This article is part of a VB special issue. Read the full series here: The CIO agenda: The 2023 roadmap for IT leaders.
APIs are the cornerstones of digital business, and they define the future of enterprise integration. By enabling different systems and software to communicate with each other, APIs allow enterprises to create new digital initiatives and transform themselves. Gartner reports that 98% of enterprises use or are planning to use internal APIs, up from 88% in 2019. By 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools.
The rapid pace of innovation in API technology, products, platforms and security is redefining what tech stacks will look like for years to come. CIOs and devops leaders say that the leading factor in deciding whether to consume and produce an API is how well it integrates with internal apps and systems. This high priority placed on integration shows that enterprises now consider APIs essential to their infrastructure. CIOs are using these technologies to create new digital-first business initiatives that attract, sell and serve entirely new customers.
Security must be at the center of API integration
Security is core to APIs’ current and future contributions to enterprise integration. The Twitter data breach is a cautionary example of why getting API security right at the platform level is critical for protecting customers’ data.
Enterprises are also suffering from API sprawl. Without enough controls to discover, track and manage APIs, they leave open entry points for attackers to take control of code and apps and potentially gain access to networks. API breaches have become so severe that they are delaying new product launches. Nearly every devops leader (95%) says their teams have suffered an API security incident in the last 12 months.
API protection and security innovations help to harden web APIs against exploits, abuse, unauthorized access and denial of service attacks. These solutions often protect internally developed APIs that are publicly available and connected to enterprise applications. They work by examining the content and parameters of APIs, managing traffic and, at a minimum, analyzing traffic for unusual activity.
Gartner’s PaaS security reference architecture shows the central role of API discovery and protection, along with API security tooling, in securing the PaaS and IaaS levels of an enterprise’s tech stacks. Source: SALT Security, API Security Tipping Point – Gartner just “Created the Category” blog post, August 31, 2021
“API security, like application security overall, must be addressed at every stage of the SDLC [software development life cycle],” Sandy Carielli, principal analyst at Forrester, told VentureBeat in an interview. “As organizations develop and deploy APIs, they must define and build APIs securely, put proper authentication and authorization controls in place (this is a common issue in API-related breaches), and analyze API traffic [so as] to only allow calls in line with the API definitions.”
Carielli continued, “A common issue with organizations is inventory. Owing to the sheer number of APIs in place and the tendency to deploy rogue APIs (or deploy and forget), many security teams are not fully aware of what APIs might be allowing external calls into their environment. API discovery has become table stakes for a lot of API security offerings for just this reason.”
CIOs need to partner with CISOs and start by taking a least privileged access approach that aligns with their zero-trust framework and helps to prevent sprawl. This approach should be integrated into devops and CI/CD processes, rather than treated as a separate entity. “When considering API strategy, work with the dev team to understand the overall API strategy first,” Carielli said. “Get API discovery in place. Understand how existing appsec tools are or are not supporting API use cases. You will likely find overlaps and gaps. But it’s important to assess your environment for what you already have in place before running out to buy a bunch of new tools.”
API protection rules should be flexible and able to change based on the specific needs of the API. One-size-fits-all approaches like static rate limits or IP allow/block lists are ineffective in production environments or when the API is being used at a large scale. A system that can adapt to the API’s usage patterns, and implement protection measures accordingly, is essential.
Graph APIs are defining the future of enterprise integration
A graph API is a way for a developer to access and manipulate data organized into a graph structure, which includes both objects and the relationships between them. Graph APIs are different from REST APIs, which represent data as isolated resources without relationships.
GraphQL is one way to define a graph API. It lets devops teams and developers query and change the data by following and filtering the connections between objects. Some graph APIs, such as the Facebook Graph API, provide a unified interface for accessing multiple data sources and APIs. GraphQL’s adoption has soared from 6% of developers in 2016 to 47% in 2020, according to the State of GraphQL 2022 survey.
Graph APIs are becoming more popular because they allow developers to quickly access data as they build modern front-end enterprise applications. GraphQL federation is also gaining traction. Here, larger enterprises including Airbnb and Netflix use devops teams and platform providers to combine multiple independently managed subgraphs into a larger graph schema.
Graph APIs also enable organizations to model, expose and use the valuable metadata associated with the relationships between data entities.
One key factor contributing to graph APIs’ growth is that they enable developers to easily access data independently, without assistance.
Graph APIs also allow API users to specify the exact data they want to be returned in the API response; this provides more flexibility and control than REST APIs, which follow a more rigid structure.
In addition, several companies offer graph APIs that allow for data access across a range of different applications. Examples include Microsoft’s Microsoft Graph API, which can be used to access various Microsoft applications such as Azure AD and Exchange Online; and SAP’s SAP Graph API, which provides access to various SAP applications, including SuccessFactors and S4/HANA. There is a growing trend for API management products to support GraphQL.
API life cycle management is table stakes
API life cycle management platforms are indispensable for enterprise devops teams that need to manage and govern APIs at scale — and these APIs are essential for building multi-experience applications and enabling digital transformation. API life cycle management allows for increased reliance on API products to generate new revenue streams.
All API life cycle management platforms also provide security measures to protect against API breaches and the associated business risks. The API management market is projected to grow by $6.7 billion between 2021 and 2026, attaining a 20.6% compound annual growth rate (CAGR).
One factor contributing to API life cycle management’s central role in defining the future of enterprise integration is that API adoption is skyrocketing in enterprises, growing over 200% as CIOs implement them to connect systems, applications, devices and other businesses. Another is that enterprises’ large-sale adoption of cloud-native architectures, particularly in microservices, service mesh and serverless computing, is leading to increased use of APIs in devops and across software engineering. These approaches rely heavily on APIs to facilitate communication and integration between different components and services.
Two API innovations to watch in 2023
One key API innovation to watch this year is event-driven APIs. These are proving effective in enabling faster response to streaming analytics, which many enterprises use to create new business models and digital transformation projects. Event-driven APIs also enable push notifications, which are more efficient and cost-effective in terms of time and networking resources than polling.
The OpenAPI Specification (OAS) version 3, introduced in 2017, has become a widely accepted standard for publishing APIs. It includes a feature called callbacks for describing event-driven APIs. OAS version 3.1, released in February 2021, added support for webhooks, a popular method for implementing event-driven APIs accessible via the internet. However, it’s important to note that while webhooks can be used to implement event-driven APIs, they only support a one-to-one communication pattern rather than the many-to-many pattern possible with event-driven architecture (EDA).
A second API innovation to watch this year is API security testing, which is gaining rapid adoption for identifying vulnerabilities in APIs. It involves checking for general application vulnerabilities, such as injection attacks, as well as API-specific issues, such as broken object-level authorization. API-based discovery technologies are used to identify unknown APIs exposed to the outside world.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.
Securing a dynamic future for APIs and enterprise integration