By Mateus Santos

APIs have become the backbone of the digital economy, but they have also become one of the main vectors for cyberattacks. In Brazil, each company suffered an average of 2,600 attempted intrusions per week in the first quarter of 2025, according to a report by Check Point Research (July/25), an increase of 21% compared to the same period of the previous year, a scenario that places the integration layer at the center of security discussions.

Without governance, well-defined contracts, and adequate testing, seemingly small errors can bring down e-commerce checkouts, disrupt Pix (Brazil's instant payment system) operations, and compromise critical integrations with partners. The case of Claro, for example, which had credentials exposed, S3 buckets with logs and configurations, as well as access to databases and AWS infrastructure put up for sale by a hacker, illustrates how failures in integrations can compromise both the confidentiality and availability of cloud services.

However, protecting APIs is not solved by acquiring isolated tools. The key is to structure secure development processes from the start. A design-first approach, using specifications such as OpenAPI, allows contracts to be validated and creates a solid foundation for security reviews covering authentication, permissions, and the handling of sensitive data. Without this foundation, any subsequent reinforcement tends to be palliative.
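As an added illustration (not part of the article and not Vericode's tooling), the script below lints a constructed OpenAPI 3 document for the contract properties such a review starts with: every operation declares authentication, every referenced security scheme is actually defined, and 401/403 responses are part of the contract rather than an afterthought. The spec, the `adminKey` and `bearerAuth` scheme names and the paths are all made up for the example.

```python
"""Lint an OpenAPI 3 document for contract-level security properties that a
design-first review checks before any code is written. Constructed example."""
from typing import List

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample spec (hypothetical checkout API, not from the article):
# one operation forgot its security requirement, another references a
# security scheme that was never defined.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/orders": {
            "get": {"security": [{"bearerAuth": []}],
                    "responses": {"200": {}, "401": {}, "403": {}}},
            "post": {"responses": {"200": {}}},  # no security, no 401/403
        },
        "/admin/refunds": {
            "post": {"security": [{"adminKey": []}],  # scheme never defined
                     "responses": {"200": {}, "401": {}}},
        },
    },
}


def lint_openapi(spec: dict) -> List[str]:
    """Return one finding per problem; an empty list means the contract is clean."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_sec = spec.get("security")  # document-wide default, if any
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Operation-level security overrides the global default; None means
            # nothing declared, [] means explicitly public. Both get flagged for review.
            sec = op.get("security", global_sec)
            if not sec:
                findings.append(f"{where}: no security requirement declared")
            else:
                for requirement in sec:
                    for scheme in requirement:
                        if scheme not in defined:
                            findings.append(f"{where}: undefined security scheme '{scheme}'")
            # An authenticated operation must document its auth failure responses.
            if sec and not {"401", "403"} <= set(op.get("responses", {})):
                findings.append(f"{where}: authenticated operation lacks 401/403 responses")
    return findings


if __name__ == "__main__":
    for finding in lint_openapi(SAMPLE_SPEC):
        print(finding)
```

The same check can run in CI against the real contract so that a new endpoint without a security requirement fails the build before it reaches a reviewer.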

Automated testing is the next line of defense: API security tests with tools such as OWASP ZAP and Burp Suite continuously exercise failure scenarios such as injections, authentication bypasses, request-limit overruns, and unexpected error responses. Likewise, load and stress tests ensure that critical integrations remain stable under heavy traffic, removing the possibility that malicious bots, which account for a large portion of internet traffic, compromise systems through saturation.

The cycle is completed in production, where observability becomes essential. Monitoring metrics such as latency and error rate per endpoint, together with call correlation between systems, allows anomalies to be detected early. This visibility shortens response time, preventing technical failures from turning into downtime incidents or into vulnerabilities exploitable by attackers.

For companies operating in e-commerce, financial services, or mission-critical sectors, neglecting the integration layer can lead to significant costs in lost revenue, regulatory sanctions, and reputational damage. Startups, in particular, face the additional challenge of balancing speed of delivery with the need for robust controls, as their competitiveness depends on both innovation and reliability.

API governance is also gaining relevance in light of international standards, such as ISO/IEC 42001:2023 (ISO 42001), which establishes requirements for artificial intelligence management systems. Although it does not directly address APIs, it becomes relevant when APIs expose or consume AI models, especially in regulated contexts. In this scenario, the best practices recommended by OWASP API Security for language-model-based applications are also gaining strength. These guidelines offer objective paths for companies seeking to reconcile productivity with regulatory compliance and security.

In a scenario where integrations have become vital for digital businesses, a secure API is one that is continuously tested and monitored. Combining structured design, automated security and performance testing, and real-time observability not only reduces the attack surface but also creates more resilient teams. The difference between operating proactively and reactively can define survival in an environment increasingly exposed to threats.

*Mateus Santos is CTO and partner at Vericode. With over 20 years of experience in systems across the financial, electrical, and telecommunications sectors, he possesses expertise in architecture, analysis, and optimization of system performance, capacity, and availability. Responsible for the company's technology, Mateus leads innovation and the development of advanced technical solutions.

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
