White paper 18 pp · April 10, 2026

API Security in the Age of CTEM

A technical whitepaper on securing APIs through continuous exposure management — covering OWASP API Top 10 2023, gateway limitations, GraphQL risks, and schema drift.

The Numbers That Should Worry You

APIs now carry 71% of web traffic (Akamai 2024). They are the primary attack surface for modern applications — and the least tested. Worse: 95% of API attacks come from authenticated sources. Your perimeter defenses are irrelevant when the attacker has a valid token.

The average organization discovers 40% more API endpoints during a proper inventory than their documentation reflects. Those undocumented endpoints — shadow APIs, deprecated versions still live in production, internal services accidentally exposed — are where breaches start.

The OWASP API Security Top 10 (2023): What Actually Gets Exploited

The OWASP API Security Top 10 2023 defines the risk landscape. Most scanners cover maybe three of these well.

API1:2023 — Broken Object Level Authorization (BOLA). The single most exploited API vulnerability. Attackers manipulate object IDs to access other users’ data. Detection requires context-aware testing because the response to an unauthorized object lookup looks identical to the response to a legitimate one.

API2:2023 — Broken Authentication. Weak token validation, missing rate limits on credential endpoints, flawed JWT implementations. Testing must cover token expiration, refresh rotation, and OAuth/OIDC misconfigurations.

API3:2023 — Broken Object Property Level Authorization. APIs returning full database objects instead of filtered views. Compare response schemas against declared OpenAPI specs to detect over-exposure.

API4:2023 — Unrestricted Resource Consumption. Missing rate limiting, unbounded pagination, expensive query execution. GraphQL is especially vulnerable due to nested query complexity.

API5:2023 — Broken Function Level Authorization. Privilege escalation through admin endpoints exposed without role checks.

API6:2023 — Unrestricted Access to Sensitive Business Flows. Credential stuffing, inventory hoarding, scraping — business logic abuse that signature-based scanners cannot detect.

API7:2023 — Server-Side Request Forgery (SSRF). APIs fetching remote resources tricked into hitting internal services. Cloud metadata endpoints (169.254.169.254) remain a common target.

API8:2023 — Security Misconfiguration. Permissive CORS, verbose errors, missing TLS, default credentials.

API9:2023 — Improper Inventory Management. Shadow APIs, deprecated endpoints still accessible, undocumented versions in production.

API10:2023 — Unsafe Consumption of APIs. Trusting third-party API responses without validation — supply chain attacks through API dependencies.

API Gateways: Necessary, Not Sufficient

API gateways (Kong, Apigee, AWS API Gateway) handle authentication, rate limiting, request validation, and TLS termination. They cannot detect:

  • Authorization logic flaws inside your application code (BOLA, BFLA)
  • Business logic abuse using valid credentials and well-formed requests
  • Schema drift where actual API behavior diverges from gateway-configured policies
  • Internal API vulnerabilities between microservices that bypass the gateway entirely

Gateways protect the front door. The 95% of attacks from authenticated sources walk right through it.

GraphQL: A Scanner Blind Spot

GraphQL introduces risks that REST-focused scanners miss entirely:

  • Query depth attacks — nested queries exhausting server resources. Without depth limiting and cost analysis, a single query causes denial of service.
  • Introspection exposure — production endpoints exposing their full schema give attackers a complete data model map.
  • Batching bypass — multiple operations in one request circumvent rate limiting applied at the HTTP level.
  • Field-level authorization gaps — access control enforced at query level but not at resolver level leaks data through crafted queries.
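The depth-limit and batching controls above, as an added example that is not part of the white paper: a small pre-resolver gate that scores each operation's selection depth and caps the number of operations per HTTP request. The sample requests are constructed; the brace-counting depth check is a deliberate lightweight stand-in for a full GraphQL parser.

```python
import json

# Constructed sample requests (not from the white paper): a benign query,
# a deeply nested one, and a batch of 25 operations in a single POST body.
BENIGN = '{ user(id: 1) { name email } }'
NESTED = '{ user(id: 1) { friends { friends { friends { friends { name } } } } } }'
SINGLE = json.dumps({"query": BENIGN})
BATCHED = json.dumps([{"query": BENIGN}] * 25)

def selection_depth(query: str) -> int:
    """Maximum nesting of selection sets, counted on braces outside string
    literals. A lightweight pre-check, not a full GraphQL parser."""
    depth = max_depth = 0
    in_string = False
    prev = ""
    for ch in query:
        if in_string:
            in_string = not (ch == '"' and prev != "\\")
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        prev = ch
    return max_depth

def operations(body: str) -> list:
    """Unpack a request body into its operations: a bare query string, one
    {"query": ...} object, or a JSON list of such objects (a batch)."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return [body]
    ops = parsed if isinstance(parsed, list) else [parsed]
    return [op["query"] for op in ops]

def admit(body: str, max_depth: int = 4, max_ops: int = 10) -> tuple:
    """Gate a request before it reaches resolvers: depth limit per operation,
    operation budget per HTTP request so a batch cannot sidestep rate limiting."""
    ops = operations(body)
    if len(ops) > max_ops:
        return False, f"batch of {len(ops)} operations exceeds budget of {max_ops}"
    for op in ops:
        depth = selection_depth(op)
        if depth > max_depth:
            return False, f"selection depth {depth} exceeds limit of {max_depth}"
    return True, "ok"
```

In production the depth score would come from the parsed AST and be combined with a per-field cost weight; the operation budget is what closes the batching gap that HTTP-level rate limits miss.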

CTEM Applied to API Security

Map CTEM’s five phases specifically to APIs:

Scope: Inventory every API — public, partner, internal, third-party. Use traffic analysis and code scanning to find undocumented endpoints.

Discover: Parse OpenAPI/Swagger specs, analyze gateway configs, monitor traffic. Detect schema drift by comparing documentation against runtime behavior.

Prioritize: A BOLA vulnerability on a public payment API ranks higher than a missing rate limit on an internal monitoring endpoint. Asset criticality and data sensitivity drive ranking.

Validate: Authenticated scanning with multiple user roles to verify authorization controls. Breach and attack simulation (BAS) sequences test privilege escalation, data exfiltration, and injection against production defenses.

Mobilize: Route findings to the team that owns the service, with framework-specific remediation (Express, FastAPI, Spring Boot). Block deployments introducing new API vulnerabilities via CI/CD gates.
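The Discover phase's schema-drift check, and the spec-versus-response comparison that API3 calls for, as one added example that is not the white paper's or any vendor's tooling: observed traffic is matched against a declared OpenAPI document to surface endpoints the spec does not know about and response properties it does not declare. The spec fragment, paths and log entries are constructed fixtures for a hypothetical service.

```python
import re

# Constructed fixtures for this example (hypothetical service, not from the
# white paper): a trimmed OpenAPI document and a few sampled gateway log entries.
SPEC = {"paths": {
    "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json": {
        "schema": {"properties": {"id": {}, "name": {}}}}}}}}},
    "/orders": {"get": {"responses": {"200": {"content": {"application/json": {
        "schema": {"properties": {"items": {}}}}}}}}},
}}
TRAFFIC = [
    {"method": "get", "path": "/users/42", "status": 200,
     "body": {"id": 42, "name": "Ada", "password_hash": "<redacted>", "ssn": "<redacted>"}},
    {"method": "get", "path": "/orders", "status": 200, "body": {"items": []}},
    {"method": "get", "path": "/v1/users/42/export", "status": 200, "body": {"csv": "..."}},
]

def match_template(spec, path):
    """Map a concrete request path onto the OpenAPI path template it matches."""
    for template in spec["paths"]:
        pattern = "^" + re.sub(r"\{[^/}]+\}", "[^/]+", template) + "$"
        if re.match(pattern, path):
            return template
    return None

def declared_properties(spec, template, method, status):
    """Property names the spec declares for this response; None if the spec
    declares no JSON schema for it (nothing to compare against)."""
    try:
        op = spec["paths"][template][method]
        schema = op["responses"][str(status)]["content"]["application/json"]["schema"]
    except KeyError:
        return None
    return set(schema.get("properties", {}))

def find_drift(spec, traffic):
    """Flag endpoints the spec does not know (API9 inventory gaps) and response
    properties it does not declare (API3 over-exposure)."""
    findings = []
    for entry in traffic:
        template = match_template(spec, entry["path"])
        if template is None:
            findings.append(("undeclared_endpoint", entry["method"].upper(), entry["path"]))
            continue
        declared = declared_properties(spec, template, entry["method"], entry["status"])
        if declared is None:
            continue
        for prop in sorted(set(entry["body"]) - declared):
            findings.append(("undeclared_property", template, prop))
    return findings
```

Run this over a traffic sample on every deploy and the output doubles as a CI/CD gate for the Mobilize phase: a new undeclared endpoint or property is a finding routed to the owning team before it ships.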

VirtueThreatX’s API security scanning is schema-aware, authentication-aware, and event-driven — testing APIs the way attackers actually exploit them. See the platform overview or schedule a 30-minute walkthrough.

Ready to implement?

Our team can help you scope a CTEM program against your environment — usually in one call.