From what used to be a purely technical concept created to make developers' lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere: at home and on mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing of the Internet of Things (IoT). The emerging era of Generative AI is likewise entirely dependent on APIs to integrate models with existing business applications.
Having followed the market for almost a decade, we have long recognized APIs as one of the most important IT trends. Rapidly growing demand for exposing and consuming APIs, which lets organizations create new business models and connect with partners and customers, has tipped the industry towards lightweight approaches such as representational state transfer (REST). APIs now power the delivery of digital products to partners and customers, and almost every software product or cloud service comes with a set of APIs for management, integration, monitoring, or a multitude of other purposes.
This evolution only continues to accelerate. As digital transformation initiatives emerge across industries, diverse business models are dramatically reshaping the technical requirements for API development and operations. The new standards, technologies, and development methodologies adopted to support these use cases have in turn added complexity to existing API management platforms.
REST APIs are still commonly used today, but they are increasingly augmented or displaced by alternative protocols and standards such as GraphQL or gRPC. The industry is evolving so fast that API management solutions in their traditional sense, such as standalone API gateways, can already be considered legacy products. Modern, loosely coupled cloud-native application architectures demand API management solutions that can handle complex traffic patterns and cope with ephemeral container-based infrastructures.
Unfortunately, many organizations still underestimate the security challenges of exposing their APIs without a security strategy and supporting infrastructure in place. Although organizations like OWASP do a lot to raise awareness of critical API risks with projects like the recently updated API Security Top 10, this sometimes has the opposite effect: the public tends to forget about the long tail of other problems that must be dealt with beyond this essential but by no means exhaustive list.
Multiple studies have estimated that APIs are already the biggest attack vector for web applications. Even that claim understates the problem, because it counts only web applications and leaves out the many other attack surfaces that the unchecked proliferation of APIs can expose: public clouds, distributed applications and microservices, mobile clients, and so on.
In a sense, API security has long since become an industry of its own; as the scope of risks and challenges the industry confronts keeps growing, API security solutions have to expand their coverage and grow in complexity themselves. Providing comprehensive protection against the broad range of API-specific threats, and doing so consistently throughout the whole lifecycle of an API, is complex. Understanding the business logic behind those APIs and adapting the protection accordingly is even more complicated.