API Security Landscape: Approaches and Categories
API security breaches pose a significant risk to all organizations, especially as the deployment and consumption of API-based AI applications grows and with the continued shift of organizations to implement an API-first strategy.
In this API Security market landscape, we outline the different approaches companies are taking to addressing the challenges presented and we look at the product categories emerging and assess the respective merits of each solution.
Why do you need a separate API security testing solution from your existing traditional application security testing tech stack?
While there is broad recognition of the need for API security, many mistakenly believe that traditional application security testing solutions (SAST and DAST), existing WAF/WAAP tooling and API discovery/behavior monitoring tools can provide complete API security. This has led to the so-called “API Security Gap”, as documented in an earlier post: these traditional AppSec tools were built for page-centric applications, are not designed to understand the unique behavior and data flows of APIs, and are unable to secure object- and data-centric APIs.
Below we examine in detail some of these competing technologies and also explore the different approaches these solutions deliver.
What are the different approaches to API Security?
API Security by Design
In this approach, an API is properly defined and documented in an API contract (using the OpenAPI/Swagger specification). This contract acts as a single source of truth and has many uses: it is the design for the API itself, it provides clear specifications for front-end and backend teams, it supports integration work and, most importantly, it is used for API security testing and protection. More information on why the API contract matters.
Key benefit: The benefit of adopting this approach is that the API contract becomes the foundation for the entire API security lifecycle. This ensures that everyone involved in the SDLC (developers, testers, operations, and security teams) works from one authoritative document, eliminating inconsistencies between design, implementation, and documentation.
Pre-Production API Security Testing
Both the API and API Contract can be tested for conformance in the IDE by the development team and continuous automation of this testing can be enforced in the CI/CD pipeline by security teams. Testing is conducted for the OWASP API Top 10 vulnerabilities such as BOLA/BFLA and injection paths.
Key benefits: By identifying and fixing issues earlier, companies reduce the potential for vulnerabilities ever reaching production. Remediating issues in pre-production is significantly cheaper and faster than patching them post-deployment. Developers also get immediate feedback inside their IDE, encouraging secure coding habits, resulting in faster releases of production-ready API-based services.
Runtime API Threat Protection
Once an API is pushed into production, it is protected by only permitting requests that are specifically defined in the API contract (API Protection). Any change to the API contract automatically updates the API Protection configuration, affording continuous, real-time threat protection without manual tuning. Using API Protection from 42Crunch, security teams can automatically detect and block real-time exploits and abuse such as BOLA/BFLA, token replay, scraping, injection, mass assignment, and misused endpoints. This capability is unique to 42Crunch and enables us to deliver API security at the speed of development without any delays to enforcement.
Key Benefits: Adopting this approach ensures that your APIs are protected in real time against the OWASP API Top 10 risks and many others besides. Suspicious or non-compliant traffic is automatically blocked before it reaches the API backend. Traditional Web Application Firewalls (WAFs) require constant tuning and manual rule updates to handle evolving APIs. 42Crunch’s approach automates this process by regenerating protection rules directly from the API contract, which drastically reduces operational overhead and minimizes false positives/negatives.
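The pre-production conformance check and the runtime allow-list described above both derive from the same contract. The following is an added illustration of that principle, not 42Crunch code: a constructed OpenAPI fragment and a deliberately minimal checker that denies any request the contract does not describe (unknown path, undefined verb, non-integer path parameter, or an undeclared body property, i.e. a mass-assignment attempt).

```python
import re

# Constructed sample contract: one resource with a strict PATCH body schema.
CONTRACT = {"paths": {"/users/{id}": {
    "get": {"parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}]},
    "patch": {
        "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
        "requestBody": {"schema": {"type": "object", "additionalProperties": False,
                                   "properties": {"email": {"type": "string"}}}}},
}}}

TYPES = {"integer": int, "string": str, "boolean": bool}

def _match_path(template, path):
    """Return the path parameters if `path` matches the OpenAPI `template`, else None."""
    parts = re.split(r"\{(\w+)\}", template)  # literal, name, literal, name, ...
    pattern = "".join(re.escape(s) if i % 2 == 0 else f"(?P<{s}>[^/]+)" for i, s in enumerate(parts))
    m = re.fullmatch(pattern, path)
    return m.groupdict() if m else None

def _type_ok(value, type_name):
    expected = TYPES[type_name]
    # bool is a subclass of int in Python, so reject True/False where an integer is declared
    return isinstance(value, expected) and not (expected is int and isinstance(value, bool))
def check_request(contract, method, path, body=None):
    """Return (allowed, reason); anything the contract does not describe is denied."""
    for template, ops in contract["paths"].items():
        params = _match_path(template, path)
        if params is None:
            continue
        op = ops.get(method.lower())
        if op is None:  # misused endpoint: the path exists but this verb is not defined
            return False, f"{method} not defined for {template}"
        for p in op.get("parameters", []):
            if p["in"] == "path" and p["schema"]["type"] == "integer" and not params[p["name"]].isdigit():
                return False, f"path parameter {p['name']} must be an integer"
        schema = op.get("requestBody", {}).get("schema")
        if schema is not None:
            if not isinstance(body, dict):
                return False, "request body must be a JSON object"
            props = schema.get("properties", {})
            extra = sorted(set(body) - set(props))
            if extra and not schema.get("additionalProperties", True):
                return False, f"undeclared properties {extra}"  # mass-assignment attempt
            for name, val in body.items():
                if name in props and not _type_ok(val, props[name]["type"]):
                    return False, f"property {name} must be {props[name]['type']}"
        return True, "ok"
    return False, f"{path} is not in the contract"  # unknown or shadow path
```

Because the checker reads the contract rather than a hand-written rule set, editing the contract (for example adding a `role` property) changes what is enforced with no separate tuning step.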
API Anomaly detection, API Behavior monitoring and API Discovery
- API discovery identifies APIs in your estate—including shadow/rogue endpoints—often by analysing network and gateway traffic.
- API behavior monitoring observes how APIs are used over time to establish a baseline of “normal” requests and responses.
- API anomaly detection uses statistical models and ML/AI (increasingly including LLMs) to flag deviations from that baseline that may indicate misuse or attack.
The challenge with these solutions is that they are notoriously difficult to install and often require time to establish a baseline of traffic to the API before they can make observations. Furthermore, they need to be reconfigured every time a change to an API is made, which degrades their efficacy and the user experience. When these anomaly detection tools do identify unusual patterns, they typically flag them to a third-party SIEM, but they lack the contextual awareness of what the API should expect and are unable to determine what to permit or block. Such systems are always reactive, cannot block zero-day attacks, and often rely on integrations with third-party products, such as API gateways, to actually block traffic.
For a deeper dive, see our in-depth API security versus Anomaly Detection whitepaper below.
API DAST testing (Dynamic Application Security Testing)
The answer is in the name: application security testing. These tools have been successful at testing applications by sending large amounts of prebuilt generic tests to the application. They were needed for application testing because there is no recognized specification for an application like there is for APIs. APIs usually have explicit specifications (e.g., OpenAPI), rich business rules, and context-dependent behavior. Generic black-box probing struggles without that context.
In our own evaluation against a deliberately vulnerable API, a DAST tool executed 12,000 tests and found none—because it couldn’t infer what the API was supposed to do or validate behavior against the spec. As API security has become an increasing problem, these providers promise to solve API security with the same tool they run application security testing with, but the bottom line is that it doesn’t work. DAST may occasionally catch issues, but it won’t secure your APIs on its own. Effective API security needs context-aware, policy-driven testing and enforcement throughout the lifecycle (design, build, and runtime).
Read our analysis on the differences between API security testing and DAST
API Discovery ≠ API Security
There has been a lot of noise and confusion in the market about API discovery, about not being able to protect what you don’t know, and about the advent of so-called zombie and shadow APIs. 42Crunch recommends maintaining a living, governed API inventory to ensure every API is documented, versioned, and maintained alongside development. But do not confuse API discovery with API security. If you want to secure and protect your APIs, then you need API security testing in the development pipeline and you need real-time API Protection when the APIs are live in production.
42Crunch is the only API security provider that can deliver API security at the speed of API development: API-first security testing and runtime protection that keep pace with modern release cycles. Get full visibility of your API inventory and the controls to secure it, without slowing delivery.
Download our white paper on Building a Future-Proof API Inventory
Who are the leading API security vendors?
As mentioned above, there are different approaches to API security, so we have divided vendors into separate categories to help you understand the different solutions.
Who are the leading security by design API security vendors?
These are vendors that embody “security-by-design” for APIs by plugging into the IDE and CI/CD pipeline and enforcing policy against the API contract. Some vendors offer API linting and governance to help optimize API contract design but lack the security capabilities; others offer DAST testing and integrate with another provider for API discovery. 42Crunch is the only API security vendor that delivers on this full-SDLC API security protection.
- 42Crunch – OpenAPI-driven auditing (300+ checks), API vulnerability and conformance scanning, CI/CD gates, and contract-aware runtime protection; built to shift security left and keep it enforced at runtime.
- Snyk (API & Web) – Developer-centric DAST integrated into pipelines and recent integration with Akamai to discover API schemas.
- SmartBear (SwaggerHub + Spectral) – Linting and governance baked into API design
Who are the top API security DAST vendors?
These are the traditional application security testing providers that are trying to expand their reach to include API security testing by using existing application security testing tooling. Remember that DAST can help find issues on running APIs, but on its own it’s not “API security.” For best results, pair DAST with context-aware checks in CI/CD pipelines and with runtime protection. Some of the better known vendors of DAST are listed below.
- Imperva - Educates on SAST/IAST/DAST concepts but emphasizes runtime protection (RASP/WAAP) rather than a dedicated DAST scanner.
- Blackduck - Offers “Continuous Dynamic” DAST services to identify web app vulnerabilities at scale.
- Snyk - Provides DAST for web apps and single page apps, bolstered by capabilities acquired via Probely and new AI-driven testing.
- Wallarm - Positions DAST/security testing integrated into CI/CD to automatically test apps for weaknesses.
- Veracode - Delivers enterprise DAST for web apps with external attack-surface visibility.
- Checkmarx - Markets Checkmarx DAST with authentication support and unified platform management.
- Stackhawk - Developer-centric DAST for web apps, built to run in CI/CD for fast find-and-fix workflow.
Who are the Top API Security anomaly detection and Behavior monitoring vendors?
A lot of vendors, either API security specialists or traditional web application firewall vendors, are staking a claim to identify abnormal behavior by analysing API traffic. There has been a certain amount of M&A activity in this space recently, which has led to some of the more traditional WAF vendors adding API discovery and behavior monitoring to their service offerings. This has added to the confusion and uncertainty in this particular category of the market.
- Traceable.ai (now part of Harness)
- Salt Security
- Cequence
- Akamai (acquisition of Noname Security)
- Imperva / F5 (acquisition of WIB)
- Wallarm
API Security Landscape - Comparative Whitepapers
Below we examine in detail some of these competing technologies and how 42Crunch’s API security-by-design presents enterprises with an optimum approach to solving the challenges.
How is API security different from behavioural monitoring and Anomaly detection?
Vendors such as Traceable.ai, Salt Security, Noname, and Cequence offer machine learning (ML) and anomaly detection technologies that promise to identify abnormal behavior in API traffic. Behavioral analytics systems are notoriously difficult to install and maintain, require time to establish a baseline of “normal” behavior and time to retrain after API changes, and often generate false positives and blind spots due to the dynamic nature of APIs. In fast-paced, large-scale API environments, relying on traffic patterns alone adds noise, delays response, and undermines confidence in automated defenses.
In this paper we explain why a “Secure-by-Design” approach, widely endorsed by global cybersecurity agencies, is proving to be the essential best-practice approach to securing APIs.
How is API security different from SAST and DAST?
In traditional application security, broad test coverage is often achieved by running large suites of generic attack payloads. But in API security testing, relevance is more important than volume, and in fact irrelevant tests often do more harm than good. DAST tools operate without awareness of an API’s structure, data model, security requirements, or intent. Instead, generic security rules come pre-built with the tool, inherently lacking context or relevance to the APIs under test.
By contrast, 42Crunch offers security teams API contract testing, which offers a more accurate, scalable, and effective approach. Learn how contract-based API security testing works, why it’s better suited to today’s API threat landscape, and how it enables more reliable security outcomes with less noise and effort.
How to build an API Inventory?
A living, governed API inventory is the foundation of secure, well-managed, and scalable API operations. With 42Crunch, API contracts become a natural part of development, created, updated, and maintained alongside API code without disrupting workflows. Stored in source control, these contracts form a single source of truth that is accurate, shareable, and under the team’s control, avoiding vendor lock-in while enabling collaboration across development, security, and operations.
API discovery should be treated as a short-term clean-up operation to bring existing unmanaged or undocumented APIs under governance. By keeping the process simple, talking to teams, retrieving evidence from sources such as API gateways, Postman collections, traffic logs, or device logs, and converting it into standardized API records, organizations can quickly capture and standardize legacy APIs without ongoing operational overhead.
Building the inventory on open, standardized formats ensures it can be leveraged by multiple tools and processes, including automated documentation, mock generation, functional and security testing, governance enforcement, and runtime protection. Storing contracts in version control alongside the API code maintains alignment with development, supports cross-team collaboration, and avoids the drawbacks of proprietary inventory products, such as lock-in, siloing, and limited integration.
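The clean-up step above (turning evidence such as gateway traffic logs into standardized API records) can be scripted. The following is an added example, not 42Crunch code, that works on constructed access-log lines: it templatizes identifier-like path segments, aggregates observed method/path pairs into a skeleton OpenAPI document, and lists anything seen in traffic that the governed contract does not yet cover. The `x-observed-requests` extension field is this example's own convention.

```python
import re
from collections import defaultdict

# Constructed sample gateway access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2025:10:00:02 +0000] "GET /api/v1/users/43 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "PATCH /api/v1/users/42 HTTP/1.1" 204 0
10.0.0.8 - - [01/Jan/2025:10:00:04 +0000] "GET /api/v1/orders/3f2a1c9e-8b7d-4e6f-9a0b-1c2d3e4f5a6b HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "POST /legacy/v0/reports?all=1 HTTP/1.1" 200 9021
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def templatize(path):
    """Replace identifier-like segments (numbers, UUIDs) with an OpenAPI path parameter."""
    segs = []
    for seg in path.split("?", 1)[0].split("/"):  # drop the query string first
        segs.append("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg)
    return "/".join(segs)

def build_inventory(log_text):
    """Aggregate observed method/path pairs into a skeleton OpenAPI document."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            counts[(templatize(m["target"]), m["method"].lower())] += 1
    paths = {}
    for (path, method), n in sorted(counts.items()):
        paths.setdefault(path, {})[method] = {"x-observed-requests": n}
    return {"openapi": "3.0.3",
            "info": {"title": "Observed API inventory (draft)", "version": "0.0.1"},
            "paths": paths}

def undocumented(inventory, known_contract):
    """Return (path, method) pairs seen in traffic but absent from the governed contract."""
    known = known_contract.get("paths", {})
    return sorted((p, m) for p, ops in inventory["paths"].items()
                  for m in ops if m not in known.get(p, {}))
```

The skeleton is only a starting point for the team to complete and commit to source control; it records what was observed, not what the API should accept.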