Debunking API Security Myths
Description

I recently sat down with Tejpal Garwhal, Application Security and DevSecOps Leader, for a conversation debunking some of the most common API security myths. From zombie endpoints to the limits of WAFs and gateways, we covered what's really happening on the ground and what security teams need to do differently. Here's a quick rundown of the key takeaways, but for the full picture, watch the full webinar.

Myth 1: "We Know What APIs We Have"

This was the first and most persistent myth we tackled. Most teams assume that if they've deployed APIs, they must know what exists in their environment. The reality is very different.

Tejpal pointed out how API sprawl often happens without anyone noticing. Developers build and deploy endpoints on short timelines, documentation lags behind, and different teams assume someone else is keeping track. In practice, no single group holds a full view of the API inventory.

Worse, many teams rely on API gateways or management platforms as their source of truth, but those tools only track what has been routed through them. They won't catch endpoints deployed ad hoc, or legacy APIs left behind in long-forgotten codebases. We agreed: without complete visibility, securing APIs is guesswork.

Myth 2: "Our APIs Don't Expose Sensitive Data"

Tejpal and I often hear that encryption solves the data exposure problem. As long as you're using HTTPS, the assumption goes, everything is safe. However, as we discussed, encryption in transit or at rest…
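The point under Myth 1 is that a gateway's route table is only the inventory of traffic that passes through the gateway, so a practical check is to reconcile it against what your servers actually answer. The script below is an added example (not code from the webinar or its speakers): it parses constructed access-log lines, normalizes path parameters so that a concrete URL such as `/api/v2/users/42` matches a registered template, and reports both shadow endpoints (served but never registered) and zombie endpoints (registered but never hit). The route set and log lines are constructed sample data.

```python
"""Reconcile a gateway's registered routes against observed access-log traffic.

Added example with constructed data; the gateway route list and log lines
below are invented for illustration and do not describe any real system.
"""
import re
from collections import Counter

# Constructed: (method, path template) pairs the gateway knows about.
GATEWAY_ROUTES = {
    ("GET", "/api/v2/users"),
    ("POST", "/api/v2/users"),
    ("GET", "/api/v2/users/{id}"),
    ("GET", "/api/v2/orders"),
    ("GET", "/api/v1/reports"),  # registered, but no traffic below: zombie candidate
}

# Constructed access-log lines in a simplified combined log format.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/v2/users HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "POST /api/v2/users HTTP/1.1" 201 98
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /api/v2/orders HTTP/1.1" 200 2048
10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /api/v1/export HTTP/1.1" 200 9120
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /api/v1/export?all=1 HTTP/1.1" 200 9120
"""

# Extracts the request method and target from the quoted request field.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def normalize_path(path):
    """Collapse numeric and UUID path segments to '{id}' so concrete URLs
    compare equal to the gateway's path templates."""
    segments = path.split("/")
    return "/".join(
        "{id}" if seg.isdigit() or UUID_RE.match(seg) else seg for seg in segments
    )


def parse_access_log(text):
    """Yield (method, normalized_path) for each request line; query strings
    are dropped because they are not part of the route identity."""
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # skip malformed or non-request lines
        path = match.group("path").split("?", 1)[0]
        yield match.group("method"), normalize_path(path)


def observed_endpoints(text):
    """Count how often each (method, path) was served."""
    return Counter(parse_access_log(text))


def reconcile(gateway_routes, log_text):
    """Return shadow endpoints (served but unregistered, with hit counts) and
    zombie endpoints (registered but never observed in the log window)."""
    seen = observed_endpoints(log_text)
    shadow = {ep: n for ep, n in seen.items() if ep not in gateway_routes}
    zombie = {ep for ep in gateway_routes if ep not in seen}
    return {"shadow": shadow, "zombie": zombie}


if __name__ == "__main__":
    result = reconcile(GATEWAY_ROUTES, ACCESS_LOG)
    print("Shadow endpoints (served, not in gateway):")
    for (method, path), hits in sorted(result["shadow"].items()):
        print(f"  {method} {path}  ({hits} hits)")
    print("Zombie endpoints (in gateway, no traffic):")
    for method, path in sorted(result["zombie"]):
        print(f"  {method} {path}")
```

Run it against a real export of your gateway's route table and a day of origin-server logs (not the gateway's own logs, which by definition only contain routed traffic). A zombie finding over a short window is only a candidate; widen the window before deregistering anything, while a shadow finding is worth a conversation with the owning team the same day.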
