Key Criteria for Evaluating API Security Solutions v2.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. API Security Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take

1. Summary

Application programming interfaces (APIs) are now central to modern development, but as their use has skyrocketed over the past 15 years or so, intrusions that successfully exploit API security issues have grown in equal measure. Given the large and growing number of APIs that attackers can target to gain access to sensitive data and systems, protecting APIs is increasingly imperative.

In most organizations, public-facing APIs now present a larger attack surface than interactive web pages. With applications spanning multiple cloud vendors and the data center, and in some cases a hosting provider as well, the number of publicly accessible APIs keeps growing rapidly. Add the spread of microservices architectures, and it is clear there is a significant risk that must be managed. API security solutions are among the primary means of limiting that risk.

While not entirely new, this space has only recently come to market prominence, as organizations realize how many APIs they rely on that may or may not be protected by their existing infrastructure. In fact, many organizations do not know how many APIs they have running, let alone whether or how those APIs are protected.

This realization and the resulting interest have led to an increase in the number of vendors offering a variety of solutions that prospective customers should consider to improve their API security posture.

This technology space is aimed specifically at protecting APIs rather than applications in general. For organizations that are just starting to get their security infrastructure up and running—those that do not yet have a web application firewall (WAF) or data loss prevention (DLP) strategy—our 2023 application and API security Key Criteria report might be worth a read. For those who are comfortable with the level of protection their WAF provides, this report covers the API-specific functionality that a WAF lacks.

This is the second year that GigaOm has reported on the API security space. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report details the capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an effective API security solution. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading API security offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.