Today at least 90% of developers are using APIs in cloud-native web application development. According to new data collected by Forrester Research and presented in their report, Improve API Performance with a Sound API Security Strategy, 62 percent of IT decision makers believe the value they gain from APIs is worth the adoption process so long as their organizations are reviewing their API security strategies to ensure that security scales with the increased use of APIs in application development. Not surprisingly, organizations are finding out that their traditional security strategies are not sufficient. Forrester Research reports that 97 percent of IT decision makers are using new tools or processes to close the security gap and scale up their API security. What are these decision makers looking to get from their APIs and what does their API security strategy look like to meet the challenges that greater use of APIs creates?
From the business perspective, 55 percent of the IT decision makers surveyed for the Forrester report say that APIs help improve software quality; 47 percent claim APIs enable them to reuse more code; and 46 percent report that APIs help shorten application development cycle times. There are fewer defects per sprint and it’s easier to introduce new features into an application.
What about API security?
Forrester reports that companies are adopting multiple tools to ensure the security of their API strategy. Over 20 percent of all respondents are looking to adopt up to nine new tools to scale their API security strategy; the top four are service mesh, API management solutions, API gateways, and application microsegmentation.
Forrester reports that adoption of API security tools varies somewhat across geographies. Service mesh, API management solutions, and API gateways are most popular overall, with respondents in Japan showing a propensity for adopting application microsegmentation and distributed denial-of-service (DDoS) solutions. Japanese decision makers are also showing a higher interest in bot management than counterparts in the UK and US who are less interested in this customer-facing method of API security.
The principal benefit API security offers is classifying data and understanding the API footprint. Most decision makers are focused on scaling security for API adoption (78 percent), with another 70 percent committed to securing APIs like any other internet-connected app. Their chief complaint has been the complexity of their API security tools. Of the benefits they have seen or would expect to see from adopting an API security technology, 71 percent of decision makers value the ability to classify data transferred over APIs most, followed by the ability to easily meet regulatory and compliance requirements around APIs (66 percent), and the ability to reduce complexities around securing API usage (65 percent). Decision makers expect their API security solution not only to keep their company’s data safe within their APIs but also to reduce the complexity around API management, compensating for most development teams’ lack of knowledge of APIs. Also, with the safety of data and CX at stake, IT decision makers are ready for tools that provide both robust security and improved visibility.
Forrester offers three API Security recommendations
Make sure your API security solution can discover all the API endpoints.
Scaling capabilities are not the most critical feature of an API security strategy; it is important to remember that you cannot secure what you do not know about. You must create an accurate inventory of APIs while being mindful that they can easily be buried inside mobile apps or web apps, or even show up as asynchronous JavaScript and XML (AJAX) requests or webhooks. This inventory will not only help you define what you should be protecting, but it will also identify whether any APIs have accidentally been deployed into production.
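One way to build that inventory from what is actually running, as an added example that is not from the Forrester report or Imperva: parse a constructed set of access log lines, collapse per-record identifiers into path templates so repeated calls count as one endpoint, and diff the observed endpoints against the declared inventory (assumed here to come from an OpenAPI spec; the log format, the `DECLARED` set and all paths are made up for the example). Endpoints that appear in traffic but not in the inventory are the candidates for accidental production deployments, including webhook receivers.

```python
import re
from collections import defaultdict

# Constructed sample access log lines: method, path, Accept header.
# The Accept header is used as a rough signal for JSON/AJAX API traffic.
SAMPLE_LOG = """\
GET /api/v1/users/1042 application/json
GET /api/v1/users/1043 application/json
POST /api/v1/orders application/json
GET /static/app.js text/javascript
POST /hooks/github application/json
GET /api/v2/internal/debug/7f3a application/json
GET /index.html text/html
"""

# Declared inventory (assumed to be derived from an OpenAPI spec).
DECLARED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
}

# Numeric or hex path segments are treated as identifiers, so that
# /users/1042 and /users/1043 map to the same endpoint template.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{4,})$")


def templatize(path):
    """Replace identifier-looking segments with {id}."""
    return "/".join("{id}" if _ID_SEGMENT.match(p) else p for p in path.split("/"))


def observed_endpoints(log_text):
    """Return {(method, template): request count} for API-style (JSON) requests."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        method, path, accept = line.split()
        if accept != "application/json":
            continue  # skip static assets and page loads
        counts[(method, templatize(path))] += 1
    return dict(counts)


def undocumented(log_text, declared):
    """Endpoints seen in traffic but missing from the declared inventory."""
    return sorted(set(observed_endpoints(log_text)) - declared)


if __name__ == "__main__":
    for method, template in undocumented(SAMPLE_LOG, DECLARED):
        print(f"undocumented endpoint: {method} {template}")
```

The same diff run in the other direction (declared but never observed) flags inventory entries that are stale or unreachable.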
Secure APIs with a plan, not just want.
APIs are not only subject to the same code vulnerabilities as traditional web apps — they have more accessible endpoints, multipartner authors, and complex authentication and authorization — since API calls can come from a wide array of customers, partners, and applications. You must perform the same pre-release testing on API code, create tests specifically for identity data flow and trust-level issues, and layer on production protections.
Choose carefully when it comes to API security technology.
Given that securing APIs is complex, security professionals will require several tools such as pre-release testing, API management, traffic anomaly detection, service mesh, web application firewalls (WAFs), and bot management. Choose tools that work together wherever possible, or you will make an already complex problem unnecessarily difficult. Continue to push for alignment between developers and security professionals. Security professionals lack knowledge of what data APIs collect, where it is stored, and who has or should have access to it. Without this knowledge, security protections will be best effort at most. Only by sharing this data will APIs be secured and thus deployed confidently.
Understand exactly what is involved with API security
Be careful: an API gateway is not a fail-proof solution for protecting APIs from complex cybersecurity risks. For more about this critical point, read Lebin Cheng’s recent New Stack piece, Don’t Be Fooled: API Gateways Aren’t a Security Panacea.
You need to protect your APIs with a positive security model that detects vulnerabilities and shields from exploitation. Learn more about Imperva API Security.
To download the full Forrester Research report, Improve API Performance with a Sound API Security Strategy, click here.