API Security: Purple Teaming Exercises

PUBLISHED ON January 29, 2024
LAST UPDATED Jan 29, 2024

The first step to establishing your API security program is to obtain visibility. The proliferation of APIs across a distributed infrastructure inevitably leads to API sprawl, and most organizations don’t know how many APIs they have or how they’re utilized. Developers often stand up new APIs or reuse existing ones, but much of this is out of sight of security. As a result, the attack surface created by APIs is significantly larger than most organizations realize.

Get details on API discovery steps in How to Discover and Document Your API Landscape.

Once you know what APIs you have and are familiar with their functionality, it’s time to think about protecting them. Protection falls under three categories that most security professionals are familiar with: red teaming, blue teaming, and purple teaming.

Learn more about API security red-teaming exercises and blue-teaming exercises.

API Security Purple Teaming

Once the red teaming and blue teaming pieces are in place, mature your API security program with purple teaming. This concept emphasizes collaboration between your red and blue teams. Purple teaming is your people, process, and technology working together to improve security.


Regardless of the technology you implement, people will remain the weakest link. Security awareness training is a must-have for all employees, and developers should have their own dedicated training. Make sure security “reaches across the aisle” and has transformative conversations with development to ensure developers have bought-in to the program and you’re actually protecting your applications throughout the entire software development lifecycle, to production.


There are a number of processes that can help improve your API security and mature your program:

Stress testing your APIs. Do a tabletop exercise of a DDoS attack or botnet attack against one of your applications. Determine what would happen if you had downtime and how that risk can be reduced or prevented.

Policies and procedures are important, but they must be flexible. They must be able to change over time as new threat actors advance their techniques against your organization. Also consider compliance and regulations and how your APIs may be transmitting certain data types, particularly personally identifiable information (PII) that may be covered by various industry and governmental mandates.


Defense in depth is a security best practice that involves leveraging multiple security technologies to provide a layered defense. For your API security program, defense-in-depth includes red teaming and blue teaming controls and measures, including API gateways and an API protection platform to protect against real-time threats. While not exhaustive, consider deploying technologies throughout your SDLC (software development lifecycle) such as SAST, DAST, and SCA. In addition, at least annually, perform penetration testing and vulnerability assessments against your applications and APIs.

Get more details on API security, including discovery, blue teaming, and purple teaming, in our Guide to Getting Started With API Security.


About the Author

Bret Settle

Bret has served in multiple executive roles for Corporate Express/Staples and BMC Software and has extensive knowledge of the software development and security products industries. Bret has been responsible for enterprise security in multiple roles and has been an innovator throughout his career and has a proven track record of building and developing high performing organizations and dynamic cyber security teams.