The startup API security market is coming into its own. Although this niche is relatively young, startups have raised hundreds of millions, and a couple has reached unicorn status. But, of course, we’re describing the pure plays, not the CDNs. In our case, pure-play is a company focused on API security.
From an analyst perspective, Gartner couples web application security and API protection into WAAP, where Akamai and Imperva lead the pack. However, we’re interested only in API security. And Forrester doesn’t seem to be tracking the segment either.
Also, there is the API Management market where the likes of Kong, Apigee (Google), and Mulesoft (Salesforce) lead the industry, but they are not focused entirely on security. So let’s explore this emerging market.
Three CDNs and Imperva (CDN-lightweight) provide API security but not end-to-end security. In the pure-play API security market, we’ve identified eight startups. We’re sure there are several more pure-plays out there.
Fastly (Signal Sciences)
Coincidently, the two leaders in the segment, Salt Security and Noname Security, also have the coolest names. Both are unicorns that raised north of $200M. What’s more impressive, the company with no name started in 2020.
The table is a snapshot of time. Salt Security is in the best position to go IPO if that’s the plan. They’ve been around since 2016 and hired a CFO who took Monday.com public.
API Security Startup Venture Activity
|Company||Founded||Series A||Series B||Series C||Series D||Total||Valuation|
|Astrix Security||2021||$15M (seed)|
CDN API Security vs. Pure-play API Security
How does CDN API security differ from that offered by pure-play? We don’t know yet. With both sides slinging buzzwords at each other and the market, it isn’t easy to differentiate who does what. However, this is something a little research can solve.
The theme coming from the pure-plays is that traditional WAFs and API gateways fail to protect against targeted API attacks and the OWASP API Security Top 10.
The Salt Security CEO claimed their company could protect against all OWASP API Security Top 10 threats, and traditional security point products cannot.
The OWASP API Security Top 10 describes the ten most prevalent attacks on APIs.
|API Security Top 10||Web Application Security Top 10|
|1. Broken Object Level Authorization|
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
9. Improper Assets Management
10. Insufficient Logging & Monitoring
|1. Broken Access Control|
2. Cryptographic Failures
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)
API Security Features
Here is a list of common themes from the pure-play API security camp.
- Discover internal, external, zombie, unknown, and shadow APIs
- Monitor attacker reconnaissance activity
- Stop individual API attacks
- Stop targeted API attacks
- Protect against business logic attacks
- Remove API vulnerabilities during development
- Shift Left Protection: scan and test API security during build (app dev)
- Runtime protection
- Prevent data exfiltration
- Identify misconfigured APIs
- Identify vulnerabilities in APIs and remediate
- ML-based threat protection
- Big data and ML-driven
We’ll dive deeper into the pure-play API security market in the coming weeks. One of the goals is to identify the difference between CDN API security and pure-play API security. Another goal is to learn more about this emerging market in general.