Application Programming Interface (API) Security in Cloud Applications




Cloud API, Cybersecurity, Zero Trust, Cloud Security, API Security, Cloud/API Security


Many cloud services are exposed through an API gateway, which lets them be offered to users via API platforms such as Platform as a Service (PaaS), Software as a Service (SaaS), Infrastructure as a Service (IaaS) and cross-platform APIs. APIs are designed for functionality and speed: developers write only a small portion of the code themselves, and that portion is visible and can be secured. Code pulled in from third-party software or libraries has no such visibility, which makes it insecure. APIs are the most vulnerable points of attack, and many users are not aware of their insecurity. This paper reviews API security in cloud applications, discusses API vulnerabilities in detail, and surveys the existing security tools that mitigate API attacks. The author's study showed that most users are unaware of API insecurity, that organizations lack the resources and training to educate users about APIs, and that organizations depend on the overall security of the network instead of securing standalone APIs.


How to Cite

F. Qazi, “Application Programming Interface (API) Security in Cloud Applications”, EAI Endorsed Trans Cloud Sys, vol. 7, no. 23, p. e1, Oct. 2023.