Good security has never been more important, yet attack surfaces have ballooned over the past few years. One reason: APIs.
Ten years ago enterprises built monolithic enterprise software applications with a limited number of (relatively) easy-to-secure interfaces. Now, however, developers break applications down into separate services and publish the functionality of their applications as Web APIs (application program interfaces) that access systems of record.
APIs are accessed by a huge variety of client devices - from traditional desktops to mobile devices, smart televisions, games consoles and even nodes in the Internet of Things.
"What we have seen is applications being broken down into micro-services, and when you do that you are creating many more interfaces and exposing those interfaces. So of course the attack surfaces are much larger," said Subra Kumaraswamy, head of product security at Apigee, a California-based API security platform vendor. "Hackers no longer attack one application; they can look at lots of services. So there is a bigger risk that they can get access to data."
There's no doubt APIs present a real security risk, and that hackers steal data by exploiting them. For example, earlier this year hackers stole sensitive tax information from over 100,000 taxpayers using the IRS's "Get Transcript" API -- which was hurriedly shuttered once the breach was discovered.
APIs and 'Looking the Other Way'
APIs present an extra headache to organizations because of their power, Kumaraswamy said. "Before, hackers had to sit behind a console and try different things to find vulnerabilities. But because APIs are programmable, they can program attacks. They can write a system that automates their attacks and tries different things."
APIs have become a significant part of initiatives seen as money-making operations, which has led many organizations to adopt a "look the other way" attitude when it comes to security, he added.
"APIs are often made as part of an initiative like mobile, and businesses measure success by user engagement or user adoption," Kumaraswamy said. "Sometimes that means they don't pay attention to the security aspects of the API. Businesses need more agility, and security sometimes comes second."
Can API Security Products Help?
Some businesses are belatedly waking up to the API security problem, and a growing number of companies like Apigee now offer API security products to help minimize the attack surface presented by APIs. The application services governance and API management market was worth around $618 million in 2014 ($155 million in the cloud), according to Gartner.
The market is still relatively immature, though, and only 5 percent to 10 percent of organizations offering APIs use such products, Kumaraswamy estimates.
So how can an API security product help?
In very general terms, API security platforms can:
- Help expose systems of record and other systems and applications securely through APIs through the consistent application of policies (about authentication, for example)
- Help onboard and manage in-house and third-party developers so they can create applications using those APIs
- Allow you to choose which apps, developers and partners can access which APIs
- Help secure your data in accordance with regulatory and other requirements
Gartner's Paolo Malinverno categorizes the functionality that API security products supply into broad areas:
- Planning and design
- Basic and advanced deployment and running
- Versioning and retirement
Effectively then, they offer API management over the entire lifecycle of an API, from inception to retirement.
All About API Management
In terms of general functionality, many API security products are actually API management products that bring APIs under centralized control and allow security and other policies to be applied to them in a systematic and unified way.
They can also help avoid uncontrolled API sprawl, which results when APIs are created in different parts of the organization by different developer groups, without any consistent approach to security. They can also help prevent APIs from being abandoned and forgotten about rather than retired securely.
"When you have visibility into your APIs throughout your organization, you can then put controls in place," Kumaraswamy said. "You might decide that a certain API should only be exposed to in-house developers, not external, third party ones. If you don't have visibility, you can't see who is accessing what. "
"If you have API sprawl, that is also bad. API management ensures that you have consistency and you don't duplicate stuff," he added. "For example, if you have five departments that use five different authentication methods for your APIs, that's not consistent. A management product lets you enforce two-factor authentication if that's what you want. You can drag and drop a policy and secure all your APIs in one shot."
API Management's Future
At the moment only a minority of companies offer APIs to sensitive information and therefore may need API security products, said Gartner's Paulo Malinverno. But ultimately the rise in popularity of APIs may end up killing the market for these types of API security products, he believes.
"APIs are going to be everywhere. API management still has three or four more years, but eventually it will become part of a bigger product like general application management," he said.
Thus the market will inevitably consolidate further, with independent vendors like Apigee probably being acquired by larger enterprise software vendors, Malinverno said.
It's not over for API security software quite yet, though, and leading enterprise software vendors in the field include both well-known names and smaller API security specialists.
Short List of API Security Products
- Mashery Mashery API Management
- CA Technologies CA API Management
- MuleSoft API Manager
- Axway Axway 5 Suite For API Management
- SAP SAP API Management
- IBM IBM API Management
- Software AG API Management Platform
- 3Scale 3scale API Management Platform
- Akana API Management
- Apigee Apigee Edge
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.ee