NIST - Guidelines for API Protection for Cloud-Native Systems

15/05/2025

In March 2025 the National Institute of Standards and Technology (NIST) released a special publication, NIST SP 800-228 (initial public draft), Guidelines for API Protection for Cloud-Native Systems.

The publication highlighted the importance of APIs as the core of today’s enterprise architecture, where they serve as critical interfaces for internal operations, third-party integrations, and customer-facing applications. However, this ubiquity comes with a significant risk: APIs expose application logic and sensitive data, making them attractive targets for attackers. The document provides guidelines for a structured risk-based framework where security is built into the APIs themselves.

The OWASP API Top 10 catalogues the most common and dangerous API vulnerabilities—such as broken authentication, insufficient authorization, and insecure endpoints—that, if left unaddressed, can leave systems wildly exposed to threats. NIST’s guidelines, as documented in SP 800-228, provide a detailed framework for protecting APIs across their entire lifecycle. NIST stresses the importance of building security into APIs from the design phase through to runtime operation, dividing the recommended controls into two main categories: pre-runtime protections and runtime protections. This structured, iterative approach echoes the philosophy behind the OWASP API Top 10 by insisting that security cannot be a one-off checklist but must be an ongoing, adaptive process integrated into the entire development and deployment pipeline. NIST also advocates a zero trust mindset and the adoption of DevSecOps practices, reinforcing that continuous monitoring and incremental improvements are essential to counter rapidly evolving API risks.

The Convergence of Best Practices

While OWASP clearly defines the threat exposures of APIs (an offensive approach), such as broken object-level authorization and unsafe access patterns, NIST offers a slightly different perspective, focusing on defensive measures and implementation best practices. This convergence is critical, as it enables organizations to move beyond merely identifying vulnerabilities to deploying practical controls based on solid, risk-based methodologies. By doing so, enterprises can safeguard sensitive information, manage access effectively, and ensure their APIs remain resilient against evolving threats.
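To make the convergence concrete, here is an added example (not code from NIST SP 800-228, OWASP, or SecDim) of the OWASP exposure named above, broken object-level authorization, beside the runtime control that closes it. The order store, the bearer tokens and the handler names are constructed for the illustration; a real service would validate signed tokens rather than look them up in a dictionary.

```python
"""Added example: object-level authorization as a runtime API control.
Constructed data and tokens; not code from the publication or the site."""
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed sample data: a tiny order-lookup API keyed by order id.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
}

# Constructed bearer tokens mapped to principals (assumption: stands in for
# real token validation, which would verify a signature and expiry).
TOKENS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}


@dataclass
class Response:
    status: int
    body: dict


def authenticate(headers: dict) -> Optional[str]:
    """Authentication only: map a bearer token to a principal, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    # Constant-time comparison avoids leaking token bytes through timing.
    for token, principal in TOKENS.items():
        if hmac.compare_digest(presented, token):
            return principal
    return None


def get_order_vulnerable(headers: dict, order_id: int) -> Response:
    """Authenticates the caller but never checks that the caller owns the
    order, so any authenticated user can read any order by changing the id.
    This is the pattern OWASP lists as broken object-level authorization."""
    principal = authenticate(headers)
    if principal is None:
        return Response(401, {"error": "unauthenticated"})
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def get_order_hardened(headers: dict, order_id: int) -> Response:
    """Same endpoint with the object-level authorization check applied at
    runtime: the authenticated principal must own the requested object."""
    principal = authenticate(headers)
    if principal is None:
        return Response(401, {"error": "unauthenticated"})
    order = ORDERS.get(order_id)
    # Answer 404 for both missing and foreign orders so the response does not
    # tell a caller which ids exist outside their own scope.
    if order is None or order["owner"] != principal:
        return Response(404, {"error": "not found"})
    return Response(200, order)


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    print(get_order_vulnerable(bob, 1001))  # bob reads alice's order: status 200
    print(get_order_hardened(bob, 1001))    # ownership enforced: status 404
    print(get_order_hardened(bob, 1002))    # bob's own order: status 200
```

The point of the hardened handler is that authentication and authorization are separate controls: a valid token establishes who is calling, and the ownership check decides what that caller may see. Logging the denied lookups (not shown) would give the runtime monitoring NIST asks for something to act on.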

In Summary

The importance of the OWASP API Top 10 lies in its clear, actionable identification of API security risks that stem from the very nature of modern, interconnected systems. NIST’s guidance reinforces this by prescribing a comprehensive, lifecycle-oriented framework to mitigate these vulnerabilities. Together, the OWASP and NIST recommendations serve as complementary pillars of API security—highlighting that a proactive, methodical, and continuously evolving security posture is essential for protecting enterprise systems in today’s digital landscape.

We recently built secure programming challenges for each of the OWASP API Top 10, so you can jump into a hands-on experience and test your ability to implement security in your own APIs.

They will be available for free to everyone for a limited time via our Weekly Incident game.

With a Pro subscription, you can access them anytime from the API Game.
