There is a large amount of recent buzz around API security which is surprising considering how long APIs have been at the center of web applications. Is API security a bunch of new things or is it merely a repackaging of something familiar? The answer is somewhere in the middle. This talk discusses the new practices and tools around API security, but it will also rank them by risk-addressed in context with less buzz-worthy practices and tools from web application security.