Proliferating APIs expand attack surface for adversaries
First Analysis quarterly insights: Cybersecurity

by Howard Smith and Liam Moran

October 26, 2023

Application programming interfaces (APIs) are a critical building block of modern software whose use has surged in recent years, making the importance of APIs for web traffic today hard to overstate. As a result, APIs have become key targets for attackers.

Traditionally, entities have primarily used web application firewalls (WAFs) and API gateways to secure APIs from attackers. But while WAFs and gateways play crucial roles in security architectures, they have limits.

These limits have highlighted the need for new approaches to safeguard against advanced emerging threats and have led to a new generation of API security platforms. Generally, these solutions belong to one of three specialized areas: API security posture; API runtime security; and API security testing and secure development. We provide an overview of each of these three areas.

The API security market contains numerous competitors. We briefly profile 10 companies offering these newer API security approaches, usually as part of a broader security or enterprise software platform. We also provide more detailed profiles of six pure-play companies providing API security in the new areas.

Table of contents

Includes discussion of AKAM, AMZN, FFIV, FSLY, FTNT, MSFT, NET, RDWR and nine private companies

  • APIs are a critical building block of modern software
  • APIs' prevalence and centrality make them key targets for attackers
  • Web application firewalls and gateways are the traditional API security solution
  • Elevating API security in the modern landscape
  • API security posture platforms
  • API runtime security platforms
  • API security testing and secure development platforms
  • API security providers
  • Keeping the connectors safe
  • Cybersecurity index near one-year high
  • Cybersecurity M&A: Notable transactions include Splunk, Imperva and Contxt
  • Cybersecurity private placements: Notable transactions include OneTrust and Stamus Networks

APIs are a critical building block of modern software

An application programming interface is a set of defined rules that enable software applications to communicate with each other. APIs mediate data transfers between systems: a software user requests data in one application, which passes the request to an API. The API, in turn, retrieves the requested data from another source and returns it to the user. There are many types of APIs, and they are used in many ways and across many different data formats.

Web service APIs are the APIs most people use (indirectly) every day. Web service APIs accept hypertext transfer protocol (HTTP) requests, the protocol that governs how information travels on the web. Web service APIs expose the uniform resource identifiers (URIs) that provide access to specific resources in databases. These requests may carry data formatted in XML (extensible markup language, used to store and transfer data in a relatively user-friendly format) or JSON (JavaScript object notation, another easily understandable format often used to send data from a server to a web page). A server might respond with HTML (hypertext markup language, which structures how web content should behave), XML or JSON data, which web browsers and other applications can process. Other conventions used with web service APIs include SOAP (simple object access protocol, an XML-based protocol for exchanging structured data) and REST (representational state transfer, an architectural style that defines a set of constraints for creating web services). An API built on REST is known as a RESTful API.
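To make the request-to-API-to-data-source-to-response flow described above concrete, here is a small added example (not code from the First Analysis report) of a web service API handler: a client names a URI and an HTTP method, the handler looks the resource up in a backing store, and the answer is rendered as JSON or XML depending on the request's Accept header. The `/users` resource, the in-memory store standing in for the "other source", and the request shape (method, path, headers, body) are all assumptions made for the illustration. Because an exposed API is also an exposed attack surface, the handler rejects what it does not explicitly expect: unknown URIs, unsupported methods, malformed JSON and fields the client is not allowed to write.

```python
"""
Minimal web-service API handler in the style the article describes. Added
example; not code from the First Analysis report. The /users resource, the
request shape and the in-memory "database" are assumptions made here.
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed backing store standing in for the "other source" an API reads from.
USERS: Dict[int, Dict[str, str]] = {
    1: {"name": "Ada", "role": "admin"},
    2: {"name": "Bob", "role": "viewer"},
}

# Only these fields may be written by a client; anything else (e.g. "role")
# is rejected rather than silently passed through to the store.
WRITABLE_FIELDS = {"name"}

# The one URI pattern this API exposes; the strict regex keeps path tricks
# such as "/users/1/../2" from matching at all.
USER_PATH = re.compile(r"^/users/(\d{1,9})$")


def to_xml(tag: str, record: dict) -> str:
    """Serialize a flat record as an XML document (no declaration)."""
    root = ET.Element(tag)
    for key, value in record.items():
        ET.SubElement(root, key).text = str(value)
    return ET.tostring(root, encoding="unicode")


def render(status: int, record: dict, accept: str) -> Tuple[int, str, str]:
    """Render a record as JSON (default) or XML, per the Accept header."""
    if "application/xml" in accept:
        return status, "application/xml", to_xml("response", record)
    return status, "application/json", json.dumps(record)


def handle_request(method: str, path: str, headers: Dict[str, str],
                   body: Optional[str] = None) -> Tuple[int, str, str]:
    """Route one HTTP request to a resource; returns (status, content_type, body)."""
    accept = headers.get("Accept", "application/json")
    match = USER_PATH.match(path)
    if match is None:
        return render(404, {"error": "unknown resource"}, accept)
    user_id = int(match.group(1))

    if method == "GET":
        user = USERS.get(user_id)
        if user is None:
            return render(404, {"error": "no such user"}, accept)
        return render(200, {"id": user_id, **user}, accept)

    if method == "PUT":
        if headers.get("Content-Type") != "application/json":
            return render(415, {"error": "expected application/json"}, accept)
        try:
            update = json.loads(body or "")
        except json.JSONDecodeError:
            return render(400, {"error": "malformed JSON"}, accept)
        if not isinstance(update, dict) or not update:
            return render(400, {"error": "body must be a non-empty object"}, accept)
        unknown = set(update) - WRITABLE_FIELDS
        if unknown:
            return render(400, {"error": "unwritable fields",
                                "fields": sorted(unknown)}, accept)
        if user_id not in USERS:
            return render(404, {"error": "no such user"}, accept)
        USERS[user_id].update({k: str(v) for k, v in update.items()})
        return render(200, {"id": user_id, **USERS[user_id]}, accept)

    return render(405, {"error": "method not allowed"}, accept)


if __name__ == "__main__":
    print(handle_request("GET", "/users/1", {}))
    print(handle_request("GET", "/users/2", {"Accept": "application/xml"}))
    print(handle_request("PUT", "/users/1", {"Content-Type": "application/json"},
                         '{"role": "admin"}'))
```

The design point is that every branch the client can reach is enumerated: the URI pattern, the accepted methods, the accepted content type and the writable fields are whitelists, so a request outside them gets an explicit 4xx rather than reaching the data store.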

Other types of APIs include open APIs, which are public APIs accessible to everyone; partner APIs, which can only be accessed by designated developers; internal APIs, also known as private APIs, which are only exposed by internal systems of an organization; and composite APIs, which combine different data and service APIs that perform sequences of tasks.




Request other recent cybersecurity reports

RSA 2023 and Q2 highlights: Key insights and takeaways - July 5, 2023

Public players grew faster again in 2022, but guiding for a slowdown - April 4, 2023

Authentication tech: Secure or user friendly? Increasingly both - January 13, 2023


Novisa M. Petrusich

Software Investor | Founder

1 yr

Louis Bobelis check it out

Julia Moran

Private Equity Associate at Court Square Capital

1 yr

Great report!

Rick Conklin

Managing Director at First Analysis

1 yr

Excellent work by my colleagues Howard Smith and Liam Moran.

Ann Moran, MBA

Helping HVAC Mechanical Contracting Owners Transition with Confidence | Partner Focused on Preserving Your Legacy, Team, and Customer Relationships | Owner Operator with 2 Exits

1 yr

Nice Liam and First Analysis!
