The API Iceberg

Arbor Ventures
4 min read · Mar 9, 2021


Application Programming Interfaces (APIs) now represent nearly 90% of the web application cyber-attack surface.[1] Many companies are unaware of their API vulnerabilities and are using outdated security tools that leave them exposed to API attacks. Accordingly, new API security companies are emerging with innovative products that offer better protection.

Global Reliance on APIs

Over the past decade, we have seen a global proliferation in the creation, usage and reliance on APIs. APIs have transformed Financial Services, modernizing legacy infrastructure by facilitating connections to new technologies. This has led to the creation of an API economy where businesses depend on a complex network of APIs to carry out critical functions. Companies such as Plaid and Stripe have been at the forefront of building this new economy, enabling FinTechs to connect with legacy banking infrastructure and streamline digital payments. Today, new companies adopt an API-first strategy, where APIs are core to their value proposition, and older companies utilize third parties to connect to modern solutions. The intense competition that exists today has resulted in development teams rushing to deliver functionality, which regularly causes unchecked API security flaws to reach the production environment. Multiple layers of API complexity can result in stacked risk across a company’s infrastructure. Led by GDPR, strict regulatory standards and consequential fines for data breaches are becoming the norm worldwide. Companies can no longer afford cyber vulnerabilities. The propagation of APIs, rapid development cycles, large regulatory fines and API utilization in core business functions is creating the perfect storm in API security. Thus, a new class of API security companies is emerging.

WAFs

Traditionally, Web Application Firewalls (WAFs) have been deployed to protect API endpoints; however, these solutions are being undermined by new types of attacks and by unknown endpoints that leave APIs vulnerable. WAFs predominantly block known attack patterns, allowing new types of attack to pass through systems unchecked. Unknown endpoint exposure is rising in proportion to the growth of API creation, and complex business logic can result in vulnerabilities being pushed to production by mistake. These unknown endpoints are collectively known as “shadow” APIs, as they exist in the shadow of the main business logic and are unintentionally pushed to production or exposed to the public. WAFs simply aren’t designed to detect or defend these shadow APIs, leaving companies oblivious to their exposure. When the new class of security companies runs proofs of concept (POCs) with potential customers, they frequently catalogue multiple exposed APIs that the customer was not aware of. According to Gartner, APIs now represent nearly 90% of the web application cyber-attack surface. The reduced utility of WAFs against more sophisticated attacks and the accelerating growth of the attack surface have resulted in two new breeds of security startups offering advanced solutions for API security: DevSecOps and Production Monitoring companies.

DevSecOps

There are two stages at which API vulnerabilities can be addressed: during development (continuous integration) and during production (continuous deployment). DevSecOps solutions aim to expose and resolve API vulnerabilities within the development environment. These companies map API business logic and catalogue each API. They can identify and protect both unknown and unprotected endpoints using a number of approaches, ranging from statistical baselining to API NLP prediction. Additionally, some DevSecOps startups offer automated endpoint or penetration testing, leveraging artificial intelligence to attack and test the APIs for weaknesses. DevSecOps solutions slot into the development process and run in parallel with the engineering cycle, allowing developers to check and resolve vulnerabilities on a regular basis within continuous integration cycles. These solutions are integrating with various ticketing products to provide a seamless tracking experience for engineers.

Production Monitoring

Production Monitoring companies offer solutions to identify and rectify vulnerabilities in the production business logic. This category of companies typically uses sniffers to map business logic, often uncovering shadow APIs that the company is not aware of. Production Monitoring security companies offer real-time monitoring by placing a tap on the API traffic; from that traffic they create a baseline of normal usage for each API. Every API is then monitored for anomalous activity, which gets automatically flagged for review. Issues are flagged and sorted based on which OWASP (Open Web Application Security Project) Top 10 threat they pose to a company. The OWASP Top 10 monitors and ranks cyber threats, and 9 of the 10 threats in 2020 relate to API security. Currently, the leading threat is Broken Object Level Authorization (“BOLA”), which is the primary security flaw new security startups aim to resolve.
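As an added example, not taken from the article or from any of the vendors it describes, the Python sketch below shows the two checks the sections above describe: comparing the endpoints seen on a traffic tap against the catalogued API inventory to surface shadow APIs, and baselining which users normally touch which account objects so that an unexpected cross-user read, the BOLA pattern, is flagged for review. The log format, routes, user ids and catalogue are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: CATALOGUED mimics the inventory a DevSecOps scan
# produced; the log lines mimic what a production traffic tap would record.
CATALOGUED = {"GET /api/me", "GET /api/accounts/{id}", "POST /api/transfers"}
BASELINE_LINES = [            # a window of known-good traffic
    "user=u1 GET /api/me 200",
    "user=u1 GET /api/accounts/101 200",
    "user=u1 GET /api/accounts/103 200",
    "user=u2 GET /api/accounts/202 200",
    "user=u2 POST /api/transfers 201",
]
LIVE_LINES = [                # traffic being monitored
    "user=u2 GET /api/accounts/202 200",
    "user=u2 GET /api/accounts/101 200",    # u2 reads an object only u1 ever used
    "user=u3 GET /api/v0/debug/users 200",  # endpoint absent from the catalogue
]
LINE_RE = re.compile(r"user=(\w+) (\w+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^/api/accounts/(\d+)$")   # the object-level route we watch

def parse(line):
    user, method, path, status = LINE_RE.match(line).groups()
    return {"user": user, "method": method, "path": path, "status": int(status)}

def route_template(path):
    """Collapse numeric segments to {id} so concrete paths match catalogue entries."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def find_shadow_apis(lines, catalogued):
    """Endpoints seen in traffic but absent from the catalogue."""
    seen = {f"{r['method']} {route_template(r['path'])}" for r in map(parse, lines)}
    return sorted(seen - catalogued)

def build_baseline(lines):
    """Record which users touched which account objects during normal usage."""
    owners = defaultdict(set)
    for r in map(parse, lines):
        m = OBJECT_RE.match(r["path"])
        if m and r["status"] == 200:
            owners[m.group(1)].add(r["user"])
    return owners

def find_bola_candidates(lines, baseline):
    """Successful reads of an object by a user the baseline never paired with it;
    objects never seen in the baseline are flagged for review as well."""
    hits = []
    for r in map(parse, lines):
        m = OBJECT_RE.match(r["path"])
        if m and r["status"] == 200 and r["user"] not in baseline.get(m.group(1), set()):
            hits.append((r["user"], m.group(1)))
    return hits
```

A real product would learn the baseline from far more traffic and would treat the flagged reads as review candidates rather than confirmed authorization bugs, since a user legitimately gaining access to a new object looks the same on the wire.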

Future Market Dynamics

High profile attacks (Venmo, Salesforce, USPS) and potential fines originating from API vulnerabilities are raising demand for new solutions, a trend we expect to continue. With a growing attack surface, the targeting of APIs will increase in frequency. Highly regulated industries such as Financial Services and Healthcare have the most to lose in an attack, with regulatory fines reaching up to 2% of annual revenue within GDPR. According to IBM, the average cost of a data breach in the US is $3.9M, and in Healthcare that average rises to $7.1M per breach. The reputational damage sown by breaches can also have a long-lasting effect on brands. As awareness grows and attacks become more frequent, the adoption of new API security solutions will likely start to consume and potentially replace the $3.7B+ WAF market.[2] Today, companies only see the tip of the iceberg, but emerging security solutions offer visibility well below the surface.

By William Goulding, Senior Investment Analyst Arbor Ventures

[1] Gartner

[2] Verified Market Research


Arbor Ventures

Arbor Ventures is a global early-stage venture capital firm focused on the intersection of Big Data, Financial Services & Digital Commerce. www.arborventures.com