The Truth About API Security Needs | Impart Security

API security is a market that has gone through many changes recently, from WAFs being a critical line of defense for APIs to becoming almost completely unusable against the sheer volume of APIs being created daily.

How have perceptions changed in the minds of those in the field?

Market Feedback

I’ve spoken to nearly a hundred security practitioners in the last 2 months, and what has become increasingly clear to me is that the market is now very well educated about the problem of API security.

In these conversations, most security teams are telling me that API security is an urgent and pressing problem that needs to be solved. 

It’s been very rare for me to hear from someone who is very happy with their current solution.

What also seems clear to me now is that the initial hype for API security has passed. Teams know they need a solution, and security teams are starting to realize that the solutions they’ve implemented over the past few years aren’t solving their problems.

Here’s a snapshot of the feedback we’ve received recently about what’s not working with existing solutions:

Difficulty of integration implementations

What they’re saying: Many API security solutions have marketed themselves on ease of implementation, and the concept of an agentless, integration-focused middleware layer does make sense in theory.

What we’re hearing: In practice, these implementations are much harder to set up and maintain than they appear, with some folks telling us that their implementations are taking up to 6 months!

Common gotchas we’re hearing about include TLS encryption handling, version control, and reporting.

Difficulty of enterprise rollout

What they’re saying: Many API security solutions extol how convenient enterprise rollout is without going into specifics, or argue that other positive traits outweigh the ability to onboard effectively.

What we’re hearing: The current crop of API security solutions is very difficult to roll out enterprise-wide. Specifically, security practitioners say it is difficult to get multiple dev teams onboarded into new API security processes and procedures.

They’ve also told us it’s been difficult to deploy and manage multiple classes of integrations with different levels of features across a large enterprise footprint.

Difficulty under pressure

What they’re saying: Many API security solutions tout their exceptional ability to protect APIs at runtime and during attacks, thanks to their integrations with WAFs and API gateways.

What we’re hearing: Existing solutions have a hard time holding up when customers’ APIs are under attack. In particular, folks tell us how hard it is for security teams to explain to angry executives what is happening when things hit the fan, such as which requests were blocked and why, because their integrations don’t provide the visibility or audit trail needed to quickly explain an attack in progress.

Ease of use matters

In the API security industry, it’s become increasingly clear that success is not solely defined by functional requirements, such as the number of security detections a tool can identify.

While metrics like the number of API endpoints a solution can discover or the breadth of canned tests it can automatically execute are important, they’re no longer the unique selling points they once were. 

These functional requirements have become features that security teams simply expect all their tools to possess. The real indicator of a tool’s success is how seamlessly it can be implemented within an organization. As a result, the industry’s focus has shifted toward non-functional requirements such as performance, reliability, ergonomics, and usability.

There are a number of examples in SaaS and security from recent memory that we can draw on:

  • Zoom vs. WebEx: Both platforms offer video conferencing, but Zoom pulled ahead largely because of its user-friendly interface and hassle-free setup process. WebEx was earlier to the market and had robust functionalities, but Zoom made joining a meeting as simple as clicking a link, appealing to users who wanted simplicity and convenience.
  • CrowdStrike vs. Antivirus: CrowdStrike’s Falcon platform focuses on a cloud-native architecture that simplifies deployment and management. Its user interface is intuitive, and it provides real-time, actionable threat intelligence, contrasting sharply with older, more cumbersome antivirus tools that rely on signature-based detection and frequent updates.
  • Wiz vs. other CSPMs: Wiz’s well-documented ascent came as a surprise to many, but it’s no secret that their success comes from tying together multiple aspects of the Cloud Security Posture Management space behind a single platform with a great user experience.

These non-functional factors play an important role, if not the most important role, in the successful implementation of an API security tool within an organization’s ecosystem. 

What good is an API security solution that only analyzes 50% of your API traffic? Or what good is an API testing suite that is used by a single developer in an organization of 250? Broad adoption of the tool is largely the driver of success.

What does good API security look like?

Success in API security goes beyond functional requirements. We must step back, listen to what the total needs are for securing our APIs, and create a strategy that will ultimately win against the bad actors out there.

In our research we’ve found that you need a solution that has all of the functional requirements and is also easy to use. Plain and simple.

The key is finding a solution with all of the above that can be easily implemented and rolled out across large enterprises, thereby reducing the overall work required from security and development teams.

To successfully do this, look for solutions that:

  • Integrate easily into your existing tech stack, with multiple deployment options that work in any environment
  • Roll out easily across the enterprise organizationally, providing ways to get buy-in and engagement from multiple stakeholders, from developers to DevOps teams to security teams
  • Deliver a single, integrated solution that aggregates, filters, and correlates data across different teams and domains, without a heavy technical implementation
  • Withstand high-pressure situations, proving efficacy, resilience, and the ability to make quality decisions quickly in the heat of a security incident

Here at Impart Security, our work is focused strictly on an API security solution built to give you an effortless and seamless way to secure your APIs. If you’d like to learn more about Impart’s integrated API security solution, get started today with a live demo.

*** This is a Security Bloggers Network syndicated blog from Impart Security Blog authored by Impart Security Blog. Read the original post at: https://www.impart.security/blog/the-truth-about-api-security-needs