APIs are the new perimeter: Here’s how CISOs are securing them

https://www.csoonline.com/article/4148315/apis-are-the-new-perimeter-heres-how-cisos-are-securing-them.html

Publish Date: 2026-03-30 06:06:00

Source Domain: www.csoonline.com

As Subramaniam explains, “AI agentic systems, which autonomously access APIs to perform tasks, complicate API security by expanding the attack surface, enabling dynamic and unpredictable interactions, and amplifying existing vulnerabilities through high-speed, automated actions.” Preventing unauthorized access by agents will require more granular, time-bound role-based access control (RBAC).

Other API risks stem from the broader software supply chain. In 2025, JPMorganChase CISO Patrick Opet published an open letter about diminishing standards for SaaS providers, writing that the SaaS delivery model is “quietly enabling cyber attackers” and creating a “substantial vulnerability that is weakening the global economic system.”

Third-party API consumption can open an organization to sensitive data exposure. According to Gartner, 71% of organizations use APIs provided by third parties such as SaaS vendors, making third-party APIs another major risk vector.

“For third-party APIs, we already require vendor security reviews and contractual security assurances,” says Fortitude Re’s Franklin, noting that this is part of a broader SaaS security program that provides visibility into the SaaS systems employees use.

The onus, however, is also on the consuming organization to implement better token-handling processes to secure API connections to SaaS platforms. This is especially important, as developers are often reckless with API keys and secrets. In 2024, Escape discovered 18,000 API secrets and tokens floating around on the open web.

Some CISOs are actively addressing this. “Our team centralizes and encrypts all third-party credentials — API keys, tokens — within the API management layer,” says Subramaniam. “We never distribute raw credentials to our internal development teams.”
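The two practices above, time-bound, narrowly scoped access for agents and other internal callers, and a central layer that holds third-party credentials and never hands the raw key to development teams, fit together as a credential-broker pattern. The following Python sketch is an added example written for this page; it is not code from the article or from any organization quoted in it. The broker, upstream names (`crm`, `billing`), placeholder API keys and the HMAC signing key are all constructed for illustration: internal callers receive a signed grant scoped to one upstream, a set of HTTP methods and a short expiry, and the gateway injects the real third-party credential only when it builds the outbound request.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder third-party credentials. In a real deployment these live
# in the API management layer's secret store (KMS/HSM-backed) and never leave it.
UPSTREAM_CREDENTIALS = {
    "crm": {"base_url": "https://crm.example.invalid", "api_key": "PLACEHOLDER-crm-key"},
    "billing": {"base_url": "https://billing.example.invalid", "api_key": "PLACEHOLDER-billing-key"},
}

# Hypothetical broker signing key; constructed for the example, rotated and
# stored out-of-process in practice.
BROKER_SIGNING_KEY = b"constructed-broker-hmac-key"

AUDIT_LOG: list = []  # every decision is recorded so access by agents is reviewable


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(subject: str, upstream: str, methods, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a short-lived grant: one subject, one upstream, an explicit method list, a hard expiry.
    The grant carries no third-party secret; it is only a claim the gateway will verify."""
    if upstream not in UPSTREAM_CREDENTIALS:
        raise ValueError(f"unknown upstream: {upstream}")
    now = time.time() if now is None else now
    payload = {
        "sub": subject,
        "upstream": upstream,
        "methods": sorted(m.upper() for m in methods),
        "iat": int(now),
        "exp": int(now) + int(ttl_seconds),
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(BROKER_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_grant(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the grant payload if the signature is valid and it has not expired, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(BROKER_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    payload = json.loads(body)
    now = time.time() if now is None else now
    if now >= payload["exp"]:
        return None
    return payload


@dataclass
class OutboundRequest:
    """What the gateway sends to the third party. It stays inside the gateway."""
    url: str
    method: str
    headers: dict = field(default_factory=dict)


def forward(token: str, upstream: str, method: str, path: str, now: Optional[float] = None):
    """Gateway entry point. Returns (caller_result, outbound). caller_result is all the
    internal caller ever sees; outbound is the gateway-internal request with the real
    credential injected, returned here only so the flow can be inspected and tested."""
    method = method.upper()
    grant = verify_grant(token, now)
    if grant is None:
        AUDIT_LOG.append({"upstream": upstream, "method": method, "path": path, "ok": False, "reason": "bad grant"})
        return {"ok": False, "reason": "invalid or expired grant"}, None
    if grant["upstream"] != upstream or method not in grant["methods"]:
        AUDIT_LOG.append({"sub": grant["sub"], "upstream": upstream, "method": method, "path": path,
                          "ok": False, "reason": "out of scope"})
        return {"ok": False, "reason": "grant does not cover this upstream or method"}, None
    cred = UPSTREAM_CREDENTIALS[upstream]
    outbound = OutboundRequest(url=cred["base_url"] + path, method=method,
                               headers={"Authorization": "Bearer " + cred["api_key"]})
    AUDIT_LOG.append({"sub": grant["sub"], "upstream": upstream, "method": method, "path": path, "ok": True})
    return {"ok": True, "reason": "forwarded"}, outbound


if __name__ == "__main__":
    t0 = 1_000.0
    grant = issue_grant("agent:invoice-reconciler", "billing", ["GET"], ttl_seconds=300, now=t0)
    print(forward(grant, "billing", "GET", "/invoices?status=open", now=t0 + 60)[0])   # forwarded
    print(forward(grant, "billing", "DELETE", "/invoices/1", now=t0 + 60)[0])          # out of scope
    print(forward(grant, "billing", "GET", "/invoices", now=t0 + 600)[0])              # expired
```

The point of the shape is that a leaked grant is worth little: it names one upstream and method set, dies within minutes, and is useless without the gateway, which is the only component holding the third-party key. Scope checks and expiry are enforced at the gateway rather than trusted from the caller, and every decision lands in the audit log so automated agent traffic can be reviewed after the fact.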

Maintaining safe integrations requires ongoing discipline, too. “We apply the same rigor to third-party APIs: Credentials…
