Hello, and welcome to another cooking call webinar. My name is Alexei Balaganski. I'm a lead Analyst at co call and our topic for today is the market Ovu for API management and security solutions. So before we begin, let me just give a quick shout out to my colleagues at our call events department, because there will be a really interesting event happening in Berlin. This November, our cybersecurity leadership summit, among other topics we discussed over API security will be definitely present and I will actually be there presenting and moderating the whole thing. So looking forward to seeing you either physically in the, or if you cannot attend in person, join online because our event will be hybrid and attending virtually is actually not that difficult at all. So CEO in the, in November, just as usual, a little bit on housekeeping. So we are controlling the audio feeds for this webinar.
You don't have to worry about it. Everyone is muted except myself. We are recording the webinar, the video, and the slides will be published on our website, probably knowledge on Monday, and everyone will get an email with the link to download them. We'll be showing a quick poll in a minute. So I urge you to give your answer to our question and we will discuss the findings by the end of the webinar. And of course we will have enough time for your questions. And of typically we do it in the end, but this time I encourage you to submit your questions anytime, and I will pick them up during the presentation.
So please activate our poll. Just one question. Does your organization have a clearly established API strategy already? So we'll have about 30 seconds to give you answer or just wait a little bit. Oh, well, well thank you very much for your reply. And I already can see that the results are not particularly encouraging, and again, we will discuss the exact numbers later, but I really hope that this webinar will at least help you a little bit to merge your management and your company in general, to towards finally establishing a proper strategy with regards to your API's internal or external. So without let's just start with the webinar I would generally for today is pretty simple. First, I will talk a little bit about the theory, what APIs are, what happened with them over the last years? And then we transition towards understanding what keeping a core leadership compass is.
What exactly do we measure and how do we evaluate the vendors in the products? And then of course, we will look at the results and the findings, and I will explain who are the leaders and why, what you should be looking for, if you want to apply those findings towards your specific business. And I will give you some summary and maybe a little bit of prediction for the next years. So, first of all, we'll just quickly remind that API simply means application programing interface. And until recently it was just a pretty obscure technical term, only software developers were caring about. And in fact, there were absolutely nothing new about APIs because they appeared almost as soon as the software for programmable computers. Because as soon as you have more than one piece of software running on a single computer, even those two pieces of software have to communicate and they have to communicate in a more or less standard way.
And one of those ideas was that they have to exchange messages and those messages have to have a relatively standardized format so that a software developed by different developer could actually understand what the other piece is asking for in the nineties with the widespread adoption of computer networks, of course, APIs became distributed. So now you could call a different application over the network and then came the internet. So APIs became a useful tool for enterprise architectures where multiple software applications or services would just kind of listen to a common message bar and exchange information over it, talking to each other, sending different business data and so on. And finally, in the low or in the early two thousands, you've got the cloud, approximately 2006, 2006, the first public cloud emerge. And of course, as soon as you have the cloud, you have a standardized interface for software to consume those cloud services.
And of course they were powered by press APIs, press APIs are extremely simple. They do not require the strongly typed and serious considerations for during the design phase. You just create one URL and you can listen to the URL and you read the bits, a different application of sending you and basically your API is done. So recipes were adopted extremely quickly when they be for the next decade. They become of the most DEFAC used standard for exchanging business data. So for some companies like Google or Facebook or apple APIs basically became the primary logistics to deliver their digital goods. And of course of the same applies towards all the major public cloud providers. So nowadays we are talking about API economy, a hugely exclusively growing and booming industry where you turn your valuable data into a product digital product, and you use APIs to deliver the product to a consumer.
So back in 2017, the Phillip magazine has proclaimed 2017, the year of the API economy. And I believe it was only in 2019 or, or something like that where people have finally started to seriously talk about API security. Why simply because they were tired of during hugely publicized and large scale data breaches caused by incorrectly configured or improperly secured APIs. So over that time, we have been absorbing the API management and security industry here at co coal. I believe we started around 2015 where we published the first version of our dealership compass on this topic. And the last one was published of course earlier this year. And believe me a lot has changed while six years or something. And I assure you that a lot more will change over the next years. So I might be even talking about kind of API singularity in the near future, because the way it, the market is developing can lead to potentially absolutely different ways it'll develop in the future.
But again, we will focus on those developments later in this webinar. Well, now we are talking about APIs. We have to remember that an API is not a product in a way that you just sell it once, get paid once and then enjoy your earnings and API evolves and API under undergo a life cycle because you have constantly changing business requirements. You have new technologies, new threats, and we have to design and redesign and update and expand our APIs. We have to invest additional development and testing into it. We have to redeploy and monitor, and of course, secure API, as long as it's been used and sooner or later, maybe years later, it'll be finally retired and replaced with a better, bigger and more interested API, perhaps in this API lifecycle or either complicated living process, which involves multiple stakeholders, not just the developers or operations teams.
