Looking for the Easy Button<\/h4>\n
As a product category, API Security solutions could be classified as residing in the early phases of Geoffrey Moore\u2019s technology adoption lifecycle<\/a>. Many early adopters have chosen to tackle the problem with traffic analysis tools that use AI\/ML to discover known and unknown APIs and identify suspected attacks.<\/p>\n It\u2019s easy to see why these solutions have garnered interest as CISOs come under pressure to do something in light of the ever increasing volume of API breaches that make headlines every week. The idea of deploying something at the perimeter to detect where the weak spots are seems like a reasonable place to start – especially since pushing packets to another security device on the network is quick and easy. Furthermore, most security teams may be hoping that this will become another one of those \u201cset it and forget it\u201d types of tools that, once tuned, will require minimal overhead.<\/p>\n While there\u2019s no doubting the value of runtime monitoring tools when it comes to an API protection program, it seems that many early adopters of this approach have struggled to make meaningful progress.<\/p>\n Based on our discussions with many of these enterprises we have identified three common themes emerging:<\/p>\n At 42Crunch, we\u2019ve been fortunate to work with customers that have chosen to start earlier in the API lifecycle when looking to deploy a security tool. Rather than wait until after the APIs have been deployed, our customers are involving developers as a critical part of resolving the security challenge from the API design time and see 42Crunch as a key enabler for them.<\/p>\nFixing the API Security Problem<\/h4>\n
\n
\n<\/strong>While most of these behavior monitoring tools have a wide range of deployment options, APIs can be scattered across an enterprise\u2019s distributed infrastructure making it extra challenging to get wide standardized coverage across a heterogeneous network environment.<\/span><\/span><\/li>\n
\n<\/strong>Even the most sophisticated detection engines yield a high number of false positives. For SOC teams that already suffer a high degree of alert fatigue, it doesn\u2019t take much for incident responders to lose confidence in a new noisy tool.<\/span><\/span><\/li>\n
\n<\/strong>When the tool detects legitimate API attacks, security teams are ill equipped to take remediative action to fix the root cause. In other words: \u201cthis API is being attacked – now what do I do?\u201d<\/span><\/li>\n<\/ul>\n
![\"Who](\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2022\/05\/Chart-Who-is-responsible-for-API-Security-in-your-organisation-1536x1123-1-300x219.png\")
<\/p>\n![\"42Crunch](\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2023\/08\/YoY-Growth-of-API-Audits-42C-Blog-300x185.png\")
<\/p>\n![\"YoY](\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2023\/08\/YoY-Growth-of-API-Scans-42C-Blog-300x185.png\")
<\/p>\n