API Security

Terms You Might Hear

• Application Programming Interface (API)

• API Gateway

• Secure API Gateway

• Web Application and API Protection (WAAP)

Problem Statement

• APIs are “single points of entry” into modern applications. APIs are used to communicate with customer interfaces such as web and mobile apps or to communicate with suppliers and business partners.

• By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers.

• Rapid adoption of cloud and serverless services causes rapid growth of APIs, both sanctioned and unsanctioned. These services allow for the creation of rogue APIs that operate outside of enterprise security. The more APIs and connected systems and resources behind them, the higher the security risk and potential fallout it is. Instant deployment of API services can create instance exposure to potential threats (SolarWinds also had an API authentication bypass vulnerability).

Market Solutions

Enter the API Security product market space.

• API Security platforms are designed to continually discover APIs in your environment and baseline standard behaviors. This helps you discover unsanctioned APIs and spot anomalous activity sooner so you can take action.

• API Security platforms show you where you are potentially exposing sensitive data with your APIs. These solutions help simplify compliance and adherence to security standards around authentication, authorization, encryption, rate limiting, and general misuse.

Players in the Space

This issue focused specifically on pure API Security plays or those closely related to it.

• 42Crunch(Venture funding in 2021)

• AAPI(Seed funding in 2020)

• Aiculus(See funding in 2020)

• Akana

• APIsec

• Cequence

• Data Theorem

• Impart Security

• Noname Security

• Salt Security(Series A and Series B funding in 2020)

• Wallarm

• Wib

Product Space Predictions

• More partnerships and acquisitions from API Gateway companies. API Gateways can do some security but are missing many security features past basic authentication. Some platforms like Apigee and Mulesoft are trying to play catch-up, but it’s not the core of their offering. It’s probable to think that these giants could eventually catch up and consume the API Security platform market space, but it’s not at the core of their value propositions. It’s a volume game for API Gateways, with the more players, the better. Look for API Gateway to more formally establish partnerships or acquire API security platforms instead.

• Convergence of APIs and Identities. It will be a natural evolution to consider APIs another type of identity source and to have the kind of interrogation and trust principles as identities (humans, machines, tokens, etc.) do. AAPI is already trying to do this.

• Industry-specific variations will emerge. As with any product, certain industries often have more subtle complexities that require a different lens. The Internet of Medical Things (IoMT) will have a focus here as getting connectivity and availability right from connected microservices in the medical or hospital space will be of the utmost importance.

• API Security platforms will take the offensive. Automate the pentesting of your API platforms and go beyond compliance and standard Web Application Penetration Testing (WAPT) approaches. API Critique is currently doing this.

• Look for Observability players to eclipse this space. Proactively monitoring, synthetically loading, and testing APIs is already something that the AlertSites and DataDogs of the world are doing well with. DataDog also recently acquired Sqreen, an application security company. Moves like this bring security as a component of observability and a more holistic approach to modern application visibility.

Product Space Opportunities

• Help push zero-trust principles into secure API design. Trust is a subjective thing, and APIs must evolve to trust claims from common parties instead of attributes (i.e., keys, tokens, passwords, etc.).

• Design for Internet-Scale and Usage. Security tools are still bolt-ons after the fact and are not designed to be leveraged by people outside of security. Modern teams expect a relationship with their tools that everyone can use. These tools need the ability to integrate, observe, and take action.

• Move the checks to the CI/CD pipeline. Check the API security exposures on every commit just like any other security or observability test.

• Tie in with Third-Party Security providers. Help me make this a part of my company’s inbound/outbound third-party connections. Let’s go beyond the basics of connectivity.

• Apply statistical analysis to your API footprint. With the rate at which APIs are called and consumed, it would be extremely challenging to notice any low and slow attacks or data exfiltration attempts on your API services. Machine learning (ML) and artificial intelligence can come to the rescue here.