And this lifecycle has to be covered ideally by a unified single API lifecycle management platform, if you will. And this is exactly what we are actually dealing with when we use the term API management. So for a decade, or maybe even more, an API management platform is no longer just a tool to publish and monetize your API. It's a tool to design develop, test, deploy, operate, update secure, and finally retire your API. And that is not really easy. I mentioned earlier, rest APIs were adopted because they were so easy and simple to understand and to start using. But in the end APIs, as product APIs, as logistics tools, there are anything but easy. And of course securing those API is anything but easy because there are so many things we have to be caring about. We have to start with understanding what APIs do you even have and not all of the APIs.
A typical business is using belongs to that business or managed by it. Third party APIs are consumer product APIs, partner, APIs, APIs, which you yourself consume as a user and not as a supplier, they all require your attention. They all have to be understood, analyzed and monitored continuously. Of course, you have to implement proper access control because APIs expose your sensitive data. And if you do not control that access while you will inevitably end up with the data breach and the compliance fine, you have to validate the data incoming and outgoing to protect your API from logic bombs, which might disrupt your business. And of course, to ensure that you do not leak any sensitive data outside of your internal network, you have to protect APIs from other types of threats. You have to secure the data flow into the network, or you have to just stay on top of anything that happens, detect any anomalies, understand what's going on with each and every of the API. And of course, somehow you have to automate everything because it is complicated and everything is covered by API security tools.
And this is of course something which we cover in, in our leadership compass. So I guess I have to explain what a leadership compass is. It's a multi vendor report where we call observe a specific market segment, API management and security. In this particular case, when we identify all the relevant vendors operating in the market, we contact them. We learn about their solutions. We ask very specific technical and business and organizational questions about each solution. We collect all this data, analyze and crunch the data, our produce sophisticated methodology. And finally, we come up with a rating when we explain which solutions we believe are the best, most suitable for your needs, which are maybe niche players deliver in great product, but not yet concurrent market share, which are innovative, which are market giants, because they have somehow managed to gain the presence, maybe even with not that cutting edge solution.
But anyway, that's the whole point. You focus on many difficult, many different aspects of the vendors and their corresponding products. And we tell you the results. So these are the key evaluation criteria we, we have used for our leadership for API management and security. We're looking for eight more or less distinct areas, API of cycle management, how well the solution addresses all the requirements for developers, operators, DevOps, and security people as a single solution to ensure that your API is never left and attended deployment of integration. How well does the solutions support mode architectures microservices hybrid clouds? How well does it integrate with per party tools, both for developers and for security developer Porwal and tools? How well does it cater towards developers? So the people who actually consume the APIs, does it offer great documentation? Does it support localized documentation? For example, does it integrate well with the I C D pipelines and developer automation and so on and so forth identity control, obviously how well does the solution ensure that your data, your APIs are only been accessed by people who are people or machines who are allowed to do it, pay vulnerability management?
How well does the solution understand what are the weaknesses? What are the security holes in the underlying infrastructure and software and what can it do to, to prevent it to practically harden the infrastructure, analytics and security intelligence? How well does the solution offer you the runtime visibility into what's going on with APIs? Is there something wrong going, are there any anomalies to observe, to understand and maybe to respond before it turns into a data reach, integrity and threat protection. This is more towards focusing towards the traditional well application security, how well your API contacted from invalid input data, SQL injection exploits and so on. And finally, scalability and performance. Does the solution have any bottlenecks, cannot scale linearly cannot provide you with a high load and high availability configuration and so on and so forth.
And of course we measure all those values and we produce our, our ratings with five different product oriented categories, where we measure the internal security of the product. So it's not about the actual security in your API functionality, but rather who is watching the Watchman. How can you be sure that your API security solution cannot be circumvented or broken or hacking to functionality, but that's obviously the main dish. How well does the solution serve the actual API management and security deployment? How easy it can can be deployed? Is it delivered as a single integrated platform or a bunch of tools you have to combine yourself? Can it be run from the cloud? Can it be available as a managed software? And so on interoperability, does it work well with third party solutions, usability, how easy it is to well using daily life, both for developers, admins, and security Analyst.
