APIs are the digital glue holding modern systems together—from your favorite apps to the complex infrastructure behind the scenes. But with that power comes a growing list of security challenges. In this talk, we’ll explore how to build a modern API security program from the ground up. You’ll hear real-world lessons, practical strategies, and a few “we’ve all been there” moments.

- What the Auth? Why do authentication cookies cause so much chaos? We’ll dive into session management headaches—from Azure and ID.me to home-grown methods—and why security tools often struggle to keep up.
- That’s a Lot of Vulnerabilities. Security tools can flood teams with false positives. We’ll show how to cut through the noise and focus on what really matters.
- Whose API Is This Anyways? You can’t secure what you don’t know exists. We’ll talk about the disconnect between known endpoints and actual API inventories—and how to close that gap.
- API Overload. Ever seen a security tool report with hundreds of APIs and thought, “No way”? We’ll explain why that happens and what it means for your security posture.
- Why Does This Matter? “People just don’t do that” isn’t a security strategy. We’ll share stories that show why proactive security matters—even when it’s invisible.

To solve the API inventory problem, security needs to meet developers where they are. That means integrating with their tools, using specs like OpenAPI, and building a culture of collaboration.

Join us at GrrCon to learn how to lay the foundation for scalable, resilient API security—and walk away with ideas you can use right away.
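As an added illustration of the inventory gap the abstract describes (not code from the talk or its speakers), the script below reconciles an OpenAPI document against observed traffic: every request in an access log is matched to a declared path template and method, and anything that does not match is reported as an undocumented ("shadow") endpoint, while declared operations that never appear in traffic are reported too. The OpenAPI fragment, the log lines, and the service paths are all constructed for this example; only the standard library is used.

```python
import re
from collections import Counter

# Constructed sample OpenAPI 3 document for a hypothetical service (not from the talk).
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{userId}": {"get": {}, "delete": {}, "parameters": []},
        "/orders/{orderId}/items": {"get": {}},
    },
}

# Constructed access-log lines (combined-log style); only the request line is parsed.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /users HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /users/42 HTTP/1.1" 200 128
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /users/42?verbose=1 HTTP/1.1" 200 256
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "PUT /users/42 HTTP/1.1" 200 128
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/export/ HTTP/1.1" 200 9000
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "POST /internal/debug HTTP/1.1" 204 0
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /users/42/ HTTP/1.1" 200 128
"""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def template_to_regex(template):
    """Turn an OpenAPI path template such as /users/{userId} into an anchored regex.
    Literal segments are escaped; each {param} placeholder matches one non-empty segment."""
    parts = [r"[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
             for p in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")


def load_spec_routes(spec):
    """Return (METHOD, template, compiled_regex) for every operation declared in the spec.
    Non-operation keys under a path item (e.g. 'parameters') are ignored."""
    routes = []
    for template, path_item in spec.get("paths", {}).items():
        rx = template_to_regex(template)
        for key in path_item:
            if key.lower() in HTTP_METHODS:
                routes.append((key.upper(), template, rx))
    return routes


def normalize_path(target):
    """Strip query string and fragment and collapse a trailing slash, so that
    /users/42?verbose=1 and /users/42/ both compare against /users/{userId}."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    if len(path) > 1:
        path = path.rstrip("/")
    return path or "/"


def parse_requests(log_text):
    """Yield (METHOD, normalized_path) for each parsable request line."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            yield m.group("method"), normalize_path(m.group("target"))


def reconcile(spec, log_text):
    """Compare observed traffic with the declared API surface.
    Returns a dict with:
      documented_seen   Counter of (METHOD, template) that carried traffic
      documented_unseen set of (METHOD, template) declared but never observed
      undocumented      Counter of (METHOD, template-or-path) seen but not declared;
                        a known path with an undeclared method is reported by template"""
    routes = load_spec_routes(spec)
    seen, undocumented = Counter(), Counter()
    for method, path in parse_requests(log_text):
        matched_template = None
        for rmethod, template, rx in routes:
            if rx.match(path):
                matched_template = template
                if rmethod == method:
                    seen[(method, template)] += 1
                    break
        else:  # no (method, template) pair matched this request
            undocumented[(method, matched_template or path)] += 1
    unseen = {(m, t) for m, t, _ in routes} - set(seen)
    return {"documented_seen": seen, "documented_unseen": unseen, "undocumented": undocumented}


if __name__ == "__main__":
    report = reconcile(OPENAPI_SPEC, ACCESS_LOG)
    for label in ("documented_seen", "documented_unseen", "undocumented"):
        print(label)
        for entry in sorted(report[label]):
            print("  ", entry)
```

Run against the constructed log, the report flags PUT on /users/{userId}, GET /admin/export and POST /internal/debug as traffic the spec knows nothing about, and shows that the declared POST /users, DELETE /users/{userId} and GET /orders/{orderId}/items carry no traffic at all. The normalization step matters in practice: without it, query strings and trailing slashes inflate the "undocumented" list with noise, which is exactly the "hundreds of APIs" effect the abstract mentions.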