White Paper

API Security Beyond Gateways & Web Application Firewalls


Length: 8 pages

The paper argues that API gateways and web application firewalls provide only partial protection because they lack three things: complete API discovery, continuous testing of APIs against their specifications, and defenses against modern automated abuse. As APIs proliferate, including shadow APIs (endpoints nobody documented) and third-party APIs, enterprises cannot protect what they do not know exists, and attacks such as account takeover (ATO), broken object level authorization (BOLA), scraping, and denial of service (DoS) are routine. The paper proposes a dedicated lifecycle approach it calls Discover, Comply, Protect: crawl an organization's domains to inventory its APIs, including inactive ones; test each API against its specification, or auto-generate an OpenAPI specification where none exists; assess risk using OWASP-aligned criteria; then mitigate bot-driven and fraud-driven abuse with behavior-based detection, real-time enforcement actions, and granular fraud policies.
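As an illustration of the Discover and Comply steps described above, here is a small Python example added for this page; it is not code from the white paper or its vendor. It reconciles a constructed OpenAPI-style path table against constructed access-log lines to list shadow endpoints (traffic that matches no documented path), inactive endpoints (documented operations with no traffic), and BOLA candidates (operations whose path carries an object identifier but that declare no security requirement). The spec, the log lines and the `METHOD PATH STATUS` log format are all assumptions made for the example.

```python
"""Reconcile observed API traffic against an OpenAPI-style spec.

Added example, not taken from the white paper. Inputs below are constructed:
a tiny OpenAPI-like document and a handful of access-log lines in the
assumed format "METHOD PATH STATUS".
"""
import re
from collections import defaultdict

# Constructed OpenAPI-like document (assumption for the example).
SPEC = {
    "paths": {
        "/v1/users/{userId}": {
            "get": {"security": [{"bearerAuth": []}]},
            "delete": {},                          # no security: BOLA candidate
        },
        "/v1/orders/{orderId}/invoice": {
            "get": {},                             # no security: BOLA candidate
        },
        "/v1/health": {"get": {}},                 # no object id, public is fine
        "/v1/reports/{reportId}": {
            "get": {"security": [{"bearerAuth": []}]},
        },
    }
}

# Constructed access-log lines (assumed format "METHOD PATH STATUS").
LOG_LINES = [
    "GET /v1/users/42 200",
    "GET /v1/users/43 200",
    "DELETE /v1/users/42 204",
    "GET /v1/orders/1001/invoice 200",
    "GET /v1/health 200",
    "GET /v2/users/42/export 200",             # not in spec: shadow endpoint
    "POST /v1/users/42/reset-password 200",    # not in spec: shadow endpoint
]

_TEMPLATE = re.compile(r"\{[^/]+\}")


def path_to_regex(template: str) -> re.Pattern:
    """Turn '/v1/users/{userId}' into a regex that matches exactly one
    path segment per template parameter and nothing beyond the template."""
    parts, pos = [], 0
    for m in _TEMPLATE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(r"[^/]+")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def parse_log(lines):
    """Yield (METHOD, path) from 'METHOD PATH STATUS' lines; query strings dropped."""
    for line in lines:
        method, path, _status = line.split()
        yield method.upper(), path.split("?", 1)[0]


def reconcile(spec, log_lines):
    """Classify traffic as documented (hit counts), shadow, or inactive."""
    documented = {
        (method.upper(), template): path_to_regex(template)
        for template, ops in spec["paths"].items()
        for method in ops
    }
    hits = defaultdict(int)
    shadow = set()
    for method, path in parse_log(log_lines):
        for (m, template), rx in documented.items():
            if m == method and rx.match(path):
                hits[(method, template)] += 1
                break
        else:
            shadow.add((method, path))
    inactive = {key for key in documented if hits[key] == 0}
    return {"shadow": sorted(shadow), "inactive": sorted(inactive), "hits": dict(hits)}


def bola_candidates(spec):
    """Operations whose path carries an object id but that end up with no
    security requirement. Per OpenAPI, an operation inherits the document's
    top-level 'security' unless it overrides it; 'security: []' opts out."""
    default = spec.get("security") or []
    out = []
    for template, ops in spec["paths"].items():
        if not _TEMPLATE.search(template):
            continue
        for method, op in ops.items():
            if not op.get("security", default):
                out.append((method.upper(), template))
    return sorted(out)


if __name__ == "__main__":
    report = reconcile(SPEC, LOG_LINES)
    print("shadow:  ", report["shadow"])
    print("inactive:", report["inactive"])
    print("bola:    ", bola_candidates(SPEC))
```

The matcher deliberately anchors on the whole template, so `/v1/users/42/reset-password` is reported as shadow rather than being swallowed by `/v1/users/{userId}`; a discovery tool that only prefix-matches would miss exactly the undocumented sub-resources this paper is worried about. The BOLA check is only a triage heuristic: an operation with a security requirement can still fail to check that the caller owns the object, which needs an authenticated test as two different users.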
