internal ALBs. This removes the previously required Network Load Balancer hop, which can reduce latency and simplify deployments. The integration brings Layer 7 capabilities — such as HTTP/HTTPS health checks, advanced request‑based routing, and native container service alignment — while retaining NLB-based layer‑4 options.

AWS API Gateway Portals: Managed Developer Portals

🔧 Amazon API Gateway now offers Portals, a fully managed, AWS-native developer portal for discovering, documenting, governing, and monetizing REST APIs across accounts. Portals automatically discover existing APIs, generate documentation with a "Try It" experience, and support custom content, branding, access controls, and analytics via CloudWatch RUM. This reduces onboarding time and keeps API configurations within AWS boundaries to reduce third-party security risks.

Expanding CloudGuard: Securing GenAI Application Platforms

🔒 Check Point expands CloudGuard to protect GenAI applications by extending the ML-driven, open-source CloudGuard WAF that learns from live traffic. The platform moves beyond traditional static WAFs to secure web interactions, APIs (REST, GraphQL) and model-integrated endpoints with continuous learning and high threat-prevention accuracy. This evolution targets modern attack surfaces introduced by generative AI workloads and APIs.