API security: why ignoring it is no longer an option
27 May 2025
Joshua Goldfarb (Twitter: @ananalytical) is currently Field CISO at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels.
In my work, I’ve had the opportunity to meet with security teams across a wide range of industries and regions. These conversations are always insightful, offering a real-world view into the challenges teams face. While the specifics evolve over time, one topic that keeps coming up lately is API security.
And not just in passing; it has become a central concern.
When I talk about API security, I’m referring to the full lifecycle. That includes everything from discovering APIs and analysing vulnerabilities to implementing controls, monitoring activity, and responding to incidents. I find it helpful to think of it in seven parts: code-based discovery, vulnerability analysis, API discovery, preventive controls, continuous monitoring, incident response, and learning from what happened.
The first three, which include discovery and visibility, are foundational. Without them, the rest becomes guesswork. Most teams I speak with understand this and are actively working to gain that visibility. But occasionally, I come across a different mindset.
Some teams, believe it or not, would rather not know.
The thinking goes like this: if we don’t know about a problem, we’re not responsible for fixing it. It’s a tempting shortcut, but one that comes with serious consequences.
Here’s why that approach is risky.
Responsibility
Security is a shared responsibility. That includes protecting sensitive data and critical systems. Even if awareness makes our jobs harder, we have a duty to know what’s going on in our environments.
Risk
The biggest threats often come from the things we don’t see. Unknown APIs, sometimes called shadow or zombie APIs, are prime targets for attackers. Ignoring them doesn’t make them go away.
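One concrete form of the discovery step this section calls foundational, as an added example (not code from the original post or from F5): reconcile what an API gateway or web server actually served, taken from its access log, against the documented inventory, so that undocumented endpoints carrying traffic (shadow) and deprecated endpoints still answering requests (zombie) surface as findings. The inventory dictionary, log lines and paths are constructed sample data.

```python
import re
from collections import Counter

# Constructed inventory standing in for an OpenAPI spec export (hypothetical data).
INVENTORY = {
    ("GET", "/api/v2/users/{id}"): {"deprecated": False},
    ("POST", "/api/v2/orders"): {"deprecated": False},
    ("GET", "/api/v1/users/{id}"): {"deprecated": True},  # retired on paper only?
}

# Constructed access-log lines in Apache combined format (hypothetical data).
ACCESS_LOG = """\
10.0.0.5 - - [27/May/2025:10:01:02 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512
10.0.0.7 - - [27/May/2025:10:01:05 +0000] "POST /api/v2/orders HTTP/1.1" 201 88
10.0.0.9 - - [27/May/2025:10:02:11 +0000] "GET /api/v1/users/7 HTTP/1.1" 200 490
10.0.0.9 - - [27/May/2025:10:02:12 +0000] "GET /api/internal/debug/config HTTP/1.1" 200 2048
10.0.0.9 - - [27/May/2025:10:02:13 +0000] "GET /api/internal/debug/config?x=1 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ID_RE = re.compile(r"/\d+(?=/|$)")

def normalize(path):
    # Drop the query string and collapse numeric segments to {id} so that
    # observed requests match the templated paths used in the inventory.
    return ID_RE.sub("/{id}", path.split("?", 1)[0])

def observed_endpoints(log_text):
    # Count requests per (method, normalized path) seen in the log.
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m["method"], normalize(m["path"]))] += 1
    return counts

def classify(inventory, counts):
    # shadow: traffic to an endpoint the inventory never listed;
    # zombie: endpoint marked deprecated in the inventory but still serving requests.
    report = {"documented": {}, "shadow": {}, "zombie": {}}
    for endpoint, n in counts.items():
        entry = inventory.get(endpoint)
        if entry is None:
            report["shadow"][endpoint] = n
        elif entry["deprecated"]:
            report["zombie"][endpoint] = n
        else:
            report["documented"][endpoint] = n
    return report
```

Running `classify(INVENTORY, observed_endpoints(ACCESS_LOG))` on the constructed data reports `GET /api/internal/debug/config` as shadow and `GET /api/v1/users/{id}` as zombie; in practice the inventory would be generated from the spec repository and the log fed from the gateway on a schedule, which is what turns one-off discovery into the continuous visibility the post describes.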
Ownership
Security professionals are expected to act in the best interest of the organisations we protect. That means taking ownership, even when it’s inconvenient.
Pain
Problems don’t disappear when ignored. They grow. And when they finally surface, the impact is usually far worse than if they’d been addressed early.
Liability
Organisations are accountable for the data they hold. If a breach occurs and it’s discovered that issues were knowingly ignored, the legal and reputational fallout can be severe.
The good news is that there’s a better way forward. At F5, we’ve seen how automated API discovery, continuous visibility, and full-lifecycle protection can help teams stay ahead of threats while supporting innovation.
If this resonates with you, I’d like to invite you to a webinar I’m presenting, hosted by CACI, a trusted F5 partner:
Taming API Chaos: Pain Points and the F5 Advantage
Date: Wednesday 25th June
Time: 11:00am–12:00pm (BST)
Location: GoToWebinar
Speakers:
• Josh Goldfarb, Field CISO, F5
• Alice Strachan, Senior Account Director, CACI
Register here
We’ll explore the real-world challenges of API sprawl, hybrid complexity, and rising threats, and how leading organisations are solving them. If you’re ready to take a more proactive approach to API security, I hope you’ll join us.