The use of APIs has skyrocketed over the years and with organizations using so many different types of APIs on a normal basis, API management has become essential for managing the API attack surface. 

Fifty-one percent of respondents said that more than half of their organizations’ development effort is spent on APIs—compared with 40% of respondents in 2020 and 49% last year, according to the 2022 State of the API Report that surveyed 37,332 developers and API professionals and included aggregated data from the Postman API Platform over approximately four weeks in June and July 2022. 

“This year, we found not only are most organizations’ development efforts focused on APIs, but firms that go even further and establish an API-first approach tend to outperform and have a more optimistic business outlook. As organizations navigate an uncertain economy, API-first strategies are becoming the backbone that allows organizations to respond rapidly and seamlessly,” said Abhinav Asthana, co-founder and CEO of Postman. 

Despite two-thirds of C-level executives in the study thinking that the economy is turning sour, the vast majority say that API investment is par for the course and will even grow in the next year. 

This vast expansion has led companies to be more API consumers than producers, which has amped up the need for API management to handle many of the tasks surrounding APIs more than ever before. 

If Plato had to decide what the ultimate Form of API management is, it would probably be something along the lines of a process that oversees all APIs in a secure, scalable environment with tools and services that enable developers to build, deploy, secure and manage APIs. However in practice, this has proven to be very difficult. 

So much so that Gartner research estimates that by 2025, less than half of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools and “security controls try to apply old paradigms to new problems.”

RELATED CONTENT: A guide to API management tools

Security is a major concern for API management

While on the one hand, API management problems stem from the sprawl of APIs, the other problem is that the platforms that these companies are using were built around the concept of a single gateway, according to Mark O’Neill, a VP analyst and chief of research for software engineering at Gartner. 

“[With a single gateway], you put an API gateway in your architecture, and you try to funnel your API traffic through that gateway and the problem with that architecture is, when organizations have lots of different teams and applications that are producing and consuming APIs, there’s no one place to put the gateway,” O’Neill said. “And of course, if you’re using multiple cloud platforms, it’s even worse. On the one hand, the sprawl, on the other hand, you have many API management products that are outdated in their architecture.”

In its recent Magic Quadrant, Gartner included API management tools that weren’t tied to a particular gateway – to the surprise of some people. 

“The reason for that is because we now see this multi-gateway world being a reality. We hear people talk about what we would call the ‘Bring Your Own Gateway’ model, where you already have a gateway, but you need the API lifecycle management that goes with that,” O’Neill added.

At the same time, some of the traditional API management vendors start to add at least verbal support for other gateways.

All in all, the two things that are essential to managing API security are strong inventory and real-time discovery to gain visibility into APIs. Although there are some specialized security controls, their API discovery features are limited and don’t have the application logic awareness to create relevant security policies, according to Gartner’s research. 

“For APIs, this means that application security teams will deploy perimeter controls with threat inspection capabilities, but will be limited to generic policies and detection signatures,” the research stated.

The API management tools that are so focused on a single gateway actually leave many APIs exposed. 

In a lot of scenarios in a typical modern web application stack where one has their front end using React, Angular, or another frontend framework and a lot of APIs in the backend, there usually isn’t a gateway in between, O’Neill explained. Although it would not make sense to put a heavyweight gateway there, those API’s often are falling victim to attack because people reverse engineer the front end, and they directly access the APIs. In many cases of breaches, affected APIs were not even going through an application firewall.

API management encompasses a wide variety of APIs

There’s a wide range of APIs that companies use to carry out business tasks on a daily basis: internal APIs to represent coarse- and fine-grained service interfaces, data elements, and private and public APIs. Most organizations are also net consumers of APIs, notably third-party APIs – while convenient, these can pose security and dependency issues. 

By 2025, Gartner predicts that the percentage of third-party APIs used in applications will average 30%, up from less than 10% in 2021, complicating dependency management. 

