APIs are powering everything from fintech platforms to patient portals — and threat actors are targeting them at every stage. To help security and development teams stay ahead, we’ve delivered a range of updates across releases 3.50 to 3.54.
These enhancements improve visibility, automation, coverage, and compliance across the API lifecycle — and help teams address real-world challenges, from audit prep to runtime protection.
Here’s what’s new.
HIPAA and FAPI are now supported in the Compliance Dashboard
The API Compliance Dashboard now supports two additional industry-standard frameworks: the Health Insurance Portability and Accountability Act (HIPAA), for healthcare data protection, and FAPI (formerly Financial-grade API), for high-assurance financial data flows (Figure 1).
These additions help security and compliance teams identify configuration gaps, track remediation efforts, and prepare audit documentation — all without manual spreadsheet wrangling.
For example, a healthcare provider can now evaluate encryption and authentication posture for APIs that handle protected health information and export that data directly into an auditor-friendly report during a HIPAA compliance review. Similarly, a bank working under open banking guidelines can validate conformance to FAPI and mitigate risks before they trigger regulatory findings.
To learn more about our Compliance Dashboard, please see the documentation.
Discover APIs from source code
Our APIs from Code capability scans your repositories and identifies internal, undocumented, or dormant APIs that would otherwise be invisible to solutions that only rely on traffic-based discovery (Figure 2). This is critical for AppSec teams who need a comprehensive inventory of APIs, especially when compliance frameworks demand full visibility into systems that process personally identifiable information.
APIs from Code also helps reduce mean time to remediation (MTTR) by mapping findings directly to file paths and commit authors. For example, you can uncover APIs that are not yet protected by Akamai API Security or do not yet generate traffic, trace them to the responsible team, and close posture gaps before production deployment — avoiding both data leakage and regulatory violations.
In addition, we’ve extended APIs from Code to support NestJS, a widely used back-end framework for JavaScript and TypeScript applications. This helps teams that rely on modern server-side architectures to discover APIs earlier in the development lifecycle and reduce the risk of unsecured endpoints making it into production.
Current frameworks supported by APIs from Code
- Java: Spring MVC
- JavaScript: Express, NestJS
- Python: FastAPI, Flask
- TypeScript: Express, NestJS
Languages supported by APIs from Code
- Java
- Python
To learn more about our code scanning capabilities, please see the documentation.
Akamai API Security app for Splunk (now on Splunkbase)
Our official Splunk integration lets you bring API findings and incidents into your existing security information and event management (SIEM) workflows, with support for the Common Information Model (Figure 3). Security teams can now correlate Akamai-detected API threats with logs from other sources, create dashboards, and trigger alerts from within the Splunk interface they already use.
This is particularly valuable for security operations center teams that need to investigate and respond to multilayered attacks quickly. For example, you can use this integration to detect patterns of token reuse across APIs and web sessions, which can help you identify and block abuse in real time.
To learn more about our Splunk integration, please see the documentation.
Active Testing: More flexible, scalable, and CI/CD-ready
Deploy in OpenShift
You can now deploy Active Testing Remote Workers in Red Hat OpenShift, using our certified containers from the Red Hat Ecosystem Catalog (Figure 4).
This makes it easier to scan APIs in secure, internal environments where external access is restricted or prohibited. For example, as a healthcare provider, you can scan internal APIs that process patient records without exposing them to the public internet, thereby maintaining compliance while still conducting thorough testing.
Bamboo CI/CD integration
Development teams that use Atlassian Bamboo can now integrate Active Testing directly into their CI/CD pipelines (Figure 5).
If API tests fail, the build is automatically blocked, preventing insecure code from being deployed to staging or production. This supports shift-left security practices and helps teams enforce quality gates early in the development process.
Plug-in-based secrets via Python scripts
Many enterprises use complex authentication flows that aren’t supported by static secrets or standard OAuth flows. Our new extensible secrets model enables teams to write custom Python scripts that dynamically retrieve secrets from internal systems or third-party vaults.
These scripts execute securely during Active Testing scans and support advanced scenarios, such as chained tokens or body-based credentials.
To learn more about API testing, please see the documentation.
Learn more
Please review the release notes for additional information about these and other features.