And then we have four further ratings, which focused on the vendor in general. First of all, innovation means how well does the vendor can react to change requirements? How quickly cannot react. And for example, release new features when the market demands though, when is a new API format or an authentication standard or whatever, other like new compliance framework, how quickly can you be assure that you get those features delivered to you, or whether the vendor can offer you something, which you did not even know you need, but it's something so amazing that you will just pay for it immediately. Market position means, well, how well established is the vendor in the market? How much, how many units can it sell? So to say, how many customers, how many industries, partners and so on are served ecosystem? Well, I mean, how present in the company worldwide? Does it have partnerships with ISVs and resellers? How well is the, the support system developing so on and so forth? And finally, how much money does the company even have? Can you be sure that it won't be sold or just ceased to be used to exist next year?
And with that regard, basically boil all those ratings down to four different numbers. Product leadership is an integrated rating, which matters. Everything relates relationship to the product, visual fulfillment and co functional criteria, market leadership measures. How well established is the vendor on the market. Innovation again is the rating which, which every company gets for innovativeness, if you will. And finally, the overall leadership is all three combined in a single number. So with that regard, I would say you could probably compare to similar reports published by our or competitors, if you will, a much, much larger Analyst houses, but I would proudly proclaim that our leadership give you gives you many more numbers to consider when you are looking for specific features, capabilities, or understanding how well a particular solution would fit your business needs. And let's just quickly switch to our, the list of vendors recovering this leadership compass.
As I mentioned earlier, the first edition we published on this topic was six years ago. And back then we only helped one single company that would proclaim themselves to be an API security vendor. Now we have the third edition published earlier this year. And as you can see, have many more vendors in general, and I would say at least half of those are dedicated security vendors. Of course you would jeopardize a lot of large companies like Google and Broadcom and redhead and perhaps ping. And WSO two, those companies are well known outside of API management and security markets, and they are large veteran players and many markets. And of course we have perhaps even tiny, but highly innovative startups, like 40 to crunch or sequence or ity, or maybe even sold security, which is still a startup, even though they are pretty successful in the market.
So we have a very healthy mix of different vendors, different sizes and senses, which I believe shows that the market is actually developing. And we have lot of interesting things to observe. And besides the companies which participated in our rating, we also had to mention at least in passing some other companies, which decided not to participate, but still every major cloud so was provided, for example, has their own API management solution is some built insecurity tool. So we have to mention them as well. And if you're interested, you can follow up and really interesting for example, and very well source solutions for you to come consider. But let's just jump into the overall leadership. This is probably the primary you will all be interested in. We measured all those vendors of the solutions, large and small, broad, and focused and unsurprisingly among the leaders among the over leaders, you would have primarily those large well established companies like Google is the epi G API management platform.
And Broadcom is a layer seven brand red hat, which was formally known as three scale, but now offers a much broader solution incorporating all the aspects of a proper enterprise integration platform. We have a couple of interesting newcomers, for example, in Porwal again, it's a very large and established security vendor, primarily known for the web application and database security tools, but now they are also working in this market and they are also recognized as leaders, companies like forum systems and solve security and 40 to crunch are tightly specialized in API security. And they have to emphasize in very different aspects of API security. For example, 42 crunch focuses specifically on design phase security. How do you create an API specification even before you write, before you start writing any code, how do you ensure that your API is secure by design? If you need this, you go to them, salt security, for example, focuses on runtime monitoring and analytics, identifying anomalist and potential threats, and quickly to them. As I mentioned, they are also a startup, but they are kind of that unicorn type startup extremely popular in this market and forum system is that the very first API security vendor, if you will, they are focusing on traditionally highly regulated industries like go governments and financial and banks. And if you need the tightest, the fireball gateway style protection for your highly sensitive API, which is where you go.
So as you can see among overall leaders, we have a really not just, we are not comparing apple to oranges. We like comparing bicycles to, to trucks. So while overall leadership is really important for you to understand who is doing well on the market, if you need to focus on specific capabilities, you have to go deeper. And before we go deeper, let's just quickly have a look at our product leaders. Again, you can see the same usual suspect to large established Twitter players who can cover all aspects of API management and security to a certain extent, as well as those highly specialized, but highly qualified and polished security solutions. I just talked about, including, for example, such really specific tool solutions like cloud security and analog, which only focus on managing access to APIs, but they're doing it really well. And if you only focus on those aspects, you have to look specifically for those types of solutions.
Innovation, innovation leadership is an interesting category because it doesn't so much measure what you already have, but rather what can you deliver if needed? And here we see that's actually the majority of the vendors we cover are highly innovative. We chose, I believe that the market is still rapidly evolving and changing and there's nowhere near the maturity. So we have a lot of companies offering really interesting, really new really trailblazing capabilities, even though some of them only focus on the very narrow area area. And maybe in a few years, they will be acquired by large vendors and the technologies integrated into bigger platforms for the moment. This is a really fascinating market to follow. If you are interested in innovation. And finally we have the market leaders again, Google right head Broadcom, no surprises here. Those are all huge companies with lots of money. There's lots of partners and customers around the world they can deliver and they deliver.
