APIs are everywhere. Any business with a mobile app, modern web apps (SPAs), using the cloud, doing a digital transformation, integrating with business partners, running microservices or using Kubernetes has APIs. There's a solid foundation of AppSec knowledge out there - thanks, in part, to OWASP - but API security isn't exactly the same as AppSec. Additional complexity is part of the landscape with multiple competing API technologies like REST, gRPC and GraphQL, not to mention stakeholders spread across multiple parts of the business. How do you make sense of the API security landscape? This talk will cover the three fundamental areas to consider, the various chess pieces and the many ways those pieces can be put on your API chessboard. The goal is for you to leave knowing how to map out your API security landscape and reach a state of solid API security.