API Management & Security Market: Challenges, Solutions, Future Trends
Looking at the title of the presentation, I would say it's a little bit clickbaity. I was not the person that came up with the title. So if you are expecting an easy answer to that question, I don't have it, unfortunately. What I do have is, hopefully, useful recommendations on how to even approach API security, for lack of a better word, holistically, to understand its true scope and complexity, and of course how to find the right tools to solve those challenges.
So our agenda basically focuses on, first of all, kind of asking and maybe answering the question: why are we even using APIs nowadays, and what for? Then understanding why API security has become so complicated. Then kind of looking at the Leadership Compass we have recently published. A Leadership Compass, just to remind you, is our company KuppingerCole's way to assess a whole segment of the security market, for example, or any other market. In this particular case, our Leadership Compass is titled API Management and Security.
And again, I would like to emphasize that, to me, management and security of APIs are no longer two separate disciplines. They're basically two sides of the same coin. We maintain this title mostly for historical reasons; it might change in the future, just like the whole industry might change in the future, and I will be talking about that as well. And finally, yeah, we'll be talking about the future and how to start preparing for it today.
So what is an API, in case somebody has forgotten or never bothered to check? API means application programming interface, and it all started like 60 years ago with a simple idea: that applications have to communicate in an easy and standardized way. And from there it picked up momentum when computer networks appeared, where APIs helped communicate between network nodes and to build service-oriented architectures within large enterprises. With the emergence of the cloud, APIs have been used as a vehicle to perform data exchange between providers, applications, businesses.
And finally, I believe it was in 2017 when Forbes, a very well-known journal, decided they had to proclaim that year the year of the API economy. Basically, this was the time when businesses started making a lot of money with APIs and everyone started noticing the trend. Companies like Google, Facebook, Amazon, and a lot of others in financial, healthcare, retail, or other industries basically turned APIs into their product. So they started earning money not with physical goods, but with APIs.
And unfortunately, it was not until 2019 when a relatively small company called KuppingerCole decided to proclaim that year the year of API security. Why? Because we have been following this topic, as I mentioned, for quite a few years, I believe almost for 10 years now. And when I started looking at this market, well, there were no API security vendors at all. I think the first one I've met in person was one company, which for marketing reasons I won't name. But back then it was like the only company in the world that officially called themselves an API security vendor.
In 2015, we published our first release of that Leadership Compass. In August 2021, we published the third one, and we had 30 vendors in that Leadership Compass, basically all of them claiming to have at least some substantial API security capabilities. So obviously the market is developing rapidly, and I believe it's developing so rapidly that we have kind of a singularity in the future, because it can continue growing in separate, totally different directions, which would definitely influence the way we have to plan for that singularity in the future. Yeah.
So what are APIs used for? In the era before cloud, as I mentioned, they were just basically tools for programmers to make software development easier. With the emergence of the cloud and whatever, Web 2.0, just the profitable digital economy, APIs became a massive vehicle, the means to perform digital logistics: to move data, to move products based on data between companies, between businesses. And just recently, APIs are basically everywhere. They power our mobile phones, our home tools, smart devices, fridges, washing machines, TVs, whatever. They of course power the Internet of Things.
Any cloud is basically Linux machines connected with APIs, with a billing interface on top. So yes, kind of, APIs are a big deal nowadays. They're so big, in fact, that API-first has become the fundamental strategy. Everything now has an API, and whole industries now depend on having an API. And in fact, recent surveys show that 90% of all web traffic is in fact API traffic. And this is not even counting the non-web traffic, because you can disagree on what exactly defines an API.
For example, all those IoT protocols like MQTT are technically non-web protocols, but they're just as much APIs as anything else. And finally, only 6% of polled companies have actually said that they had no API security issues whatsoever. The majority did. And even of those 6%, a substantial part probably just never knew they had an API security issue. And in fact, what we see now is that the API definition evolves as well. For 10 years or so, we were basically talking about APIs and meaning RESTful APIs: easy, no fuss, no security built in, a thing to connect any loosely coupled applications.
Nowadays we have, as I mentioned, MQTT, we have GraphQL, we have RPC, we have other emerging standards which are very much incompatible with each other. They imply totally different programming models, totally different security models. So basically API management is becoming complicated. It's becoming disjointed, fragmented, and the same applies to API security. What do we do?
Where do we continue from here? Well, the most important thing, and I think it was already discussed in the previous presentation, is to understand that API management is actually not about managing APIs anymore. API management is just a vehicle to make your business digital. It's the set of technologies, processes, and business requirements that enable you to earn money with data.
And this is exactly how you have to understand it, how you have to view it. It's a continuously changing environment. It's a circular process where you continue to design, develop, test, change, redesign, redevelop, retest and redeploy your APIs. And of course there are always new threats emerging, and you have to continue to fight new threats. Usually, quite a lot of people, when we talk about API security with them, start with the OWASP API Top 10. It's basically a highly publicized list of the most critical security issues most companies face when exposing their APIs. We cannot, we absolutely cannot disagree. This list is extremely important, and this list does indeed outline the most critical technology problems with APIs.
However, the scope of API security is by no means limited to this list. And in fact, when you even start thinking about API security, you have to start much less technical and from a much higher strategic or overview level, if you will. Your questions about API security have to be like: do I even know how many APIs I have? How do I balance the requirements of my business units to publish that API as fast as possible versus the requirements of my IT department to ensure GDPR compliance? And finally, how do I even teach my developers to think about API security at all?
And in fact, this is the picture we've been recently using in our Leadership Compass, for example, just kind of a rough overview of what you actually have to think about when you think about API security. You always start with discovery and classification. So you have to know what you have, even if those APIs aren't even yours at all, maybe third-party or external. You have to ensure proper access control and governance. Of course, you have to ensure that the data that flows through the API is valid, that it doesn't incorporate logic bombs or SQL injections or whatever.
You have to protect your APIs from threats, obviously: malware, DDoS, bots. You have to ensure that the data is confidential, so the traffic is always encrypted. And of course, you have to know what's going on, so you have to apply some kind of monitoring, anomaly detection and incident response. And with that, kind of, I would like to talk a little bit more about technicalities, meaning what we have covered in our Leadership Compass.
Usually we identify up to eight specific technological areas where we have to basically think about what is relevant, or from our point of view, which capabilities we believe are relevant for API security. Unfortunately, as you can see, there are actually many more, which we have omitted, right? Kind of, to encapsulate into these eight. But basically it all starts with API lifecycle management,
meaning you have to understand your API from the moment before inception, the planning stage, that OpenAPI schema which was talked about earlier, and you continue through vulnerability management, deployment, analytics, developer tools, threat protection, and so on, all the way to the moment when you have to actually retire the API and replace it with a new one. And of course, the last but by no means least one is ensuring continuous availability at scale and performance.
As usual, we cover four separate categories of leadership in our Leadership Compasses. As opposed to some other competing research formats, we do try to identify which companies actually manage to cram the most capabilities into their solutions versus the companies which might not be as efficient in technology, but in marketing and sales, so they would be the market leaders. And finally, we always love to highlight innovation leaders.
They might be small, agile startups with just one single idea, but this idea is so great that it will probably influence the future development of the market in the next five or 10 years. And of course, overall leadership is just a weighted combination of the three. And these are the companies we have covered in our rating. As I mentioned, we had a total of 30 companies; 19 of those actually ended up in our final rating. And as you can see, there are some massive veteran vendors like Google with the Apigee solution, or Red Hat 3scale, or Broadcom, which now owns the Layer7 brand.
And those are companies that have been doing API management for probably 20 years or something like that. And of course, we were looking at them holistically, how their management and security works. Some companies actually technically have nothing to do with API security at all, for example, Curity or Cloudentity, or even Ping; you would probably recognize them as companies focusing on access management.
But as you can realize, access management is probably like number one in API security, because if you don't care who can access your API, why bother with the rest? And finally, we have a number of those startups I mentioned, including of course 42Crunch, which you have just seen in the previous presentation, as well as some other companies like Salt or Spherical Defense or Traceable, or even one which of course is by no means a startup, but they are only kind of getting into the whole API security market since probably a year or something like that.
Some other companies were either unavailable for comment, or we just had to mention them anyway, even though, for example, all of the four major cloud service providers I listed here would never bother participating in an API security analysis report. They all have API management and security tools in place, and those are available as kind of a commodity which you get almost for free. So for some companies, even those capabilities might be good enough. So as I mentioned, in total we have 30 companies, and without further ado, here are the overall leaders.
And again, the most interesting thing I can observe here myself, yeah, is that we have a mix of leaders. Obviously far in front of the pack are Google and Broadcom, which are basically the biggest providers of API management platforms with pretty substantial security capabilities.
But behind them we have, again, companies like Forum Systems, which is only doing API security, and it's been doing it for over 20 years, and it's been doing it the way with hardware appliances. But they are an example of vendors solving one problem only, but solving it so well that it earns recognition. And behind them we can see companies like 42Crunch. Again, they're only solving one problem within this broad scope of API security, but they're doing it so well,
and in such an innovative way, if you will, because the whole idea of proactive API security is really kind of only getting traction now, and they were one of the first pioneers in that area. So you can see even Curity, which is technically again kind of not an API security vendor at all, scored high enough to be recognized as a leader. Product leaders:
I don't have to kind of go through each of the vendors specifically, but I want to mention that those we primarily recognized as leaders are those large vendors with highly integrated API management or other API lifecycle management platforms, or those highly specialized but sophisticated and innovative security vendors. Innovation leaders: again, kind of, we were looking for some groundbreaking technologies or innovative approaches or specific architectures, or even kind of a simply simple and easily consumable way to package an existing solution,
something which nobody else has. And again, we really don't have time to go through all the details. The report is of course available for all the interested people, and we are always available for questions. And of course, market leaders, probably no surprises here. Google is the leader; Red Hat, Broadcom, all the large vendors are up there.
You could probably see that some of those leaders do not directly correspond to the quality of their API security portfolios, which is fine, I guess, because they can compensate for the lack of some specialized features with just kind of strong coverage in other areas as well. Rating at a glance; I don't have to stop on that at all.
Just kind of to show you that we provide quite a lot of tiny details to consider, to understand how specific capabilities and specific vendors fit into your requirements, into your industry, geography, business goal, whatever. One key message we always communicate: the Leadership Compass does not give you a one-size-fits-all answer of which vendor is the best. You always have to look into specific capabilities and how they map to your requirements.
And finally, just an example of all those eight functional areas we have identified and how, for every vendor, we provide some kind of a spider diagram showing how well that vendor addresses those capabilities. This is just an example for the market leader, I mean the overall leader, but as you can see, even the best one doesn't actually have a hundred percent coverage in all areas. Finally, what about the future? The future is dark.
As I mentioned, there are some major trends and challenges we observe at the moment which can significantly change the course of this market's development. First of all, as I mentioned, the API itself is evolving. There are totally new types of APIs which simply cannot be covered by existing solutions. Basic monitoring and reactive response alone just doesn't work anymore. And I think it was addressed for other markets as well
in earlier presentations: you cannot keep up with the threats, because you have to run as fast as possible just to stay where you are, and if you want to get somewhere, you have to run twice as fast. This all leads to cost and complexity increasing in a way that you just can no longer maintain the desired level of security at the scale you have, especially in the cloud. Excuse me. So how do you even start addressing all those challenges?
Well, first of all, you have to give in to the idea of API security by design. You have to start securing your APIs before you start developing your APIs. All those OpenAPI schemas are just one step, but again, it all starts at the design stage. You have to secure the entire lifecycle. Shifting left is great, but you have to shift right, middle, up, down, in all the other directions as well. You have to be proactive. You have to be automated, because if there is always a human involved in every decision, it doesn't scale. Humans have to define policies, not make decisions.
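One concrete way to put "secure your APIs before you develop them" into practice, as an added example (this is not the speaker's or KuppingerCole's code, and it is not tied to any vendor's product): a small design-time lint over an OpenAPI 3 document. It checks the same areas the talk lists, access control on every operation, constrained schemas for the data that flows through the API, and encrypted transport, so that a gap is caught at the schema stage and can be turned into a policy that runs automatically in the build rather than a decision a human makes per API. The sample spec, its operation names and hostnames are all constructed for the example.

```python
"""Design-time security lint for an OpenAPI 3 document (added example).

Run it against a spec in CI: each finding is a design gap that would
otherwise surface later as an access-control or input-validation issue.
"""
from typing import List

# Constructed sample spec (hypothetical service, not a real API).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test/v1"}],   # plain HTTP: flagged
    "security": [],                                       # no global requirement
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {
            "get": {
                "operationId": "getUser",
                "security": [{"bearer": []}],
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "integer", "minimum": 1}}],
            },
            "delete": {
                "operationId": "deleteUser",              # no security: flagged
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "string"}}],  # unbounded: flagged
            },
        },
        "/search": {
            "post": {
                "operationId": "search",
                "security": [{"bearer": []}],
                "requestBody": {"content": {"application/json": {
                    "schema": {"type": "object"}}}},      # accepts anything: flagged
            }
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def schema_is_constrained(schema: dict) -> bool:
    """True when the schema actually bounds its input.

    Strings need a length/pattern/enum/format, numbers a min or max, objects
    an explicit property list with additionalProperties disabled, arrays an
    item schema and a maxItems. A $ref is accepted here; the referenced
    schema is checked where it is defined.
    """
    t = schema.get("type")
    if t == "string":
        return any(k in schema for k in ("maxLength", "pattern", "enum", "format"))
    if t in ("integer", "number"):
        return any(k in schema for k in ("minimum", "maximum", "enum"))
    if t == "object":
        return "properties" in schema and schema.get("additionalProperties") is False
    if t == "array":
        return "items" in schema and "maxItems" in schema
    return "$ref" in schema


def lint_spec(spec: dict) -> List[str]:
    """Return one human-readable finding per design gap found in the spec."""
    findings: List[str] = []

    # Confidentiality: every server entry must be HTTPS.
    for server in spec.get("servers", []):
        url = server.get("url", "")
        if not url.startswith("https://"):
            findings.append(f"server {url!r}: not HTTPS")

    global_sec = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters" or "summary"
            op_id = op.get("operationId", f"{method.upper()} {path}")

            # Access control: operation-level security overrides the global one;
            # an empty list (intentionally public) is still reported for review.
            if not op.get("security", global_sec):
                findings.append(f"{op_id}: no security requirement")

            # Input validation: parameters and request bodies need bounded schemas.
            for p in op.get("parameters", []) + item.get("parameters", []):
                if not schema_is_constrained(p.get("schema", {})):
                    findings.append(f"{op_id}: parameter {p.get('name')!r} lacks constraints")
            for ctype, media in op.get("requestBody", {}).get("content", {}).items():
                if not schema_is_constrained(media.get("schema", {})):
                    findings.append(f"{op_id}: request body {ctype} lacks constraints")
    return findings


if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC):
        print(finding)
```

On the constructed spec the lint reports the plain-HTTP server, the unauthenticated `deleteUser` operation, its unbounded string `id` parameter, and the `search` body that accepts any object; `getUser` passes because it requires a bearer token and bounds its integer parameter. The checks are deliberately strict (an explicitly public operation is still listed) so that exceptions are made as reviewed policy rather than silently.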
And finally, there is no one solution. On the one hand, you cannot just go and buy a one-stop turnkey solution for everything; you have to design your own API security fabric. And this is where we can help you with our guidance, research and other publications. For example, here, besides the Leadership Compass itself, I would like to mention the Buyer's Compass, which helps you to ask the right questions to the vendor. And of course, some white papers and other publications. Thank you.