Is the API security market finally maturing?

By Andy Mills, VP of EMEA for Cequence Security.

  • Thursday, 9th May 2024 Posted 6 months ago in by Phil Alsop

As with any nascent technology, the channel needed to understand the need for Application Programming Interface (API) security before it could get behind it. While security vendors attempted to seed the market ahead of the curve several years ago, this saw them peak too early. Channel resellers were being told budget was allocated to web application firewalls (WAFs), not API defence, with the two being seen as interchangeable. This caused the channel to question whether they really needed to offer API threat detection and mitigation at all.

But fast forward to now and API traffic has become the dominant form of communication, comprising 71% of all internet traffic in 2023. The WAFs which were being used to defend them have been revealed to be too rigid, using signature-based rather than behaviour-based analysis causing them to struggle to find and block attacks that appear legitimate. Similarly, API gateways, which offer some rudimentary protection such as rate limiting and IP block lists, primarily perform a management function. Both struggle to address the visibility, inventory tracking, risk assessment, and threat prevention requirements needed to adequately protect APIs.

API attack paths have also grown in number and sophistication, leading the OWASP API Security Project to revise its API Security Top 10 of attack types in 2023. It was a step deemed necessary due to APIs having created a massive attack surface and the fact that attackers are now combining attack types to achieve their aims. For instance, whereas before an attacker might have discovered an API that was unmonitored and resorted to business logic abuse, they’re now using that API to return user information and then craft a bot driven attack to leverage this access, effectively combining three of the tactics, techniques and procedures (TTPs) identified in the OWASP list (API9, API1 and API6).

A widening attack surface

Digital ecosystems, increasingly reliant upon this API infrastructure for service delivery, are now finding themselves under attack. In the retail space alone, we observed that bot attacks against APIs increased by 50% during the second half of 2023. In January 2024 there was found to have been a 20% year-on-year increase, with 1 in 4.6 organisations targeted every week. 

So, what does this mean for the channel? Principally that demand is increasing and that markets such as retail, telecoms and finance, which have been the brunt of most attacks, are much more receptive to the idea of dedicated API security. There’s now been a seachange in the levels of awareness in the market which is now all too painfully aware of the need for API security, and the channel is beginning to take notice. 

Those who’ve been watching the space will have noticed that some of the big players have been quietly adding API to their security portfolio. Notable examples include the acquisition of API security start-up Wib by F5 in February, and Akamai announced the release of API Security in August 2023 and is eyeing NoName to boot.

Understanding API security

So, do resellers, SI’s and VARs now need to look at API security with fresh eyes? It’s certainly now a key addition to the portfolio for those involved in the provision of security, cloud and digital transformation services. Many of these will already have related offerings in the form of WAFand DDoS protection and bot protection, making API security a natural bedfellow. In fact, API security should ideally be considered hand-in-hand with bot mitigation because so many of the multi-faceted attacks are automated. Having the capability to provide a solution that defends against both shows the provider has an understanding of the unique challenges associated with API protection. However, such solutions have limitations that attackers have learnt to exploit.

The majority utilise IP address blocking but adversaries have now figured out how to get past this by rotating through IP addresses. Whether the attack is low and slow or high volume, the solution will look to block IP addresses from which an attack originates but the adversary then simply switches to another IP address and continues the attack. In effect, the adversary stays one step ahead of and outpaces or even overwhelms the defence. It’s relatively easy to overload a WAF which typically has a limited capacity to cache IP addresses. We’ve seen instances where an adversary has overwhelmed the system by cycling through over 2million IP addresses in 24 hours. 

It's also important to realise that APIs have some unique characteristics that determine how they are secured. API exploitation can be due to the API going unmonitored, because it hasn’t been correctly decommissioned or due to a lack of authentication controls. But equally the API be securely coded and monitored and still be compromised due to business logic abuse. This effectively sees the API’s functionality subverted, and it can only be detected using an API security solution that utilises continual monitoring, behaviour-based analysis and TTP fingerprinting. It's for these reasons that API security is a very different beast.

Compliance as a driver

Crucially, we’re now at the stage where the market is set to burgeon further due to another driver: compliance mandates. GDPR already refers to the need to ensure the confidentiality, integrity, availability and resilience of processing systems and services. In effect, this means any unmonitored APIs involved in data processing would be considered in breach. However, other standards are also now being revised to single out API security.

The latest iteration of the Payment Card Industry Data Security Standard (PCI DSS) version 4, for instance, which is set to become mandatory for most merchants and processors from April 2024 now refers to API security in requirement 6 (Develop and Maintain Secure Systems and Software). When it comes to attacks, section 6.2.4 states the need to mitigate attempts to bypass application features and functionalities through the manipulation of APIs.  

With both attacks and compliance ramping up, it’s small wonder that the latest Global Market Insights report released in April 2024 predicts these drivers will boost demand and see the API security market surpass $11bn by 2032, making it a compelling offering for the channel. With even the behemoths looking to get in on the action, it’s clear that we’re only at the start of that growth curve. 

There will, of course, inevitably be some contraction in the space due to this M&A activity, which makes it vital that channel partners look for vendors who can go the distance. Key considerations include whether the proposition aligns with emerging compliance and security demands in terms of TTPs, whether they have a strong presence in those markets that are experiencing attacks (i.e. retail, telecoms and finance) and if their solution is comprehensive enough to offer unified API protection that covers the entire API lifecycle. Look to see how innovative their product line-up is. Does it offer other capabilities such as bot mitigation or shift-left testing to improve API security pre-production? And how high a priority is given to channel partnerships. Performing these evaluations will enable those channel providers who want to take advantage of a now receptive market to get in and maximise returns with the right partner.

By Kashif Nazir, Technical Manager at Cloudhouse.
By Terry Storrar, Managing Director at Leaseweb UK.
By Manuel Sanchez, Information Security and Compliance Specialist, iManage.
By Peter Hayles, Product Marketing Manager at Western Digital.
By Richard Eglon, CMO, Nebula Global Services.
Anita Mavridis, VP of Product at Zivver, and Sue Musumeci, Director of Quality & Clinical Informatics at Chronic Care Staffing, explore practical...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist – Business and Technology, Trudy Darwin Communications.
By Krishna Sai, Senior VP of Technology and Engineering.