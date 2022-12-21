API security leader. CEO and cofounder of Salt Security.

getty

This year has been a wild ride in API security. Just in 2022, we’ve seen immense growth in the API security space. At the same time, among established security companies, more than a dozen have rolled out API security solutions, including behemoths such as Google. The number of API security companies totals more than 27 and keeps growing, according to Richard Stiennon, founder of industry analyst firm IT-Harvest.

All this activity and investment makes sense, given that CISOs say APIs are the IT component most needing security improvement. Perhaps that’s due to the staggering costs of API breaches. To cover costs associated due to its recent API breach, Australian telecommunications provider Optus has set aside $140 million, which doesn’t begin to cover the costs of brand reputational damage. As cited in a ThreatX blog post, “According to Gartner, by 2023, over 50% of B2B transactions will be performed through real-time APIs.”

Clearly, the API security market is here. We have progressed dramatically from just five years ago when “API security” didn’t exist as a recognized technology segment. When we here at Salt first raised the need for cataloging APIs and defending against attacks, we were the only ones talking about “API discovery” and “runtime protection for APIs.” And with all this growth, it’s still true that this journey has really just begun.

But even a young market provides interesting learnings. The journey from nothing to Gartner validation doesn’t happen overnight nor in a vacuum. How did we get here?

One Thing Leads To Another

Technology advancements tend to beget other technology requirements. Cloud computing changed the playing field for APIs, making them a central component for modern architectures. Cloud computing catalyzed the digital revolution, allowing us to move from simplistic, single-page applications to the sophisticated web and mobile-based applications we use today. At the same time, we started using cloud-native development like containers and Kubernetes to build apps, and these microservices, along with the cloud, mean companies now create more and more APIs—and update those APIs—on a regular basis.

The issue of API security became evident to me while I was doing service within the Israel Defense Forces (IDF), where I led the development of cybersecurity products and solutions within an elite cybersecurity unit charged with protecting civilian and military systems. It was there, several years ago, that I first saw the security challenges that APIs create.

With more business services translated into APIs, APIs became a much more attractive target for bad actors. Attackers know that lucrative data can be pulled through APIs. Given the rapid pace of development today, bad actors also realize a growing number of APIs means a growing number of vulnerabilities waiting to be exploited.

What Worked Before Doesn’t Work Now

Moreover, today’s API attacks differ from traditional “one and done” attacks, such as a SQL injection. Because every API has its own unique business logic, attackers must probe and prod APIs—over and over again—to uncover vulnerabilities to exploit. Attacks can take days and weeks to unfold.

“Traditional” solutions can recognize and stop a traditional attack. But to address API attacks, businesses need additional context to identify the signs of a bad actor performing reconnaissance. They must identify what normal behavior looks like so as to spot anomalies that signal the presence of an attacker.

You Don’t Know What You Don’t Know

For a market to take hold, buyers must recognize and understand they have a problem and believe they need—or will soon need—a better solution. Making this mental leap requires a considerable amount of education.

Nowadays, the need for API security has become well known. But only a few years ago—before Covid-19 and the sharp upturn in digitalization transformation initiatives—this recognition had not taken hold. As a co-founder for the first entrant to the API security market, I knew that evangelizing the problem and need would be critical. Organizations must learn that a problem exists and that it poses a substantial business risk. Focusing on the education phase is critical for any founder developing a new technology category.

To characterize the problem, evangelize its seriousness and give the industry a common vocabulary, we worked closely with OWASP to build its inaugural OWASP API Security Top 10 list. This organization pioneered the OWASP Top 10 list—a hallmark set of the top application attacks in the industry. Organizations have relied on that original OWASP list for more than a decade to build their security framework. This new list, focused on API threats, documented the common API attacks.

To extend market awareness, we also invested in building a research arm focused on API security issues within our company. We hired experienced security researchers to populate Salt Labs, dedicated to investigating and publishing detailed information on API vulnerabilities and risk mitigation.

Separating The Signal From The Noise

As a founder, you also need to teach people what “good” looks like for a technology. You need to highlight the particular issues driving the need for your technology and what criteria should be provided within any solution. Founders must understand the buyer’s need and map features to it, highlight customer references and create test plans for organizations to follow.

In the case of the growing API security market, the OWASP API Security Top 10 list was critical to outline the top API security threats facing organizations and identify security requirements. The vulnerabilities in this list still represent more than 60% of API threats.

As a founder in API security, I have seen firsthand how the landscape has changed. Watching it and being part of the transformation has been incredible. But the journey still has a long way to go, and, personally, I can’t wait to see how it unfolds.

