The rapid growth of APIs and the rise of unmanaged, hidden endpoints are raising serious security and compliance challenges across organizations.
In light of this growing complexity, Colin Bell, CTO of HCL AppScan, and Eric Schwake, Director of Cybersecurity Strategy at Salt Security, joined a recent webinar to explore the evolving API landscape, the pressing need for better visibility and posture management, and how their joint solution gives organizations a smarter, more scalable way to secure APIs.
The API Ecosystem
The conversation began with a look both backward and forward. Bell and Schwake reflected on how APIs have evolved from simple integration points to being the backbone of digital business, emphasizing their vital role in modern software architecture.
Bell pointed out that APIs now surface across mobile devices, microservices, SaaS, DevOps pipelines, and IoT systems. This breadth adds layers of complexity and stretches the responsibility of API management across multiple teams.
The Growing Threat
Schwake emphasized that as modern applications become increasingly API-driven, APIs will become a go-to attack surface for cybercriminals. Yet, many organizations still lack a complete view of their API landscape—leaving critical gaps open to exploitation. “The worst case scenario is that an attacker finds a shadow API that still has access to sensitive data or internal systems — and exploits it before you even know it exists,” said Schwake.
He went on to explain that the rise of AI-generated code and fast development cycles only makes the problem worse, leaving organizations with fragmented inventories and limited visibility into their API ecosystem.
Identifying Gaps
This lack of visibility led the panel to a key question: Where do current tools fall short in securing APIs?
Schwake explained that while many traditional or legacy tools aim to address API security, they offer only limited visibility—often overlooking internal traffic and lacking integrated posture governance. This fragmented approach makes it difficult for organizations to gain a complete view of their API ecosystem.
Bell addressed similar limitations on the testing side. He explained that even dynamic testing often struggles due to incomplete Swagger files, limited data, and a lack of real-world traffic behavior—making it hard to fully test what’s actually in use. “When it comes to dynamic analysis, the challenge isn’t the ability to test APIs, but ensuring the right data is used. A standard Swagger file might only show entry points, but understanding actual traffic behavior allows for deeper, more effective testing—turning data into valuable insights,” said Bell.
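The gap Bell and Schwake describe (a Swagger/OpenAPI file lists the entry points a team knows about, while traffic shows what is really being called) can be made concrete with a small inventory check. The following Python script is an added example for this post, not code from the webinar, HCL AppScan, or Salt Security. It compares a constructed OpenAPI-style path list against constructed access-log lines and sorts endpoints into three buckets: documented and exercised, documented but never seen in traffic, and observed but undocumented (shadow) endpoints that a spec-driven scan would miss. The spec, the log lines, and the rule that collapses numeric path segments into {id} are all assumptions made for the illustration.

```python
import re

# Constructed sample: a minimal OpenAPI-style skeleton of the endpoints a team
# believes it exposes. Only paths and methods matter for an inventory check.
DOCUMENTED_SPEC = {
    "paths": {
        "/api/v1/users/{id}": {"get": {}, "delete": {}},
        "/api/v1/orders": {"get": {}, "post": {}},
        "/api/v1/orders/{id}": {"get": {}},
    }
}

# Constructed sample access-log lines (abbreviated combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2025:10:00:02 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/May/2025:10:00:03 +0000] "GET /api/v1/orders/17 HTTP/1.1" 200 301
10.0.0.9 - - [01/May/2025:10:00:04 +0000] "GET /internal/debug/users/7/export HTTP/1.1" 200 90210
10.0.0.7 - - [01/May/2025:10:00:05 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2025:10:00:06 +0000] "PUT /api/v1/users/42 HTTP/1.1" 204 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def template_to_regex(template):
    """Compile an OpenAPI path template: {param} segments match one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append(r"[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def spec_to_patterns(spec):
    """Return (METHOD, template, compiled regex) for every documented operation."""
    patterns = []
    for template, methods in spec["paths"].items():
        rx = template_to_regex(template)
        for method in methods:
            patterns.append((method.upper(), template, rx))
    return patterns


def normalize_path(path):
    """Assumed heuristic: collapse purely numeric segments into {id} so that
    /users/7 and /users/42 report as one undocumented endpoint, not two."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_log(text):
    """Extract (method, path-without-query, status) from each log line."""
    observed = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not request records
        path = m.group("path").split("?", 1)[0]
        observed.append((m.group("method"), path, int(m.group("status"))))
    return observed


def classify(spec, log_text):
    """Compare documented operations with observed traffic.

    exercised:   documented and seen in traffic (what a spec-driven scan covers)
    unexercised: documented but never called (candidates for removal or review)
    shadow:      called but absent from the spec (invisible to spec-only testing)
    """
    patterns = spec_to_patterns(spec)
    documented = {(meth, tmpl) for meth, tmpl, _ in patterns}
    exercised, shadow = set(), set()
    for method, path, _status in parse_log(log_text):
        hit = next(((m, t) for m, t, rx in patterns
                    if m == method and rx.match(path)), None)
        if hit:
            exercised.add(hit)
        else:
            shadow.add((method, normalize_path(path)))
    return {
        "exercised": sorted(exercised),
        "unexercised": sorted(documented - exercised),
        "shadow": sorted(shadow),
    }


if __name__ == "__main__":
    report = classify(DOCUMENTED_SPEC, SAMPLE_LOG)
    for bucket, entries in report.items():
        print(bucket)
        for method, path in entries:
            print(f"  {method:6} {path}")
```

On the constructed data the shadow bucket holds three entries: a new API version (/api/v2/...), an unexpected method on a documented path (PUT on /api/v1/users/{id}), and an internal debug export route. None of them appear in the spec, so a dynamic test seeded only from the Swagger file would never exercise them; feeding observed traffic into the inventory is what brings them into scope for testing and policy review. In practice the log source would be a gateway, proxy, or service-mesh export rather than a string literal, and the {id} heuristic would be extended to UUIDs and other identifier shapes.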
Regulations Are Catching Up
This increasing complexity and risk are driving regulators to pay closer attention to APIs. While many security standards remain broad, specific compliance mandates now directly address APIs. Schwake highlighted New York's NYDFS regulation as a prime example—it now requires financial organizations operating in the state to maintain a full API inventory.
This shift shows a growing awareness that APIs are security weak points and must be managed with the same attention as other critical security infrastructure.
Making Security Easier
Amid these challenges and regulatory demands, a recurring theme throughout the webinar was that security needs to be friction-free for both developers and security teams. Bell and Schwake pointed out that many teams work in silos and feel stretched thin. Highlighting real API risks and offering straightforward next steps helps everyone concentrate on what matters most.
Bell also mentioned that more organizations are looking for all-in-one security platforms—solutions that combine capabilities, trim down tool sprawl, and simplify deployment. That way, scaling API protection doesn't add to already busy teams' workloads.
A Smarter Solution: HCL AppScan API Security
To help tackle these challenges, Bell introduced HCL AppScan API Security—a collaborative solution from HCL AppScan and Salt Security. It brings together continuous discovery, posture governance, and dynamic testing to help teams find overlooked APIs, apply security policies, and better understand how APIs behave in real-world conditions.
As the session concluded, both speakers encouraged attendees to explore the solution—either through a trial or a proof-of-concept—to see how well it integrates into their everyday processes.
Final Thoughts
By the end of the discussion, it was clear that API security is becoming increasingly critical as threats grow and environments become more complex. Visibility remains the foundation—without understanding what’s out there and how it behaves, gaps will persist. A unified platform that brings together API discovery, testing, and governance offers a practical way forward for organizations to stay secure and in control.
Watch the replay to catch the full talk with Colin Bell and Eric Schwake, and see how HCL AppScan API Security can help teams secure APIs more confidently.