Key Criteria for Evaluating Application and API Security Solutionsv2.0

1. Summary

Modern applications are composed of the application itself and the application programming interfaces (APIs) that represent application subsystems. Recent trends in application development—including API-first approaches, service-oriented architectures, and microservices—have served to make APIs part and parcel of today’s applications. In short, many applications are now being broken into a collection of API calls, with some glue and UI code, and a collection of back-end APIs that need protection. The increasing use of containers only exacerbates this division; indeed, microservices are largely enabled by container architectures. Modern application protection must address both of these unique access points to protect the entire application.

Traditionally, application security and API security were viewed as totally different areas. However, the needs of the market have driven them together because, generally, one is not deployed without the other. Thus, application and API security (AAS) encompasses both of these fields.

This report is focused on universal application protection, which includes protecting applications traditionally, as with a web application firewall (WAF), as well as protecting APIs the way API security or API management products do. For the runtime protection portion of the products in this space, the report also considers what new and unique protection might be offered based on the merging of these two fields and the increasing use of artificial intelligence and machine learning (AI/ML), such as runtime application self protection (RASP)-style protections via next-generation firewalls.

Solutions today need to protect applications and their underlying APIs, not only from traditional attacks like structured query language (SQL) injection but also from more subtle attacks that may include several stages and different attack vectors all in one. Inline or side-arm, on the same platform or on remote platforms, the tools must be adaptable enough to protect modern digital applications across the range of their architectures and deployment environments. By the same token, the ability to work with the standard reporting and processing tools of the modern enterprise is vital.

This technology space is closely related to API security, and organizations that have a WAF or next-gen WAF implementation that they are happy with should consider those solutions. Note that some development security solutions also offer real-time protections, and organizations should consider where to place that functionality.

This GigaOm Key Criteria report details the criteria and evaluation metrics for selecting an effective AAS solution. The companion GigaOm Radar report identifies vendors and products that excel in those criteria and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading AAS offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.