“The first thing you should do is get visibility of your APIs and understand the attack surface by discovering all your APIs,” O’Neill said. 

Then there are really two choices, O’Neill explained. One is to put API gateways everywhere and the API management vendors are adapting to this by adding the functionality where they can have distributed API management. The other approach is to tell developers that they’re free to use the API gateway that comes with the platform that they’re building the APIs on, whether that’s the Amazon API Gateway, Azure API Gateway, etc. 

“The developers are happy to use the API management that comes with the platform. But of course, the problem then is, you need to have a way to do the overall management of the APIs and to have a consistent way that you’re doing security and consistent design for those APIs,” O’Neill explained. 

Another challenge with API management is that getting higher-ups on board to invest in API security can be a hard sell for software engineering leaders. Many organizations continue to believe that general-purpose API management tools sufficiently address API security. By the time the security team gets funding and builds an RFP for a product, hundreds of APIs might already be in production, Gartner’s research continued.

The lackadaisical security surrounding APIs are also ironically the strength of APIs that led them to be so popular in the first place according to O’Neill. 

“So it’s like a Greek or Roman tragedy in that APIs are designed to enable quick and easy access to data or access to application functionality. But from a security point of view, of course, those are concerns. If you’re making it easy to access your data and application functionality, then the worry is you’re making it easy for malicious entities to access your data and your applications,” O’Neill said. 

Not just a developers’ game

The 2022 State of the API Report found that there was an almost even split with developer and non-developer roles as to who worked with APIs in an organization.

Full stack developers were the largest single group at 25% of respondents, down slightly from last year’s 27%. Backend developers showed a bit stronger representation at 19%, compared with 17% in 2021. Meanwhile, the non-developers included CEOs, business analysts, customer success staff, and more. 

“Historically, it has been development teams – either the developers themselves would make the choices regarding API management, or the organization has had an API Center of Excellence, an overall API platform team, or sometimes that would be part of it a digital team that managed the APIs,” O’Neill said.  

More recently, security teams have realized that APIs are a major point of weakness and  vulnerability.

“They are telling us that they want to take control of API security. They don’t trust that either the developers or the API teams, such as API Centers of Excellence, are strong enough on security, to protect APIs,” O’Neill said. “So we’ll see this trend where security teams want to educate themselves about API security and take control of that in the same way that they’re protecting web, mobile and other types of applications.”

Integration is key 

The biggest factor in companies deciding whether to consume or produce APIs, according to the 2022 State of the API report, is how well they integrate with internal apps and systems.  This corresponds to the report’s finding that the number of integrated APIs across enterprise teams has jumped twentyfold. 

“As more companies recognize APIs as the building blocks of modern software, API tools and services are evolving to meet their needs. These offerings span the API lifecycle, including design, testing, and security. They also include repositories for source code, API gateways, application performance monitoring, and CI/CD—all of which must integrate with API platforms to achieve optimal results,” the report stated. 

Integrating APIs can be tricky as users must first define inputs and outputs, and may also have to configure the authentication settings. It can also be a barrier to entry for non-technical users. 

Demands for API integration in highly regulated industries have had a big impact in driving the usage of APIs, according to O’Neill. 

“The most famous instance is around open banking. So it started in the UK and Europe and then in many other parts of the world there have been open banking regulations. Number one, that required banks to have APIs and then of course being banks they’re naturally concerned about security,” O’Neill said. “But then also, many of the regulations have quite complex requirements for how the access to the APIs is managed. Open banking is all about putting the customer in charge of how their banking information is accessed. That brings in the standards like OAuth and OpenID Connect, so it drives the usage of API management products that support those.” 

In the healthcare industry, the United States requires healthcare payers and providers to have API-based integrations as well. This is another field where there is a big focus around security, particularly related to privacy where APIs are being used to access customer information.

“Open banking and healthcare regulations continue to move around the world and become more mature. And that’s been a big driver of API management,” O’Neill said.