GigaOm Radar for API Securityv2.01

1. Summary

APIs are quickly becoming the largest attack surface in organizations. API security solutions help organizations improve their security posture by finding and locking down APIs wherever they reside, either by blocking attackers or offering information to help IT teams better protect their APIs.

With the growing number of APIs spread across the entire corporate infrastructure, protecting those APIs has become as important as protecting web properties hosted across the same infrastructure. But while the task of protecting web pages (even dynamic web pages) is now routine for most organizations, thanks to increasing experience and higher-quality security tools, the same can’t be said for APIs. We’re still learning about protecting our API infrastructure, and even when we do a great job with one API or API family, similar APIs might not have the same level of protection. Indeed, many enterprises are at the very start of their API security journey—discovering exactly what APIs are hidden within their infrastructure.

API security products were generally developed before API use burgeoned to the extent we see today, and early targeting was simple. Those products were based on the idea that insisting developers secure the code they write is asking for failure—and there is a lot of truth in that reasoning. Most developers do not knowingly create insecure code, so if they develop code with vulnerabilities, it is likely because they are unaware of what vulnerabilities a given API might suffer from. Once API security came into use, though, IT teams quickly discovered a new reason to use a security product: some vulnerabilities are far easier blocked in the network than in each and every application.

The idea that some attacks are best blocked in the network before access to the API occurs, along with the presence of numerous undocumented APIs that likely exist in organizations, spurred customers to demand that security products have a way to detect APIs running on the corporate network. For this analysis, a corporate network is the new extended network that includes data center, cloud vendor(s), and hosting. In some environments, it can also include software as a service (SaaS) that have the ability to develop and deploy APIs.

Just as an API security solution must have a way to learn about APIs, it also must be able to protect them once it finds them. API security started under simple object access protocol (SOAP) when APIs first saw broad adoption but soon had to adapt to protect representational state transfer (REST), which is the primary architecture requiring protection today, although new API standards are growing in popularity. Which standards can be protected and how deep that protection goes are important considerations when evaluating API security products. In this analysis, we will also consider whether the product protects the data layer and what level of protection it receives.

This GigaOm Radar report highlights key API security vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating API Security Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

This is our second year evaluating the API security space in the context of our Key Criteria and Radar reports. All solutions included in this Radar report meet the following table stakes—capabilities that are widely adopted and well implemented in the sector:

• API discovery and import
• API analysis
• API protection
• API monitoring
• API access control