Summary Bullets:

• A new API lifecycle management approach is founded on emerging security innovations, including AI.
• Pure-play API security providers threaten to outshine API management leaders through best-of-breed security.

This month’s API World in San Jose conveyed one dominant theme throughout keynotes, sessions, and the show floor: API security.

Alongside the usual suspects of leading API management providers, including IBM, Axway, and Akana, were a heap of API security providers, clearly generating a large amount of buzz among attendees. I recall a number of them attending API World last year, but the dominant theme of 2018 was Istio and other service mesh technologies, critical in helping move microservices-based apps into production. Following a year’s progress in digital transformations and the rollout of new app development architectures – including microservices and serverless computing – and the realization of all those unsecured APIs at the heart of DevOps-backed projects, unsurprisingly, security was the new belle of the ball.

At the heart of digital transformations are APIs. Traditional API management technology is typically built on gateway solutions which provide visibility and management around API activities. While these solutions maintain important governance and policy functionality, they are not widely viewed as having best-of-breed API security capabilities for various reasons. These include the interest in obtaining the latest innovative app platforms and OSS technologies, which means that enterprise developers often find ways of bypassing API gateways during the app development process.

Considering APIs are often at the foundation of large-scale transactional systems, housing data which enables financial transactions, API management providers are upping their game in security, and that’s happening initially through pure-play partnerships.

Innovative technologies, such as AI/machine learning are coming into play for analyzing traffic to monitor for anomalies such as automated attacks. Developers are beginning to play a larger role in API security, as some security pure-plays provide solutions that are designed as security-as-code, where capabilities are built into applications earlier in the app development process.

New types of API security offerings are significant for their ability to simplify security requirements through automation, which is critical to developers tasked with creating APIs for distributed apps. Next-generation architectures, which create distributed applications, require security participation beyond operations and security teams so that app developers and architects can help address new types of vulnerabilities. There is also greater interest in segmenting and monitoring the new app architecture (e.g., access control, authentication, metering, and throttling) so that enterprises have a better understanding of, not only security vulnerabilities, but also how their infrastructure is being used.

GlobalData sheds light on key API management trends, while profiling participants, spanning leaders to lesser-known up-and-comers, including 42Crunch, Cequence Security, and Data Theorem, in a new Advisory Report.