The Security Strategist

Unmasking the Invisible Threat: Defend Your APIs Before Attackers Do



Podcast series: The Security Strategist

Guest: Chip Witt, Principal Security Analyst at Radware

Host: Richard Stiennon, Chief Analyst Researcher at IT-Harvest

When attackers target modern enterprises, they don’t break in; they log in. This insight came from the recent episode of The Security Strategist Podcast, where host Richard Stiennon, a cybersecurity analyst and Chief Analyst Researcher at IT-Harvest, speaks to Chip Witt, Principal Security Analyst at Radware.

The conversation spotlights a critical issue faced by most enterprises – defending APIs as if they are just infrastructure while attackers exploit them as part of the business logic. That gap represents the real risk.

What’s the Core Misunderstanding with APIs?

According to Witt, enterprise teams often view APIs as technical plumbing instead of business products. Security programmes focus on endpoints and authentication, believing that a locked front door means the house is safe.

However, the true risk lies deeper: in authorisation logic, identity sprawl, and how applications change over time. Modern development methods lead to constant API drift. New routes appear, fields change, and versions multiply. In many organisations, security leaders cannot confidently state which APIs are live in production. To many, that uncertainty seems theoretical; in reality, it is an operational risk.

Also Watch: How Do You Stop an Encrypted DDoS Attack? How to Overcome HTTPS Challenges

How are Enterprises Shifting Towards Intent-Aware Protection?

As enterprises speed up their use of serverless architectures, microservices, and AI-driven applications, API sprawl intensifies. With sprawl, the security model cannot remain unchanged while the application structure evolves.

According to Witt, the future of API security must be intent-aware. Protection should assess whether a sequence of calls makes sense within its context for the user, system, or resource initiating them. Simply confirming identity is not enough; security also needs to validate behaviour.

Zero trust principles have reshaped strategies for networks and identities. APIs now require similar scrutiny—not just at the perimeter, but within the workflow itself.

APIs are no longer just back-end connectors; they are now the visible surface of the enterprise. The most damaging attacks are not brute-force attempts but authenticated actions carried out with malicious intent.

Organisations that continuously track their APIs, enforce strict authorisation, and identify workflow misuse in real time can significantly reduce their risk of breaches. More importantly, they can align security with the business pace. In today’s digital economy, APIs are the product.
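To make the two checks discussed above concrete, here is an added example (not code from the episode or from Radware) of a small runtime detector that takes a constructed log of authenticated API requests and flags calls that pass authentication but fail ownership-based authorisation, and calls that break a hypothetical checkout workflow (a step invoked without the step that should precede it). The request records, the `/cart` and `/checkout` paths and the WORKFLOW table are all assumptions made for the illustration.

```python
# Constructed sample of authenticated API requests (not real traffic):
# (request_id, caller, method, path, owner of the resource addressed)
REQUESTS = [
    ("r1", "alice", "GET",  "/orders/100",       "alice"),
    ("r2", "alice", "GET",  "/orders/101",       "bob"),    # valid login, someone else's data
    ("r3", "bob",   "POST", "/cart/items",       "bob"),
    ("r4", "bob",   "POST", "/checkout/confirm", "bob"),    # skipped /checkout/pay
    ("r5", "carol", "POST", "/cart/items",       "carol"),
    ("r6", "carol", "POST", "/checkout/pay",     "carol"),
    ("r7", "carol", "POST", "/checkout/confirm", "carol"),
]

# Hypothetical workflow: each step may only follow one of the listed predecessors.
WORKFLOW = {
    "/checkout/pay":     {"/cart/items"},
    "/checkout/confirm": {"/checkout/pay"},
}
# Every path that participates in the workflow, as step or as predecessor.
STEP_PATHS = set(WORKFLOW) | set().union(*WORKFLOW.values())


def analyse(requests):
    """Return (request_id, kind, detail) findings for authorisation and workflow misuse."""
    findings = []
    last_step = {}  # caller -> last workflow path that caller invoked
    for rid, caller, method, path, owner in requests:
        # Identity was verified, but does the caller actually own the resource?
        if owner != caller:
            findings.append((rid, "authz", f"{caller} accessed a resource owned by {owner}"))
        # Does this call make sense given what the caller did just before?
        if path in WORKFLOW and last_step.get(caller) not in WORKFLOW[path]:
            needed = ", ".join(sorted(WORKFLOW[path]))
            findings.append((rid, "workflow", f"{caller} called {path} without first calling {needed}"))
        if path in STEP_PATHS:
            last_step[caller] = path
    return findings


if __name__ == "__main__":
    for rid, kind, detail in analyse(REQUESTS):
        print(f"{rid} [{kind}] {detail}")
```

Both findings come from requests whose credentials were perfectly valid, which is the point: a detector that only re-checks identity sees nothing wrong here.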

Takeaways
  1. APIs are your primary business attack surface, not back-end infrastructure.
  2. Most damaging API attacks use valid credentials and exploit weak authorisation.
  3. Visibility gaps and API drift quietly expand your exposure over time.
  4. Machine-to-machine identities often carry excessive, unmonitored privileges.
  5. Runtime, intent-aware detection is now essential to stopping business logic abuse.

Chapters
  1. 00:00 Introduction to API Security
  2. 02:04 Understanding API Misconceptions
  3. 04:49 Current API Threat Landscape
  4. 06:43 Business Logic Abuse in APIs
  5. 09:11 Challenges in API Security
  6. 12:03 Runtime Protection and Intent Detection
  7. 13:40 Key Takeaways for IT Decision Makers

For more information, please visit em360tech.com and radware.com

Follow: @EM360Tech on YouTube, LinkedIn and X

Radware YT: @radware

Radware LinkedIn: https://www.linkedin.com/company/radware/

Radware X: @radware

#APISecurity #BusinessLogicAbuse #AuthenticatedAttacks #RuntimeProtection #IntentAwareSecurity #Radware #Cybersecurity2026 #OWASP #BusinessLogic #ZeroTrust #TechPodcast #EnterpriseSecurity #IntentAwareProtection #TheSecurityStrategist #Cybersecurity

The Security Strategist, by EM360Tech