1 Introduction / Executive Summary

From what used to be a purely technical concept created to make developers’ lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere — at home and in mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing about the Internet of Things (IoT). The emerging era of Generative AI is also entirely dependent on APIs to implement integrations with existing business applications.

Having followed the market for almost a decade, we have long recognized APIs as one of the most important IT trends. Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting lightweight approaches like representational state transfer (REST). APIs are now powering the logistics of delivering digital products to partners and customers. Almost every software product or cloud service now comes with a set of APIs for management, integration, monitoring, or a multitude of other purposes.

This evolution only continues to accelerate. As new digital transformation initiatives across various industries emerge, diverse business models are reshaping the technical requirements for API development and operations dramatically. New standards, technologies, and development methodologies introduced by the need to support numerous use cases have also introduced additional complexity to existing API management platforms.

REST APIs are still commonly used today, but they are increasingly augmented or displaced with a variety of alternative protocols and standards, such as GraphQL or gRPC. In fact, the industry is evolving so fast that API management solutions in their traditional sense, like API gateways, can already be considered IT legacy products. Modern, loosely coupled cloud-native application architectures demand API management solutions that can handle complicated traffic patterns and deal with ephemeral container-based infrastructures.

Figure 1: The API challenges organizations are facing

Unfortunately, many organizations still tend to underestimate the potential security challenges of exposing their APIs without a security strategy and infrastructure in place. Although organizations like OWASP are doing a lot to promote the awareness of critical API risks with projects like the recently updated API Security Top 10, this sometimes has an opposite effect – the public tends to forget about the long tail of other problems they have to deal with beyond this essential but definitely not exhaustive list.

Multiple studies have estimated that APIs are already the biggest attack vector for web applications. However, this claim does not even include numerous other potential attack vectors the unchecked proliferation of APIs can expose, including public clouds, distributed applications and microservices, mobile clients, and so on.

Figure 2: API complexity explosion

In a sense, API security has long become an industry of its own; with the scope of risks and challenges the industry confronts growing exponentially, API security solutions have to expand their coverage and grow in complexity themselves. Providing comprehensive protection against the broad range of API-specific threats and doing it consistently throughout the whole lifecycle of an API is complex. Understanding the business logic behind those APIs and adapting the protection accordingly is even more complicated.

Our approach is to emphasize the growing prevalence of API security solutions over traditional (some might say “old school”) API management products. This report covers the current state of the API security and management market.

1.1 Highlights

• Both API management and API security markets experienced strong growth in recent years, driven by massive increase in API adoption across all industries combined with an ongoing pressure of security and compliance risks that these APIs are exposed to.
• The tempo of API evolution continues to increase, with multiple standards, protocols and architectures emerging, expanding the scope beyond just the traditional REST APIs to include GraphQL, gRPC and even asynchronous protocols, such as Kafka or MQTT, that were previously not even considered APIs.
• API security has long become an industry of its own; with the scope of risks and challenges the industry confronts growing exponentially, API security solutions must expand their coverage and grow in complexity themselves.
• Fueled by widely publicized large-scale data breaches and new compliance regulations in various industries, the overall awareness of API security risks and challenges continues to rise. Pure play API security vendors that reach $1B market valuation are a reality now.
• Market consolidation through acquisitions continues, with not just smaller boutique vendors being incorporated into larger portfolios, but major market leaders as well.
• API discovery and security monitoring solutions continue to be the most popular class of products offered on the API security market, but solutions addressing other phases of the API lifecycle are growing in popularity.
• The notion of “shifting left” can be considered the latest buzzword in the market, with multiple vendors now expanding their portfolios to include API testing solutions. Still, the level of integration of these tools into the existing security and management platforms varies dramatically.
• The Overall Leaders in API Security and Management are (in alphabetical order): 42Crunch, Akamai, Axway, Broadcom, Cequence Security, Curity, Data Theorem, Forum Systems, Google Apigee, Gravitee, Imperva, Noname Security, Red Hat, Salt Security, Sensedia, and WSO2.