The Challenge

Applications feature two types of APIs with different security requirements. The accuracy of a comprehensive defense relies on context provided by the running code.

Remote APIs

Remote APIs expose a service, making it possible for applications to interact with other systems such as a browser or mobile device.

Risks Faced:

  • Authentication
  • Authorization
  • Insecure Direct Object Reference
  • Cross-site Scripting (XSS)
  • API Abuse

Code APIs

Code APIs give life to remote APIs, enabling the application to gather data and respond to incoming requests.

Risks Faced:

  • Injection Attacks
  • Authorization (can someone or something act on what was requested?)
  • Deserialization
  • Sensitive Data and Logging
  • Components With Known Vulnerabilities

“Adopt a continuous approach to API security across the API development and delivery cycle, designing security into APIs. Include API security testing and the creation and application of reusable API security policies.”

Gartner®, “API Security: What You Need to Do to Protect Your APIs”, Mark O'Neill, et al, Refreshed 1 March 2021, Published 28 August 2019.

“API security challenges have emerged as a top concern for most software engineering leaders, as unmanaged and unsecured APIs create vulnerabilities that could accelerate multimillion dollar security incidents”

Gartner®, “Predicts 2022: APIs Demand Improved Security and Management”, Shameen Pillai, et al, Published 6 December 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Discover why the Contrast Secure Code Platform is built for DevSecOps

The Contrast Solution

Contrast defends code APIs that power all applications.

Monitoring the security of code APIs

Understand custom code, library code, and third-party code

Extend defense in depth into the application itself by using code-level context to reduce false alerts. By monitoring code APIs, Contrast can locate custom vulnerabilities in applications during normal usage or functional testing, without a dedicated security test.

Leverage automation to understand the impact of code security on APIs. A single agent enables teams to identify vulnerable libraries for known CVEs, ensuring that even “safe” code is not put together in an unsafe way.

Stopping zero-day attacks

Defend against open vulnerabilities

Contrast provides protection against exploits targeting application code. Contrast’s runtime context and software composition analysis (SCA) capabilities keep blocking highly accurate by differentiating between a truly exploitable attack and a “probe.”

In the event of zero-day attacks, Contrast can block attacks against APIs without patching or updating.

Learn how Contrast customers were protected against Log4j attacks

Learn how Contrast defends APIs.

Learn more about how to test and protect your APIs.