Source: www.lastwatchdog.com – Author: bacohido
By Byron V. Acohido
In today’s digital enterprise, API-driven infrastructure is the connective tissue holding everything together.
From mobile apps to backend workflows, APIs are what keep digital services talking—and scaling. But this essential layer of connectivity is also where attackers are gaining traction, often quietly and with alarming precision.
Jamison Utter, a cybersecurity strategist at A10 Networks, refers to APIs as the “fuzzy underbelly” of modern infrastructure. He leans on a useful analytical shorthand known as the FUSS framework—short for Fuzzy, Ubiquitous, Shifting and Shallow—to help security teams recognize a widening disconnect between how modern applications behave and how traditional defenses are designed.
“In the race to transform, organizations built layers of API connectivity without building a corresponding model of trust,” Utter explains. “And adversaries are exploiting that asymmetry.”
Moving to anticipatory
Gone are the days when attackers simply hunted for exposed ports or outdated software. They’re now studying how microservices make decisions, how APIs authenticate across trust zones, and where subtle gaps in identity controls allow lateral movement without detection.
In this Q&A, Utter unpacks how the FUSS lens can help security teams better understand the shifting attack surface—and how to move from checkbox compliance to something more adaptive and anticipatory.
LW: You’ve described APIs as the blind spot—or fuzzy underbelly—of modern infrastructure. What do you mean by that?
Utter: APIs are “fuzzy” in the sense that they lack the firm boundaries most security teams are used to working with. They aren’t always mapped. Their intended behavior isn’t always well defined. And they tend to multiply quietly, often outside of centralized control. So, you’ve got this expansive, ever-evolving attack surface that’s neither well understood nor closely monitored. That’s exactly the kind of terrain adversaries love—where they can probe around without triggering alarms and find subtle ways in.
LW: Why are attackers increasingly drawn to APIs as an entry point?
Utter: Attackers know that APIs hold the keys to the kingdom. They don’t just expose data—they expose logic. And because traditional defenses often don’t inspect what APIs do at runtime, adversaries can manipulate inputs and outputs to produce business logic abuses that fly under the radar. Instead of brute-forcing a password, they might query an API a thousand different ways to figure out how it handles permissions, or what kind of response it gives under certain edge conditions. That’s a different mindset—and a lot of security tools just aren’t built to detect that.
LW: You mentioned that identity is being redefined. What do you mean by that in the context of APIs?
Utter: Historically, identity meant a user with credentials. But in today’s distributed systems, identity can be a process, a bot, a container, a CI/CD pipeline, even a third-party service calling an API. These entities act autonomously and make decisions based on policy—or sometimes on incomplete information. But as identities cross API boundaries, context often disappears. You don’t know who or what initiated the call, or what their level of trust should be. That lack of continuity breaks traditional enforcement models and opens the door for misuse.
LW: How does the FUSS model help teams focus their security efforts?
Utter: FUSS gives security and IT leaders a way to reframe the problem. Instead of chasing every API vulnerability like a game of Whack-A-Mole, it encourages them to think more strategically. If something is fuzzy, you work to define it better. If it’s ubiquitous, you prioritize visibility. If it’s shifting, you adapt your tooling to follow change. And if it’s shallow—meaning it lacks depth of protection—you embed guardrails closer to runtime. The framework creates a shared language for discussing why APIs are risky and what it takes to govern them effectively.
LW: What’s the biggest misconception CISOs have about API protection?
Utter: Many assume that if they’ve deployed an API gateway or WAF, the problem is solved. But those tools, while useful, only give you a partial view. They can’t tell you how APIs behave across time, how trust relationships evolve, or how identities get reused in unexpected ways. True API protection means understanding the why behind each call—not just blocking the known bad. It’s about mapping the web of trust inside your system and monitoring for deviations that suggest something’s off.
LW: If you had to give one practical step for security leaders today, what would it be?
Utter: Start building an API inventory—but don’t stop at names and endpoints. Tag them by purpose, sensitivity, and the type of data or actions they expose. Ask: What does this API do? Who calls it? What’s the blast radius if it’s abused? That starts to build a model of intent and consequence. Once you have that, you can begin layering in behavioral monitoring and adaptive controls.
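The inventory step Utter describes above, joined to the runtime monitoring he mentions earlier (an identity querying one API "a thousand different ways" to learn how it handles permissions and edge conditions), as an added example that is not from the article or from A10 Networks. The inventory entries, caller names, endpoints, log records and scoring weights are all constructed for illustration:

```python
from collections import defaultdict

# Hypothetical inventory in the shape the answer suggests: each endpoint tagged
# by purpose, sensitivity (0 = none, 3 = highest) and what data or actions it exposes.
INVENTORY = {
    "/v1/users/{id}/permissions": {"purpose": "authz lookup", "sensitivity": 3,
                                   "exposes": ["roles", "scopes"]},
    "/v1/orders": {"purpose": "order history read", "sensitivity": 2,
                   "exposes": ["order records"]},
    "/v1/health": {"purpose": "liveness probe", "sensitivity": 0, "exposes": []},
}

# Constructed access-log records: (caller identity, endpoint template, query variant, status).
LOG = [
    ("svc-billing", "/v1/orders", "status=open", 200),
    ("svc-billing", "/v1/orders", "status=open", 200),
    ("ci-runner-7", "/v1/users/{id}/permissions", "id=1001", 200),
    ("ci-runner-7", "/v1/users/{id}/permissions", "id=1001&role=admin", 403),
    ("ci-runner-7", "/v1/users/{id}/permissions", "id=1001&role=", 500),
    ("ci-runner-7", "/v1/users/{id}/permissions", "id=-1", 400),
    ("ci-runner-7", "/v1/users/{id}/permissions", "id=1001&scope=*", 403),
    ("monitor", "/v1/health", "", 200),
    ("monitor", "/v1/health", "", 200),
]

def probing_findings(log, inventory, min_variants=4, min_sensitivity=2):
    """Flag callers that hit one sensitive endpoint with many distinct input
    variants and mixed outcomes (edge-condition probing) rather than steady
    business traffic. Endpoints missing from the inventory are reported too,
    since they are the 'fuzzy' surface the inventory step is meant to close.
    Returns findings sorted by score, highest first."""
    variants, statuses = defaultdict(set), defaultdict(set)
    for caller, endpoint, query, status in log:
        variants[(caller, endpoint)].add(query)
        statuses[(caller, endpoint)].add(status)
    findings = []
    for (caller, endpoint), seen in variants.items():
        meta = inventory.get(endpoint)
        if meta is None:
            findings.append({"caller": caller, "endpoint": endpoint,
                             "reason": "unknown endpoint", "score": 1})
            continue
        outcomes = len(statuses[(caller, endpoint)])
        if meta["sensitivity"] < min_sensitivity or len(seen) < min_variants:
            continue
        # Weight by sensitivity, by input diversity and by how many distinct outcomes were elicited.
        score = meta["sensitivity"] * len(seen) * outcomes
        findings.append({"caller": caller, "endpoint": endpoint,
                         "reason": f"{len(seen)} input variants, {outcomes} outcomes",
                         "score": score})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Thresholds and weights are placeholders; in practice they would be tuned per endpoint from the inventory's sensitivity tags and observed baseline traffic.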
LW: What does the future of API protection look like?
Utter: It’s heading toward deeper, more contextual security—things like identity graphing, behavioral analytics, and continuous trust scoring. We’ll move beyond perimeter enforcement and into runtime accountability. That means being able to say, with high confidence, “This call looks legitimate because I understand its history, its purpose, and its normal behavior.” It’s a heavy lift, but we’re already seeing signs of that evolution. The key is to start building that visibility now—because once attackers redefine the terrain, playing catch-up gets harder.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
June 12th, 2025 | Q & A | Top Stories
Original Post URL: https://www.lastwatchdog.com/shared-intel-qa-a-sharper-lens-on-rising-api-logic-abuse-and-a-framework-to-fight-back/