We are excited to be named as a sample vendor for API threat protection in the Gartner® Hype Cycle™ for APIs, 2022 report*. This report provides a detailed view into the scale of API problems across all areas of API security and the need to secure this growing landscape as APIs continue to integrate deeper within businesses today. In addition, this comprehensive Gartner API security report covers the latest innovations and insights around:

  • API threat protection
  • The business impact of an API breach
  • Response to the OWASP API Top 10
  • Visibility and security best practices

While there is currently no Gartner® Magic Quadrant™ for API security, this Gartner® Hype Cycle™ for APIs gives valuable insight into wider issues in the world of APIs.

What is API threat protection?

While some refer to it as API security, Gartner defines API threat protection as follows:

“API threat protection is the defense of web APIs from exploits, abuse, access violations and denial of service (DoS) attacks. It is required both for external and internal APIs. API gateways, web application and API protection (WAAP), and specialist API security tools provide API threat protection through a combination of content inspection of API parameters and payloads, traffic management, and traffic analysis for anomaly detection.” [1]

As we continue to see increasing breaches in the news, our customers are coming to us with API threat protection as a priority for their API security roadmap. Security teams lack visibility into their APIs, the scope of risk, and whether or not they have already been compromised, leaving a major blind spot.

Why is API threat protection essential?

Three quotes from the report help explain why API threat protection is essential:

  1. “APIs are easy to expose, but difficult to defend.” [1]
    As the network of connected applications continues to grow, so does the attack surface of exposed APIs. Traditional security tools are not enough to protect against API threats, leaving businesses vulnerable to today’s increasing number of API security attacks.

  2. “Many API security issues are related to business logic.” [1]
    Automating business logic protection is a major challenge for security teams today. These tools require an understanding of how APIs are used within the organization in order to detect behavioral anomalies across a rapidly evolving business landscape.

Why are API threats a growing concern?

APIs are the connective tissue of digital transformation and are crucial to advancing business. Business innovation is driving the exponential growth of APIs, but proper security is lagging behind.

As per Gartner, 

“Because APIs are typically used for access to data or application functionality, often linked to systems of record, the impact of an API breach can be substantial.” [1]

Why is API threat protection such a challenge?

To understand API behaviors, security teams must first have a clear view of their API inventory and keep track of changes within their API landscape. Unfortunately, security teams often lack the internal resources and expertise to maintain visibility into APIs dispersed across multiple platforms and SaaS services. Moreover, the global shortage of security talent is even more pronounced in the API security space, causing resource gaps across all industries.

As per Gartner,

“Whereas the security team, under a CISO, typically manages a WAF, API gateways are managed by API platform teams. This can lead to API threat protection being neglected due to a lack of expertise and a focus on delivery rather than security.” [1]

Why do API threats require a different approach to security?

In the past, security teams focused on keeping the bad guys out, using tools to protect their databases from attackers looking to break in and steal data. They acted as a doorman to the network, controlling who came in and went out.

Now, APIs send data back and forth freely across an interconnected network of business and internal APIs. Attackers merely sit on public API traffic and wait. Common weaknesses such as weak API keys and authentication methods give bad actors an easy way into an entire network of business, customer, and partner APIs and the data flowing between them.

As per Gartner,

“APIs are easily and intentionally programmable, so a vulnerability can leak large volumes of data. The challenge of distinguishing malicious access from valid access further complicates the task of securing APIs.” [1]

Healthcare and banking APIs are prime targets: they carry PII and financial information that put businesses and their customers at risk. Sensitive data breached through an API vulnerability will likely require the company to comply with privacy regulations and report the incident.

With the increasing risk of insider threats, security teams can no longer assume that authenticated traffic is safe. Instead, they have to take a different approach, acting as the security guard on the inside and watching for suspicious activity.

Without visibility into API inventory and behaviors, security teams are blind to threats blending into the background of authenticated users. As a result, bad actors can remain undetected as they roam freely through the shared API network, putting even more data at risk.

How can Neosec help?

Neosec helps overcome the obstacles around API threat hunting, using best practices to deliver the visibility, resources, and expertise needed for a behavioral analytics approach to API threat detection and response.

With Neosec’s ShadowHunt Managed API Threat Hunting service, our experts act as an extension of your team to provide API security expertise and advanced tools to keep up with API threats.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

*Hype Cycle is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.


[1] Gartner, Hype Cycle for APIs, 2022, Mark O'Neill, John Santoro, 10 August 2022.
