Key Criteria for Evaluating API Security Solutionsv1.0

1. Summary

Application programming interfaces (APIs) have been a growing attack surface—and a commensurately growing problem—for more than a decade. There have been some spectacular intrusions based on API security issues. The API security market attempts to address those issues so that attackers are less successful.

In our view, in most organizations, public-facing APIs have become a larger attack surface than regular interactive web pages, and this is an ever-increasing trend. Given the large and growing number of APIs that attackers can target to gain access to sensitive data and systems, protecting them is increasingly an imperative. With applications spanning multiple cloud vendors and the data center, perhaps even including a hosting provider, the number of publicly accessible APIs is growing exponentially. Add to that the growth of microservices architecture, and it’s clear there’s a big risk that must be managed. API security products are among the primary methods of limiting that risk.

This market is aimed specifically at protecting APIs, not at protecting applications. For organizations that are just starting to get their security infrastructure up and running—who do not have a web application firewall (WAF) or data loss prevention (DLP) strategy—our Application and API Protection Key Criteria report might be worth a read. For those who are comfortable with the level of protection their WAF provides, this report covers the piece of API-specific functionality that WAF is missing.

The GigaOm Key Criteria and Radar reports provide an overview of the API security market, identify capabilities (table stakes, key criteria, and emerging technology) and evaluation metrics for selecting an API security solution, and detail vendors and products that excel. These reports will give prospective buyers an overview of the top vendors in this sector and will help decision makers evaluate solutions and decide where to invest.