And of course, companies like pink in per and x-ray again, they are pretty big outside of API security, but they're getting into this market as well. And on this slide, I don't think we, we have to focus on it a lot, but you can see that for each vendor, we provided a quick overview, how well, how high they ask for, for this, for every, all those nine different ratings, you can see most of the windows that should do very well in all areas. Yes, some are, are pretty small, so they are not yet strong, positive in the market share or financial stability, but they're getting there, just give them some time startups. And of course, for every vendor, we also provide spider chart. This is a further, highly detailed diagram. It shows how well the product first on specific areas of API management and security we discussed earlier. So if you only need of course, ideal vendor, like this is this chart on the slide is for our, our leader, Google. They do well in almost every aspect, perhaps outside of API vulnerability and security management.
If you are looking for the best of breed security tool, for example, it doesn't have to be specifically, you have other windows who have very high spikes in specific areas like security, intelligence, or threat protection that might be lacking in other areas like API cycle management, specialized security tool will definitely lack in those. It does not mean that they are somehow worse or less recommended by keeping a call. They're all still great. And really you should look for that into all of those. And finally, as a summary, I guess we should talk a little bit about the further development. So what we observed currently and what we predict for the nearest future within the API management and security, first of all, whole markets continues to evolve. There is no maturity inside, and it's not a bad thing actually because well, API economies continues to grow.
API threat landscapes, continue to evolve, and the market has to react every day. So it's, there is no stop to this evolution. The temp is further increasing. Now the rest APIs alone are no longer sufficient. We have microservices, we have new completely differently functioning, API protocols like GraphQL and so on where traditional security solutions and management solutions just don't work anymore. For example, if you are using GraphQL to perform some complicated queries through a single interface, you cannot apply traditional access control to that interface, and you cannot monetize it per transaction cause different transactions, for example, can produce vastly different payloads. So the solutions they have to evolve, they have to expand their scope and support all those new developments. Finally, I would say within the last couple of years, the awareness about API security is growing, starting to grow because of compliance regulations like GDPR, because of those large scale data breaches with likes of Facebook and Instagram, Twitter, and us post and so on. So even smaller companies finally realize that API security API risks are real in the API. Security is desperately needed and COVID of course has also increased this demand.
API management on its own quickly is quickly becoming a commodity. Like nobody cares anymore about the solutions that just lets you publish an API endpoint and collect money for it. API management and dimension is now much more than just that it has to address the whole API lifecycle. It has to incorporate new stakeholders outside of develop the developer community. And for some vendors like for example, red hat and Google, this is already a reality. They already offer their API management solutions is a part of a larger integration platform. And this is the term you really have to look up and to understand it's something which you already need. As well.
As I mentioned earlier, realtime monitoring is no longer works. Just like in every other area of cybersecurity, you cannot just reactively respond to every attack on your API. You have to make your APIs ally haven't. You have to shift left that you have to collaborate with the developers to make security an integral part of that early stages of the API life cycle. And finally, APIs are just another type of infrastructure like the cloud and the network and database. And so on. Maybe you just have to reconsider your approach towards data security completely. Maybe you should not even think about securing the APIs. Maybe you should secure your data regardless of the path a user or a machine or a service actually gets access to the data. And again, there are some really interesting developments with the likes of in Porwal. For example, will offer you an integrated platform which combines traditional application security and data security and API security that with some really interesting holistic and visibility among those something to look forward towards.
And finally, I have a few recommendations for you to read, of course, the leadership itself, as I mentioned, the buyers, which will explain you more, their customers perspective, how do you actually choose the right API security and management solution and a few advisory notes, white papers we have available on our website and with that, thank you very much. And first of all, you can now submit your questions. If you have any. And that Paul we had in the beginning, 83% of you have told that you still do not have any API strategy. Well, that's really too bad. I was really hoping that in 2021 little bit more companies would already at least start thinking about APIs moment. Remember that a strategy doesn't even have to mean that you have already figured everything out. At least you have to think about API security as a strategic development for the near future. And if you don't have that strategy yet, or you have to start preferably yesterday, but at least today, cause remember with all those developments like working from home hybrid cloud, the increased diversity and scale of public and business APIs, I mean
You to, you have to think about it because if you don't, even if, if, if your company doesn't even plan to publish your own APIs as products consider the fact that an American casino was hacked through an API of a pump in a fish tank, this is the potential problem. You can have potential if you can have with API security, if you neglect it, think about it. And again, thank you very much and see you in our, for the webinars.
