Other | Jul 28, 2025 | 4 min read
On June 26, 2025, we hosted a webinar with API security expert Colin Domoney and Treblle’s Vedran Cindrić to unpack what really breaks API security. Here are the key takeaways, including real breach examples, common myths, and a practical security checklist.
On June 26, 2025, we hosted the ‘What Really Breaks API Security’ webinar with API security expert Colin Domoney and Treblle’s Vedran Cindrić, moderated by Harsha Chelle.
Together, they explored real-world API breaches, uncovered common mistakes, and shared developer-friendly strategies to harden APIs against modern threats.
In this summary article, you will learn:
How and why API security failures happen
Common myths that cloud security focus, debunked
A practical checklist to harden your APIs
Emerging threats from AI and new protocols
Recommendations to continuously protect against evolving risks
Want the full deep dive? Download the ebook Colin Domoney wrote after the webinar to explore everything that breaks in API security—and how to fix it.
Colin walked us through critical misconfigurations he has encountered in his career, such as deficient rate limiting, exposed debug endpoints, and missing authentication enforcement.
He described one breach in which a forgotten endpoint, left unauthenticated, exposed sensitive data to the public internet:
“It was a simple misconfiguration, but it led to a complete data leak, no patch, no expiry, just open to the world.”
The takeaway: even the most basic lapse can have catastrophic consequences. Audit every endpoint, including the ones nobody remembers deploying. Security is not only about tools; it is about configuration discipline.
“Most teams believe their APIs are secure, until something breaks.” - Vedran.
Vedran emphasized that relying on authentication alone creates a false sense of security: knowing who the caller is says nothing about what they may do or whether what they sent is well-formed. Authentication is one layer; real protection also needs:
Authorization: Enforce least-privilege roles in your RBAC policies.
Input validation: Use JSON Schema or OpenAPI validators to reject malformed payloads.
Runtime observability: Monitor anomalies, not just auth failures.
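As an added example, not code from the webinar or from Treblle, the toy in-process Python API below makes the forgotten-endpoint audit and the authentication-versus-authorization point concrete. Every route is registered with an explicit authentication flag so a test can list the ones that skip it; the order lookup is shown once with authentication only (any logged-in user can read any order) and once with object-level authorization and request-body validation added. The users, orders, token strings, route paths and the hand-rolled mini schema checker are all constructed for the example; a real service would use its framework's router and a JSON Schema or OpenAPI validator library.

```python
"""Added example (not the webinar's or Treblle's code): a toy in-process API
showing an audit of routes registered without authentication, object-level
authorization on top of authentication, and schema validation of the request
body. Users, orders, tokens, paths and the mini schema checker are constructed
for the example; real code would use a framework router and a schema library."""
from collections import namedtuple
from typing import Any, Optional

# constructed data: bearer token -> principal, and a table with per-user rows
USERS = {"tok-alice": {"id": "u1", "role": "user"},
         "tok-bob": {"id": "u2", "role": "user"},
         "tok-ops": {"id": "u9", "role": "admin"}}
ORDERS = {"o100": {"owner": "u1", "total": 42.0},
          "o200": {"owner": "u2", "total": 7.5}}

class ApiError(Exception):
    def __init__(self, status: int, msg: str):
        super().__init__(msg)
        self.status = status

Route = namedtuple("Route", "method path handler auth_required schema")
ROUTES: list = []

def route(method: str, path: str, *, auth_required: bool = True, schema: Optional[dict] = None):
    """Register a handler. Auth is on by default; opting out has to be explicit."""
    def deco(fn):
        ROUTES.append(Route(method, path, fn, auth_required, schema))
        return fn
    return deco

def audit_unauthenticated_routes() -> list:
    """Configuration-discipline check: every route that skips authentication."""
    return [f"{r.method} {r.path}" for r in ROUTES if not r.auth_required]

def validate(schema: dict, value: Any, path: str = "$") -> list:
    """Minimal JSON-Schema-style check (type, required, properties,
    additionalProperties, maxLength). Returns a list of error strings."""
    py = {"object": dict, "string": str, "integer": int, "number": (int, float)}
    t = schema.get("type")
    if t and (not isinstance(value, py[t]) or isinstance(value, bool)):
        return [f"{path}: expected {t}"]
    errors = []
    if t == "object":
        errors += [f"{path}.{k}: required" for k in schema.get("required", []) if k not in value]
        props = schema.get("properties", {})
        for k, v in value.items():
            if k in props:
                errors += validate(props[k], v, f"{path}.{k}")
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{k}: unexpected field")
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        errors.append(f"{path}: longer than {schema['maxLength']}")
    return errors

ORDER_LOOKUP = {"type": "object", "additionalProperties": False, "required": ["order_id"],
                "properties": {"order_id": {"type": "string", "maxLength": 16}}}

def _find(order_id: str) -> dict:
    order = ORDERS.get(order_id)
    if order is None:
        raise ApiError(404, "no such order")
    return order

@route("GET", "/debug/orders", auth_required=False)  # the "forgotten" endpoint
def debug_dump(principal, body):
    return ORDERS

@route("POST", "/v1/orders/lookup", schema=ORDER_LOOKUP)
def lookup_v1(principal, body):
    # BEFORE: authenticated, but any logged-in user can read any order.
    return _find(body["order_id"])

@route("POST", "/v2/orders/lookup", schema=ORDER_LOOKUP)
def lookup_v2(principal, body):
    # AFTER: object-level authorization; the "user" role sees only its own rows.
    order = _find(body["order_id"])
    if principal["role"] != "admin" and order["owner"] != principal["id"]:
        raise ApiError(403, "forbidden")
    return order

def handle(method: str, path: str, token: Optional[str] = None, body: Any = None):
    """Dispatch one request: auth -> schema validation -> handler. Returns (status, payload)."""
    try:
        r = next((r for r in ROUTES if (r.method, r.path) == (method, path)), None)
        if r is None:
            raise ApiError(404, "no such route")
        principal = USERS.get(token) if r.auth_required else None
        if r.auth_required and principal is None:
            raise ApiError(401, "unauthenticated")
        if r.schema is not None and (errors := validate(r.schema, body)):
            raise ApiError(400, "; ".join(errors))
        return 200, r.handler(principal, body)
    except ApiError as e:
        return e.status, {"error": str(e)}
```

Running `audit_unauthenticated_routes()` as a CI test is the cheap version of the audit Colin describes: it fails the build the moment a `/debug/orders`-style route is registered without auth. Note that `/v1/orders/lookup` hands Bob's order to Alice with a 200 even though she authenticated correctly; only `/v2` returns 403, and only `/v2` and `/v1` reject a numeric `order_id` or an unexpected field before the handler runs.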
Next, Harsha, Vedran, and Colin discussed the importance of having security checks in the CI/CD pipeline to catch issues before they become breaches.
Here’s a summarized checklist:
[table]
By codifying these checks in your build and using tools like ESLint, GitHub Actions, or Jenkins pipelines, you shift security “left” and catch issues before they are merged.
New to securing REST APIs? Start with this guide to securing your first REST API for a hands-on walkthrough.
“With AI agents and protocols like MCP, the API attack surface has grown again.” - Colin Domoney
Colin highlighted two fast-evolving fronts:
AI-driven scraping: Bots can now automatically probe thousands of endpoints.
Model Context Protocol (MCP): a protocol through which AI agents discover and call tools and resources; an unguarded MCP server can expose internal business logic to whatever agent queries it for context.
Colin explained that mitigating these threats takes vigilance beyond static defenses, and recommended:
Behavioral baselining: Utilize anomaly-detection libraries to identify and flag non-human traffic patterns.
Scoped tokens: Issue short-lived, context-limited API keys for AI agents.
Entropy-based throttling: Rate-limit per token fingerprint, not just IP.
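The three mitigations above, as an added example in plain Python that is not code from the webinar or from Treblle: a short-lived, scope-limited token issued to an agent, a sliding-window rate limiter keyed on a fingerprint of that token rather than on the client IP (so an agent rotating addresses still shares one bucket), and a crude behavioural baseline that flags machine-regular request timing. The signing key, scopes, subject name and timestamps are constructed for the example; production code should use a vetted JWT library instead of the hand-rolled token and a real anomaly-detection model instead of the timing heuristic.

```python
"""Added example (not the webinar's or Treblle's code) of three mitigations in
plain Python: short-lived scoped tokens for an AI agent, a rate limiter keyed
on a token fingerprint rather than the client IP, and a simple behavioural
baseline that flags machine-regular request timing. The signing key, scopes
and timestamps are constructed; use a vetted JWT library in production."""
import base64
import hashlib
import hmac
import json
import statistics
from collections import defaultdict, deque

SECRET = b"example-signing-key-rotate-me"  # constructed; real keys live in a KMS

def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def issue_token(subject: str, scopes: list, ttl_s: int, now: float) -> str:
    """HMAC-signed token carrying subject, allowed scopes and an expiry."""
    claims = {"sub": subject, "scp": sorted(scopes), "exp": int(now) + ttl_s}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return (body + b"." + _b64(hmac.new(SECRET, body, hashlib.sha256).digest())).decode()

def verify_token(token: str, required_scope: str, now: float):
    """Claims if the signature is valid, the token is unexpired and carries the
    required scope; otherwise None. The signature is checked before any claim is parsed."""
    try:
        body, sig = token.encode().split(b".")
        expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims["exp"] <= now or required_scope not in claims["scp"]:
        return None
    return claims

def token_fingerprint(token: str) -> str:
    """Stable, non-reversible key for per-token limits and logs (never log the token itself)."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_s` seconds for each key."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def looks_automated(timestamps: list, min_requests: int = 8, max_cv: float = 0.1) -> bool:
    """Crude behavioural baseline: inter-request gaps whose coefficient of variation
    (stdev / mean) is below max_cv are machine-regular. A person clicking through an
    app produces jittery gaps; a scraping loop produces near-constant ones."""
    if len(timestamps) < min_requests:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return True  # bursts faster than the clock resolution
    return statistics.pstdev(gaps) / mean < max_cv

class Gate:
    """Per-request decision: 'unauthorized', 'rate_limited', 'flagged' or 'ok'.
    'flagged' requests are still served but marked for review."""
    def __init__(self, limit: int, window_s: float):
        self.limiter = SlidingWindowLimiter(limit, window_s)
        self.history = defaultdict(list)

    def check(self, token: str, scope: str, now: float) -> str:
        if verify_token(token, scope, now) is None:
            return "unauthorized"
        fp = token_fingerprint(token)
        if not self.limiter.allow(fp, now):
            return "rate_limited"
        self.history[fp].append(now)
        return "flagged" if looks_automated(self.history[fp]) else "ok"
```

The order of checks matters: an expired, mis-scoped or tampered token is rejected before it can consume rate-limit budget, and only requests that were actually served feed the behavioural history. The timing heuristic is deliberately simple and will produce false positives for legitimate schedulers; treat `flagged` as a signal to correlate with other telemetry, not as a block.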
“Security demands more than checklists and hope.” - Colin Domoney
Colin highlighted that security must be continuous, not periodic. Weekly config scans, canary rollout pipelines, real-time dashboards, and blameless incident reviews are all part of the modern DevSecOps cycle.
Not sure what tools to start with? Explore our top picks for API security tooling in 2025.
Just before closing the webinar, Colin shared a simple five-step playbook that anyone can implement to secure their APIs against both conventional and modern attackers:
Map your APIs
Embrace Shift-left
Leverage your gateways
Test, test, and test
Use standard patterns and frameworks
API security is not a checkbox; it’s a developer-embedded discipline that must adapt as infrastructure and threats evolve. As Colin Domoney emphasized:
“In 2025, API security demands more than checklists and hope.”
This encapsulates the core message of the webinar: surface-level measures often fail, and true security requires embedding guardrails at every layer, from CI/CD to runtime.
Audit environments regularly for authentication and misconfiguration issues; automate schema validation, throttling, and configuration scans in your pipelines; and keep improving through continuous feedback loops, canary releases, and security retrospectives. That is how API security moves from reactive firefighting to proactive resilience.