by gz5 1214 days ago
APIs are usually public (exposed to the Internet). This is why issues in authentication, authorization, and configuration are commonly exploited.

That might be ok if you are Stripe and you have tens of millions of dollars of people and infrastructure to mitigate the risk of that Internet exposure. But what if you are not Stripe?

For example, you are a small team inside a financial services company and you need to expose your data (via APIs) to other teams (or to B2B partners), and your enviros are in different private or public DCs.

Historically, teams in those situations used private networks or semi-private networks - VPN, MPLS (ExpressRoute, DirectConnect), private mobile APN, whitelisted IPs, etc. But that's slow, costly and expensive with massive numbers of distributed API clients.

One answer to the above dilemma seems to be reactive API solutions. Constant scanning and reaction to problems. Great visibility. Quarantining. Etc. And of course doing your best to avoid auth issues, misconfigs etc. Is this generally the path which works for teams in that situation?