In their approach to application programming interface (API) security, organizations exposing web APIs must balance ease of access with control. Like the bank robber attacking banks because “that’s where the money is,” the use of APIs to provide access to applications and to business-critical data has naturally led to API security incidents. These have occurred particularly in the form of data breaches.
Some of the key challenges organizations currently face include:
- An increase in attacks and data breaches involving poorly protected APIs
- Ineffectiveness of protecting web APIs with traditional application security solutions alone
- Ongoing addition and consumption of new APIs by organizations, meaning that API security is not a one-time exercise
- Modern application architecture trends — including mobile devices, microservice design patterns, and hybrid on-premises/cloud usage — complicate API security since there is rarely a single “gateway” at which protection can be enforced.
API gateways, combined with web application firewalls and other application security infrastructure where necessary, are used to implement API security. However, a purely edge-based web application security defense strategy is not fully ready for the new challenges posed by APIs. The widespread use of internal APIs, combined with mobile access and increased reliance on cloud APIs, means that defending from the edge alone is insufficient. New hybrid approaches highlight the fact that organizations should take a holistic view of API security.
The best practices described in this research explain how an organization should use API security to enable its integration and digital business initiatives.
Interested? Get access to the Gartner API Security Strategy here.