GigaOm Radar for Application and API Security (AAS)v3.0

1. Executive Summary

Application development architecture has been changing to accommodate new platforms, processes, and application needs. Increasingly, applications are collections of APIs, both public and private, connected in the core application to a user interface (UI).

Modern applications need a comprehensive security capability that covers all points of vulnerability. This means a combination of what we have seen in traditional web application firewalls (WAFs), plus all the protection offered by API security and API management products. Together, these types of protection create a comprehensive application and API security (AAS) solution category.

Application deployment architectures have also changed—applications can be spread across multiple clouds, running in Kubernetes, hosted in a data center, or co-hosted with a vendor. AAS products must protect all important parts of the overall application, wherever they are deployed.

Critical to protecting modern applications is understanding them. AAS products provide two tools to help understand and validate an application via its APIs. The first is API “import from definition,” whether in WSDL, OpenAPI, or another standard. This helps us to understand what the API should be doing. The other is “runtime detection” of APIs, which covers what the API is doing. It also offers a view of APIs that are outside the system and do not have a valid API definition file—which often make up the majority of an organization’s APIs.

As application architectures became more complex, the sophistication and volume of attacks increased as well, causing a litany of issues for IT staff. The volume of attack data, the number of attack vectors, and dispersion of attack activity all make protecting applications harder. AAS products must either block known and identifiable attacks outright or offer advanced filtering of data that’s escalated to IT staff to keep the volume of alerts at a manageable level.

There are many attack vectors, some requiring unique protection capabilities. The AAS space requires that application-layer distributed denial of service (DDoS) attacks be protected against while other well-known attacks are detected and/or blocked at the same time—even though these two types of protection generally use different detection and remediation techniques.

Integration with security information and event management (SIEM) solutions allows this critical piece of application security to be included in post-mortem and even secondary detection generated and managed on the SIEM solution.

This is our third year evaluating the AAS space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 13 of the top AAS solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading AAS offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.