• Cloud Security Posture Management (CSPM) and Attack Surface Management (ASM) platforms call this out as a use case. You likely already have the data from what you have visibility into, now help me bring this space into security and compliance as well.

Key Insights

• Securing APIs is hard. You can still do everything right on your infrastructure and still overly expose yourself on the API front.

• API Security platforms are to APIs as Cloud Security Posture Management (CSPM) platforms are to the cloud. Can you operate without an API Security platform? Absolutely. Are the stakes getting higher with serverless applications and the proliferation of multi-cloud solutions? You bet. Consider this kind of solution to help you build it right from the beginning.

• This product market space is growing. The companies operating in this area are not all startups, but some of them have been around for a few years and branching out their offerings. This space is not quite on fire yet but is heating up.

• Bridge the developer divide. Developers often use multiple services and multiple clouds for testing and deployments. This makes using an API Gateway in one cloud not ideal from a security perspective. API Security platforms can be cloud-agnostic and be a unifying force for security teams and developers alike.

• Companies that already have an API gateway in place. Make sure you’re doing the basics of API hygiene to reduce your attack surface: limit HTTP verbs, use tried and tested frameworks, etc). An API Security platform is not the first place we would recommend spending your limited budget.

• Companies who are not doing the basics of application security (SAST, DAST, SCA, etc.) or who are not integrating all they can into the DevSecOps pipeline. These are hugely valuable basics to start with before moving on to a niche product space.

• Companies that do not yet understand where public/open APIs fit into their business model. OpenBanking and OpenAPI movements have driven companies to push APIs as a solution first and then ask what problem it solves later. If you’re here today, focus on basic API security hygiene and AppSec measures first.

Pro Positions

What type/size/stage company should leverage these platforms?

• Startups - This technology is not the highest and best use of your capital at this stage. You're far better off doing other basics of Application Security here. If you are a technology-focused startup and have the basics covered, move to more advanced API authentication components and consider the use of JWTs.

• Small and Medium-sized Businesses (SMBs) - Even at this size, it is still not a great use of your capital. You would be better served by getting a cloud-agnostic API Gateway like Mulesoft or Apigee. Continue also with Application Security basics and Web Application Penetration Testing (WAPT).

• Larger Companies - This would be a good addition to a well-established Application Security program and for an organization that already has a defined API strategy and API gateway architecture in place. In looking at a full security program, is this where I would tell you to spend your money? Still no, and I would recommend a CSPM product first, but if you’ve got the extra cycles or your core services are delivering a modern application stack, it’s worth considering as you evaluate your overall risk picture.

What makes one of these platforms “good?”

• Interoperability in the CI/CD pipeline and code deployment process can make or break a platform like this. It cannot just be something you run in production after the fact.

• Look for a platform that can help you measure your API footprint against conformance standards like OpenAPI specifications.

• These are “teaching platforms” in that they are designed like Application Security tools within the developer IDE to teach good practices from the beginning. Use this as an additive to a well-established AppSec program.

• Maybe the question should be, "Can you build secure APIs without a dedicated API Security platform?".

Out of the Players listed, who are the top to consider?

• Some of these players are more like a scalpel, so focus on the best tools that get you the most coverage of your use cases without overshadowing other security or DevOps domains.

• My top picks for this issue are: Aiculus, 42Crunch, and API Critique were the most interesting companies as a part of this review and would be the ones I’d want to see in live-action first.

References

• OWASP API Security - Top 10 | OWASP

• API Security Articles, News, Vulnerabilities & Best Practices

• em down Critical API security risks: 10 best practices

• What is API security?

• What is API security? How does it fit in your security program?

• How to Control API Security Risks

• What exactly IS an API?. Have you ever heard the word “API”… | by Perry Eising

• The Role of API Gateways in API Security

• The new rules for web app and API security

Thanks for reading this far!

This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer. At the time of writing this post, I have no active investments in any of the companies mentioned above.

If I missed something (or am just wrong), let me know!

If your company is looking to get more of a highlight, consider sponsoring the newsletter.