BLOG

Why most API Security solutions have not delivered on the hype

Discovering your APIs does not secure your APIs

Over the past few months, we’ve heard countless variations of the following from customers and prospects – “We brought a vendor in last year that told us they could discover all of our rogue APIs, tell us where our sensitive data was flowing, and find where and how our APIs are being attacked. We’re now 10 months in and we’ve deployed across only 10% of our APIs, we’re being inundated with false positives, and we feel no closer to addressing the core issue – that we have vulnerable APIs.”

Looking for the Easy Button

As a product category, API Security solutions could be classified as residing in the early phases of Geoffrey Moore’s technology adoption lifecycle. Many early adopters have chosen to tackle the problem with traffic analysis tools that use AI/ML to discover known and unknown APIs and identify suspected attacks.

It’s easy to see why these solutions have garnered interest as CISOs come under pressure to do something in light of the ever increasing volume of API breaches that make headlines every week. The idea of deploying something at the perimeter to detect where the weak spots are seems like a reasonable place to start – especially since pushing packets to another security device on the network is quick and easy. Furthermore, most security teams may be hoping that this will become another one of those “set it and forget it” types of tools that, once tuned, will require minimal overhead.

While there’s no doubting the value of runtime monitoring tools when it comes to an API protection program, it seems that many early adopters of this approach have struggled to make meaningful progress.

Fixing the API Security Problem

Based on our discussions with many of these enterprises we have identified three common themes emerging:

  • Heterogeneous Networks
    While most of these behavior monitoring tools have a wide range of deployment options, APIs can be scattered across an enterprise’s distributed infrastructure making it extra challenging to get wide standardized coverage across a heterogeneous network environment.
  • False Positives
    Even the most sophisticated detection engines yield a high number of false positives. For SOC teams that already suffer a high degree of alert fatigue, it doesn’t take much for incident responders to lose confidence in a new noisy tool.
  • Lack of Remediation
    When the tool detects legitimate API attacks, security teams are ill equipped to take remediative action to fix the root cause. In other words: “this API is being attacked – now what do I do?”

At 42Crunch, we’ve been fortunate to work with customers that have chosen to start earlier in the API lifecycle when looking to deploy a security tool. Rather than wait until after the APIs have been deployed, our customers are involving developers as a critical part of resolving the security challenge from the API design time and see 42Crunch as a key enabler for them.

A recent 42Crunch poll of 243 engineers from development and application security teams at large enterprises across North America and EMEA provides support for this trend.

Who is primarily responsible for implementing API Security in your organisation - 42Crunch Poll

Through the use of our IDE extensions and CI/CD automation, enterprises use our tools to run security tests across tens of thousands of APIs every day. Furthermore, our micro-firewall service provides runtime threat protection in production. Additionally, we’re proud to say that the public community of API developers using our free IDE extension has surged to nearly 1 million strong which validates our ease of adoption.

Charts below depict the increasing rate of adoption of the 42Crunch API security testing services for both API Audit and API Scan over the past 18 months by enterprises and governments globally.

42Crunch Y0Y% Growth of API Audits

YoY % Growth of 42Crunch API Security Scans

As our customers have increased their usage of our platform consistently over time and worked with us to develop new capabilities, we’ve never been more confident that we’re on the right track in this rapidly evolving world of API security. In the words of Robert Frost, these customers took the road less travelled – and it’s made all the difference. If you’re interested in learning more, we’d love to talk.

Latest Resources

WEBINAR

Top Things You Need to Know About API Security

Two of the API security industry’s leading experts, Dr Philippe de Ryck and Isabelle Mauny, guide you through some real-world cases of API security attacks and also share some best practices for securing your APIs.

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protection as attacks on automotive APIs climb within and among vehicle, cloud and mobile  DALLAS and TOKYO, May 29, 2024—VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch  to enhance the security of application programming […]

DataSheet

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

WEBINAR

Top Things You Need to Know About API Security

Two of the API security industry’s leading experts, Dr Philippe de Ryck and Isabelle Mauny, guide you through some real-world cases of API security attacks and also share some best practices for securing your APIs.

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protection as attacks on automotive APIs climb within and among vehicle, cloud and mobile  DALLAS and TOKYO, May 29, 2024—VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch  to enhance the security of application programming […]

DataSheet

Datasheet Cover Images P1-02

Product Datasheet Addressing API Security Challenges

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.