A new breed of application programming interface (API) management providers is looking to fill the security gaps where traditional vendors fall short. These API security startups showed up in full force at this month’s API World in California. They are quickly growing in popularity, both among enterprise customers and in API technology partnerships.
One such company is little-known Cequence, whose AI-based security solution combats automated (bot) attacks on public-facing applications. It analyses traffic through machine learning in order to distinguish legitimate traffic from automated threats. The company recently played a critical role in the discovery of vulnerabilities in Cisco WebEx and Zoom. Both are video conferencing platforms in which hackers gained access to meetings that were established without security precautions.
These kinds of attacks have traditional API management vendors like IBM, Google, and Microsoft nervous. They have been prompted to establish partnerships with API security vendors such as 42Crunch and Ping Identity. Traditional API management technology is built on gateway solutions, which provide access control and management around API activities. These solutions maintain important governance and policy functionality; however, they are not widely viewed as having best-of-breed API security capabilities. Developers are inclined to find ways of bypassing API gateways during the app development process in order to obtain the latest innovative app platforms and OSS technologies. API management providers are quickly realizing they need to up their game in security. Pure-play partnerships provide a quick fix to this new dilemma.
This relatively new lineup of API security startups includes 42Crunch, Cequence, Data Theorem, Shape Security, Signal Sciences, PerimeterX, Imperva, and Salt Security, among others. They pose a disruptive threat to the API management space currently dominated by vendors including Google Apigee, IBM, Microsoft, Salesforce MuleSoft, and Red Hat.
Simplicity through automation
API security offerings simplify security requirements through automation, which is critical to developers tasked with creating APIs for distributed apps. Developers are playing a larger role in the security process, as some security pure-plays provide solutions designed as ‘security-as-code’. With these, the security capabilities are built into applications earlier in the app development process. This is important because next-generation architectures demand security participation beyond traditional operations. They require security teams to involve app developers and architects who are well equipped to recognize new types of vulnerabilities. There is also greater interest in segmenting and monitoring the new app architecture. This allows enterprises to have a better understanding of not only security vulnerabilities, but also how their infrastructure is being used.