Application programming interfaces (APIs) are no longer a niche technical concern; they are fundamental building blocks of modern business. From streamlining business processes to enabling external partners to create seamless customer experiences, APIs have become an integral part of modern enterprises.

As Andrew Comstock, senior vice-president and general manager at MuleSoft, puts it, APIs are the “bedrock of an enterprise’s agent-ready foundation”, enabling integration and data exchange across increasingly diverse systems, including artificial intelligence (AI).

David Irecki, chief technology officer for Asia-Pacific and Japan at Boomi, concurs, noting the market is “mature and well-established”, with APIs being the “standard method for exchanging information both internally and externally”.

The widespread adoption of APIs has brought business benefits. According to the MuleSoft connectivity benchmark report, APAC organisations have cited increased productivity and faster response to business demands as the top benefits of APIs. Furthermore, Comstock notes that “APAC IT leaders also estimate an average of 38% of their company’s revenue is generated from APIs and API-related implementations”.

Enterprises typically deploy different types of APIs. According to Reuben Koh, director of security strategy at Akamai Technologies Asia-Pacific and Japan, the common ones include external and open APIs accessible publicly, partner APIs that are shared selectively with business partners, and internal APIs used within organisations to streamline internal workflows.

Across the APAC region, organisations in various industries are already leveraging the power of application programming interfaces. Koh points to financial firms using APIs for open banking, retailers integrating e-commerce with inventory management, and healthcare providers connecting health records with telemedicine apps. Comstock cites M1 in Singapore as an example of a telco using APIs to speed up time to market.

However, this proliferation isn’t without challenges. A 2023 Forrester report cited by Koh highlights that API adoption and agile integration are critical challenges, with integration historically a significant bottleneck in IT execution. Irecki also warns of API sprawl, where organisations struggle with hundreds or thousands of APIs deployed across different supplier technologies, leading to management complexities.

Laying the foundation

Organisations embarking on their API journey need to align their API strategy with their business objectives, advises Koh. This involves analysing existing IT, cloud and data strategies, identifying core business objectives and constraints, defining the target architecture, and establishing governance.

Comstock suggests starting by identifying key business capabilities, defining APIs that expose those capabilities as reusable services, and mapping current systems to find valuable assets to expose via APIs.

Ken Ng, director for solutions consulting at Workato Asia-Pacific and Japan, recommends identifying two to three high-impact use cases, such as customer data unification, that can drive significant value and conducting a “build versus buy” analysis to optimise costs and ensure scalability.

Just as important is stakeholder engagement, where “companies should engage with API stakeholders early to ensure that if they build an API in a certain way, it will actually be adopted”, says Irecki.

Koh notes that prioritising security from the outset is essential, adding that strong authentication mechanisms, robust security policies and proper protection of sensitive data are critical for building trust with API users. Defining an API’s purpose, data requirements, functionalities, infrastructure needs, security considerations and documentation standards are also vital first steps.

Avoiding the pitfalls

Many enterprises stumble on their API journey. A common pitfall is the lack of centralised API management, says Koh, leading to so-called “shadow APIs” which introduce security vulnerabilities.

Comstock notes that many companies fail to treat APIs as products, resulting in inconsistency, sprawl and low adoption. Siloed development and a lack of governance can also result in technical debt and less reuse, and hinder scalability.

Ng warns against treating APIs merely as technical tools, and not business drivers, which often leads to poor adoption and a lack of executive buy-in. Organisations also tend to underestimate the importance of consistent long-term maintenance and over-architect an API-led strategy, as APIs aren’t a panacea for all integration needs.

Indeed, Irecki notes that organisations should not try to API-enable everything, particularly legacy systems which are difficult to interface with. He also flags data governance concerns: “Companies need to consider if the data collected is being shared over APIs – whether this data is high-quality and whether it should be shared.”

Koh highlights another danger, which is underestimating the impact of compromised APIs, especially those handling sensitive data that require additional safeguards and monitoring, similar to a critical application.

API design and architecture

Effective API design is key for maintainability and usability. Both Koh and Comstock advocate for RESTful principles like statelessness and resource-based modelling. “Ensuring consistent and intuitive endpoint naming conventions improves developer experience,” Koh adds, while Comstock urges organisations to design APIs with “simplicity, consistency and discoverability”.

Ng recommends adopting a semantic design that accounts for resource-oriented endpoints “with proper HTTP verbs”. He also underscores the importance of a versioning strategy, favouring header versioning over URL versioning for smoother transitions between API versions without breaking existing client integrations.

Building scalable and resilient platforms requires specific architectural patterns. Koh advocates for a distributed, fault-tolerant and security-first approach, citing patterns like geo-distributed deployments and fault isolation with circuit breakers. Intelligent load balancing will also ensure real-time traffic steering, while observability with AI-driven monitoring helps detect and mitigate failures early.

Another architectural pattern to consider would be implementing an asynchronous API mesh, which is valuable for event-driven architectures, Ng says. This allows for better handling of asynchronous communication and decouples services for improved scalability and fault tolerance. Its ability to support dynamic scaling and improved resilience against failures will ensure that APIs can manage high traffic volumes and unpredictable workloads more effectively.

Cell-based architecture is another key architectural pattern, which offers resilience by isolating failures within autonomous API cells. This architecture ensures that if one part of the system is disrupted, it does not impact the entire platform, allowing for better fault isolation and system robustness.

Embedding security throughout the API lifecycle

Given that APIs are increasingly targeted by attackers – Akamai’s 2024 State of the internet report found that 29% of web attacks now target APIs – security cannot be an afterthought.

“Securing APIs throughout their lifecycle – from design to deployment – is crucial,” says Koh. This involves integrating security by design, enforcing secure coding practices, input validation, authentication and encryption during development, subjecting APIs to rigorous testing prior to production, and performing real-time monitoring for attacks, abuse and vulnerabilities once operational.

Ng advocates for a proactive, multi-layered approach. In the design phase, conducting threat modelling and reviewing security risks helps to identify vulnerabilities early and establish a strong security foundation. This ensures that security is embedded into the API architecture right from the start.

During the development phase, integrating static application security testing (SAST) and dynamic application security testing (DAST) into continuous integration/continuous deployment (CI/CD) pipelines also helps to detect security flaws before deployment. This carries the security hygiene established at the design stage into development, and consistent security assessment helps to minimise risks and strengthen the overall security posture.

At the deployment stage, companies can consider leveraging AI-powered anomaly detection to enhance real-time threat prevention and effectively block attacks. This proactive monitoring helps identify and mitigate emerging security threats before they can be exploited and builds on the preventative measures established in earlier phases.

Even in the deprecation phase, Ng says, implementing automated sunset policies with clear client migration paths ensures a secure and seamless transition when APIs are retired or replaced. Embedding security measures at every stage of the API lifecycle ultimately ensures companies can build robust, resilient and trustworthy API platforms.

Overlooked vulnerabilities and emerging threats

Despite best efforts, critical vulnerabilities in API implementations are often missed. Koh points to broken object-level authorisation, where APIs expose endpoints that allow unauthorised access to sensitive data, as well as insufficient logging and monitoring. Comstock flags injection attacks and poor management of keys and secrets.
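To make the broken object-level authorisation (BOLA) and logging points concrete, here is an added example that is not from the article or any vendor quoted in it: a REST-style order lookup shown first in its vulnerable form and then hardened. The `Order` records, user names and `ORDERS` table are constructed for illustration.

```python
# Added example: BOLA in a REST handler, vulnerable then fixed (constructed data).
import logging
from dataclasses import dataclass

log = logging.getLogger("api.authz")

@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str        # subject (user id) that owns the order
    amount_cents: int

# Constructed sample rows standing in for the orders table.
ORDERS = {1001: Order(1001, "alice", 4999), 1002: Order(1002, "bob", 12000)}

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """Vulnerable: trusts the client-supplied id and never checks ownership,
    so any authenticated user can read any order just by guessing ids."""
    return ORDERS[order_id]

def get_order(caller: str, order_id: int) -> Order:
    """Hardened: look the object up, then compare its owner with the subject
    from the verified token/session (never from the request body), and log
    every denial so monitoring can pick up enumeration attempts."""
    order = ORDERS.get(order_id)
    # Same error for "missing" and "not yours", so valid ids cannot be
    # enumerated by telling 404 apart from 403.
    if order is None or order.owner != caller:
        log.warning("BOLA denied: subject=%s order_id=%s", caller, order_id)
        raise Forbidden(f"order {order_id} not accessible")
    return order

def demo() -> tuple[bool, bool]:
    """(vulnerable handler leaks bob's order to alice, hardened one blocks it)."""
    leaked = get_order_vulnerable("alice", 1002).owner == "bob"
    try:
        get_order("alice", 1002)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked

if __name__ == "__main__":
    print(demo())  # (True, True)
```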

Meanwhile, the threat landscape is evolving. Koh warns of sophisticated business logic attacks that exploit legitimate API functionalities for malicious purposes like fraud or unauthorised data scraping. Attackers are increasingly targeting APIs to perform actions within the intended business logic, but in a manner that benefits the attacker, such as manipulating transaction amounts or bypassing security checks.

Another key concern is AI-powered attacks, where malicious actors use AI to generate synthetic traffic that mimics legitimate user behaviour. Ng says these attacks can bypass traditional security measures, making it difficult to distinguish between genuine and fraudulent API requests.

To prepare for this, companies can implement behavioural biometric authentication, which analyses user behaviour patterns, such as keystroke dynamics and mouse movements, to detect anomalies and prevent unauthorised access.

GraphQL injection, particularly targeting GraphQL APIs, is another rising threat where attackers manipulate queries to access unauthorised data. These attacks have surged recently, and there is a growing need for robust input validation and query complexity analysis. Implementing API-specific web application and API protection (WAAP) capabilities can help mitigate these risks by detecting and blocking malicious queries before they reach back-end systems, says Ng.

With advancements in quantum computing, traditional encryption methods may become vulnerable to brute-force attacks as well. To stay ahead of this threat, Ng calls for companies to explore pilots of quantum-resistant cryptography: encryption algorithms designed to withstand quantum-based decryption techniques.

Finally, Ng notes that regularly auditing API endpoints, including shadow and deprecated APIs, and using API security tools such as API gateways, web application firewalls (WAF) and API security testing tools, remain equally important strategies. These measures can help prevent emerging threats by ensuring that APIs are secure, up-to-date and resilient against evolving attack vectors.

Best practices and future trends

As part of best practices in managing APIs, Comstock advocates shifting from viewing APIs as technical assets to thinking of them as exposing an organisation’s core digital capabilities, along with treating APIs as products designed for reuse, including by AI agents.

Ng adds that when APIs are treated as products with dedicated owners responsible for their long-term success, they can be continuously improved, aligned with business objectives and optimised for user needs, rather than being treated as one-time technical projects.

Another best practice is automated governance, using policy-as-code to enforce style, security and compliance requirements consistently across all APIs. “By integrating governance into the development pipeline, companies can prevent security vulnerabilities and ensure uniform standards without slowing down innovation,” says Ng.
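As an added example of the policy-as-code idea (not code from the article or from Workato), the following CI check lints an OpenAPI 3 document against three constructed rules: servers must use TLS, every operation needs an `operationId`, and no operation may drop the authentication requirement unless it is explicitly tagged `public`. The `SAMPLE_SPEC` and rule set are assumptions for illustration.

```python
# Added example: policy-as-code lint for an OpenAPI 3 document (constructed spec).
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

def lint_openapi(spec: dict[str, Any]) -> list[str]:
    """Return the policy violations found; an empty list means the spec passes."""
    violations: list[str] = []
    # Rule 1: every server URL must use TLS.
    for server in spec.get("servers", []):
        url = server.get("url", "")
        if not url.startswith("https://"):
            violations.append(f"server {url!r} must use https")
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Rule 2 (style): every operation needs a stable operationId.
            if not op.get("operationId"):
                violations.append(f"{where}: missing operationId")
            # Rule 3 (security): an operation inherits the global requirement;
            # opting out with 'security: []' is only allowed on 'public' ops.
            security = op.get("security", global_security)
            if not security and "public" not in op.get("tags", []):
                violations.append(f"{where}: no security requirement declared")
    return violations

# Constructed spec with one deliberate violation of each kind.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],
    "paths": {
        "/health": {"get": {"operationId": "health", "tags": ["public"], "security": []}},
        "/orders/{id}": {
            "get": {"operationId": "getOrder"},
            "delete": {"security": []},
        },
    },
}

def check_sample() -> list[str]:
    """Run the lint over the constructed spec (a CI job would fail on any output)."""
    return lint_openapi(SAMPLE_SPEC)

if __name__ == "__main__":
    problems = check_sample()
    print("\n".join(problems) or "spec passes policy")
    raise SystemExit(1 if problems else 0)
```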

Looking ahead, several trends are set to shape API management. Koh sees the internet of things (IoT) and 5G environments driving demand for decentralised and low-latency architectures such as edge computing.

Comstock points to the emergence of large action models (LAMs), a type of generative AI that can perform specific actions based on user queries. These models not only analyse data, but are designed to take action based on the findings.

“The key to unlocking the full potential of LAMs lies in their integration with APIs,” says Comstock. “By integrating LAMs with APIs, organisations can enable AI agents to interact with a wide range of cloud-based and on-premises systems and services, allowing agents to carry out complex actions.”

The rapid rise of AI-driven applications is also reshaping API management, focusing on AI agent integration and enhanced security. Irecki foresees AI enhancing API analytics, documentation, security and lifecycle automation.

In the coming years, Ng notes that proficiency in AI-driven development tools, real-time observability platforms and federated governance frameworks will be essential for API professionals. Additionally, expertise in prompt engineering and understanding how to leverage AI for both API design and threat detection will be invaluable as these technologies continue to evolve and integrate into API management practices.


By itnews