Does your organization have an API-first strategy? Does it include application security for design, testing, and continuous monitoring, or does it rely upon gateway appliances and web-application firewalls? Is your CISO engaged in all aspects of your organization's application modernization to execute on that strategy? Join us to examine how prevalent insecure API endpoints are on the Internet today and to review the well-known data breaches that had APIs at their focal point. We discuss the challenges pertaining to API authentication, access control, and rate limiting. We also present a concise API security framework that can be used to govern and enforce API security throughout a secure SDLC, and which incorporates best practices for endpoint asset management and data loss prevention.