1 Introduction / Executive Summary
From what used to be a purely technical concept created to make developers' lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere: in homes and in mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing of the Internet of Things.
As companies are struggling to maintain their business agility, to react to the ever-changing market demands and technology landscapes, the need to deliver a new application or service to customers as quickly as possible often trumps all other considerations. Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting lightweight RESTful APIs, which are commonly used today.
The rapid adoption of REST APIs also coincided with the exponential growth of cloud computing and mobile device proliferation, where they were the perfect medium to enable integrations between these heterogeneous systems and facilitate data exchange on a massive scale. In a world where digital information is one of the "crown jewels" of many modern businesses (and even the primary source of revenue for some), APIs are now powering the logistics of delivering digital products to partners and customers. Almost every software product or cloud service now comes with a set of APIs for management, integration, monitoring, or a multitude of other purposes.
When the previous edition of our Leadership Compass was published in 2019, our research indicated the growing awareness of the critical role of security in API management solutions, representing a massive change since our first edition back in 2015. Fast forward 18 months and we can clearly see that the tempo of the API market evolution is only increasing.
Perhaps the most notable trend is the rapid expansion of the scope of both modern API management and API security solutions. Nowadays, API gateways for publishing REST API endpoints can certainly already be considered "legacy products". New API technologies, like GraphQL or gRPC, have grown from research projects into widely adopted solutions for specific use cases, where they provide much better flexibility or performance than REST APIs. Modern loosely coupled cloud-native application architectures demand API management solutions that can handle complicated traffic patterns and deal with ephemeral container-based infrastructures.
These trends not only reshape the basic capabilities of modern API management platforms (for example, enforcing API quotas with rate limiting simply does not work for GraphQL APIs, where requests to the same endpoint can vary in size and complexity), they redefine the scope of API security solutions as well. In a sense, we can already observe the same developments within API security that we've seen on a larger scale for cybersecurity as a whole: with too many different types of infrastructure that need protecting, the overall complexity of security solutions grows exponentially.
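An added illustration of the GraphQL point above (not part of the original report): the same batch of constructed queries is run against a request-count quota and a cost-based quota. The cost model, the `first:` page-size argument, and all names and limits are assumptions made for this sketch; a real gateway would use the server's own GraphQL parser.

```python
import re

# Constructed sample queries; both would be POSTed to the same /graphql endpoint.
CHEAP = "{ viewer { name } }"
EXPENSIVE = """{ users(first: 100) { name
  orders(first: 50) { id items(first: 20) { sku price } } } }"""

TOKEN = re.compile(r"[{}()]|[A-Za-z_]\w*|\d+")

def query_cost(query):
    """Assumed cost model: one point per field per parent object, where a
    list field's `first: N` argument multiplies everything nested under it."""
    tokens = TOKEN.findall(query)
    stack, pending, cost, i = [1], 1, 0, 0   # stack: multiplier per nesting level
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            stack.append(stack[-1] * pending)
            pending = 1
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        elif tok == "(":                      # scan arguments for `first: N`
            i += 1
            while i < len(tokens) and tokens[i] != ")":
                if tokens[i] == "first" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                    pending = int(tokens[i + 1])
                i += 1
        elif len(stack) > 1 and not tok.isdigit():   # a field inside a selection set
            cost += stack[-1]
            pending = 1
        i += 1
    return cost

class Quota:
    """Per-client quota for one window; charge() refuses once the limit is hit."""
    def __init__(self, limit):
        self.limit, self.used = limit, 0
    def charge(self, amount):
        if self.used + amount > self.limit:
            return False
        self.used += amount
        return True

def compare(queries, request_limit=10, cost_limit=1000):
    """Return (admitted, backend cost) under a request-count and a cost quota."""
    by_count, by_cost = Quota(request_limit), Quota(cost_limit)
    a = [q for q in queries if by_count.charge(1)]
    b = [q for q in queries if by_cost.charge(query_cost(q))]
    return (len(a), sum(map(query_cost, a))), (len(b), sum(map(query_cost, b)))

if __name__ == "__main__":
    print(compare([CHEAP] * 5 + [EXPENSIVE] * 5))
```

With five cheap and five expensive queries, the request-count quota admits all ten, while the cost quota admits only the five cheap ones.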
Some vendors are already promoting alternative approaches towards API security, which are more data-centric and proactive in nature than traditional infrastructure monitoring and security analytics. This might sound controversial, but one potential scenario for the future development of the API security market is that it will evolve into multiple specialized types of security capabilities which will be integrated with other existing areas of cybersecurity – for example, into XDR security analytics platforms or integrated data protection or application security solutions.
Because of these ongoing developments, some of the ratings presented in this Leadership Compass might deviate somewhat from the previous edition. This by no means indicates that some of the solutions covered in our rating have suddenly become less functionally capable – it is the market that has evolved, and some of the existing capabilities simply no longer align with the modern requirements. We will, of course, continue to follow the latest developments in the field of API security in our future publications as well.
In the meantime, our general recommendation for customers remains the same: neither API management nor API security should be considered a standalone, isolated component of your IT infrastructure. On the contrary, choosing the right product should be a part of a comprehensive strategy that covers such aspects as application development and operations, data protection, and regulatory compliance.
Only by combining proactive application security measures for developers with continuous activity monitoring and deep API-specific threat analysis for operations teams, and smart, risk-based, and actionable automation for security analysts, can one ensure consistent management, governance, and security of corporate APIs and thus the continuity of the business processes that depend on them.
1.1 Highlights
- Both API management and API security market segments continue to evolve and grow, driven by a massive increase in API adoption, as well as by the ongoing pressure of the security and compliance risks that APIs are exposed to.
- The tempo of the API evolution continues to increase, with multiple new standards, protocols and architectures emerging, expanding the scope for API management solutions beyond just the traditional REST APIs.
- Fueled by widely publicized large-scale data breaches and new compliance regulations in various industries, the overall awareness of API security risks and challenges continues to rise.
- With standard API management capabilities quickly becoming a commodity, vendors specializing in these solutions are focusing on increasing their functional coverage to address new business requirements, involve new stakeholders, and improve productivity for developers.
- Some vendors no longer consider API management a standalone market, offering these functions as a part of larger enterprise integration platforms.
- API discovery and security monitoring solutions continue to be the most popular class of products offered on the API security market, but solutions addressing other phases of the API lifecycle are growing in popularity.
- The market consolidation trend continues, with larger established vendors acquiring small innovative startups, integrating their technologies into more comprehensive, unified security platforms.
- The notion of data-centric security that incorporates API security as one of the major layers in an integrated, layered architecture is emerging, with several vendors already offering such integrated platforms.
- The overall leaders in the API management and security market are (in alphabetical order): 42Crunch, Axway, Broadcom, Curity, Forum Systems, Google Apigee, Imperva, Red Hat, Sensedia, and WSO2.