Table of Contents
- Market Categories and Deployment Types
- Key Criteria Comparison
- GigaOm Radar
- Vendor Insights
- Analyst’s Take
- About Don MacVittie
APIs are quickly becoming the largest attack surface in applications. API security solutions help an organization improve its security posture by finding and locking down APIs wherever they may reside, either blocking attackers or offering information to help IT teams better protect the APIs.
With the growing number of APIs spread across the entire corporate infrastructure, protecting those APIs is becoming as important as protecting web properties hosted across the same infrastructure. But while—thanks to increasing education and higher-quality security tools—the task of protecting web pages (even dynamic web pages) is now routine for most organizations, the same can’t be said for APIs. We are still learning about protecting our API infrastructure, and even when we do a great job with one API or API family, similar APIs might not have the same level of protection. Indeed, many enterprises are at the very start of their API security journey—discovering exactly what APIs are hidden within their infrastructure.
API security products were generally developed before API use burgeoned to the extent we see today, and early targeting was simple. Those products were based upon the idea that it is asking for failure to insist developers secure the code they write, and there is a lot of truth in this original reasoning. Most developers do not knowingly create insecure code, so if they develop code with vulnerabilities, it is likely because they are unaware of what vulnerabilities a given API might suffer from. Once API security was in use, though, IT quickly discovered a new reason to use a security product: Some vulnerabilities are far easier blocked in the network than in each and every application.
The idea that some attacks are best blocked in the network before access to the API occurs, along with the presence of numerous undocumented APIs that likely exist in organizations, has spurred customers to demand that these products have a way to detect APIs running on the corporate network. For this analysis, a corporate network is the new extended network that includes data center, cloud vendor(s), and hosting. In some environments, it can also include software as a service (SaaS), though few enough SaaS environments include the ability to develop and deploy APIs.
Just as the API security solution must have a way to learn about APIs, it also must be able to protect them once it finds them. API security started under SOAP, when APIs first saw broad adoption, but soon had to adapt to protect REST, which is the primary area of protection today, although new API standards are growing in popularity. Which standards can be protected and how deep that protection goes are important considerations when evaluating API security products. In this analysis, we will also consider whether the product protects the data layer, and what level of protection the data layer receives.
API security is one of the most important aspects of security in the modern enterprise. There are ever more APIs deployed daily, and many organizations have not kept up with API-specific security. For those just starting to consider API security, our report “Key Criteria for Evaluating API Security Solutions” will help you to understand the market and learn what you need to look for when evaluating these products. For those who do not have either web application security or API security, a look at our 2022 Radar report for Application and API Security is also a good idea, as those products generally cover both API security and web application firewalls (WAFs).
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.