Daria Chadwick

11 API Security Experts Share Their Thoughts on the Present & Future of API Security

Changes in the world of API Security are coming and the question is... are you ready for them?

The growth of APIs and the uptick in API attacks are very much the focus of application and security leaders in 2022. But there is much more happening as we build on top of existing approaches and tools that are narrower in focus. As API Security reveals itself to be as much a business-critical problem as a technical one, organizations have a number of challenges to account for.

We recently asked thought leaders in the API protection space to share the insights and challenges they see coming up in 2022, and their solutions/suggestions to take advantage of upcoming trends and changes. Here are their answers:

What's Happening Today

"We made a prediction a few years ago that, by 2022, API attacks would become the most frequent attack vector for enterprise web applications. That is playing out now." - Mark O'Neill, Gartner

"The most surprising thing we found is the pervasiveness of the [API Security] problem coupled with the inability to address the problem within organizations." - Nathanael Coffing, Cloudentity

"Some investigations reveal the average web application or API has nearly 27 serious vulnerabilities. Organizations can have hundreds or even tens of thousands of applications. It’s no wonder then that some of the biggest brand names have been subject to API-related security breaches." - Jonathan Reed

“We estimate that the number of public and private APIs today is approaching 200 million, and by 2031 that number could be in the billions... we’ve merely scratched the surface in terms of the anticipated global economic impact of APIs.” - Rajesh Narayanan, Senior Director, F5




“One of the biggest security challenges we are seeing today is that technologies are rapidly evolving to better serve the growing demand for digital experiences, but the security offerings that protect those technologies are not experiencing that same level of transformation -- and often erode the benefits of modern technology stacks." - Kelly Shortridge, Fastly

“The responsibility for protecting enterprise assets, data, and users from cyber threats no longer falls solely on the security organization, even as the threat landscape becomes increasingly complex. Application security, in particular, is a team sport that requires input and cross-functional collaboration across many parts of an organization.” - John Grady, ESG

"If data is the new oil, then APIs could, unfortunately, become the new plastic, with byproducts wreaking havoc on the ecosystem.” - Rajesh Narayanan, F5

"In a similar way organizations had to get their hands around their data, the API Security world needs to get a handle on API sprawl, incorporate better security practices around APIs pre and post-deployment, and reduce risk from APIs over time." - Daria Chadwick, ReactFirst

What To Do About It

"Across the board, major app sec tooling has to expand to cover APIs." - Sandy Carielli, Forrester Research

"Businesses should look to change their culture rather than try to buy their way to security with tools. What your company considers to be a secure system today may be proved insecure tomorrow. So companies should treat security issues not as a problem to be solved once, but as one that requires continuous fixing, monitoring, and improvements. They need to become resilient operations that always consider security." - Martin Knobloch, CyberRes

"Future risks can't be addressed until you've addressed past risks." - Martin Knobloch, CyberRes

"We live in a highly distributed, perimeter-less world. Apps are now agglomerations of microservices, running on data centers around the world and operated by companies that practice varying degrees of security hygiene. This means security teams need to be able to look beyond the entry point and go deep within applications to make sure every API is safe to use and is being used as intended." - Tom Gillis, VMware



“There are natural gaps in API-related data that teams need to be made aware of. It's essential that organizations provide the ability for API owners to input missing information directly into the system to help fill those gaps in real-time." - Phil Meredith, ReactFirst

“Modern businesses require uniform tools and approaches that can minimize vulnerabilities between their public cloud infrastructure, microservices-based architecture, and legacy applications, while supporting a variety of personas.” - John Grady, ESG

“The average global data breach costs around $4.24 million. Financial losses aside, organizations need to factor in the potential loss of productivity, reputation damage, decreased customer loyalties, legal liability, and business continuity problems from exploited APIs." - Daria Chadwick, ReactFirst

"While effective at preventing attacks, we anticipate that perimeter tools will stop being the ultimate gold standard of API security in 2022 as new technologies come into vogue and as organizations begin incorporating comprehensive security programs to boost their security levels." - Daria Chadwick, ReactFirst

"One of the top contributors to API-related risks is the complexity of component-driven application development. Many organizations have trouble diagnosing or monitoring API security issues because of data lineage gaps. Another common problem is inconsistent policies in place for API security management. Eighty-five percent of the respondents in Cloudentity's survey report having a decentralized level of API policy management in their organization." - Nathanael Coffing, Cloudentity

"It's very difficult to create a coordinated response to an API vulnerability issue. Organizations need a single pane of glass to look into all APIs, the health of those APIs, and the risk they pose to the organization. In addition, there are natural gaps in API-related data that teams need to be made aware of. It's essential that organizations provide the ability for API owners to input missing information directly into that centralized system to help fill those gaps in real-time." - Phil Meredith, ReactFirst


Introducing ReactFirst: an award-winning, comprehensive API threat remediation solution that goes beyond technology to help minimize the threat caused by API security vulnerabilities.

ReactFirst helps bring together a combination of capabilities - a program, technology, and team of experts - to appropriately address the risk caused by API vulnerabilities. Instead of merely identifying problems, it tracks the organization's ability to resolve them, providing a command and control structure that delivers the necessary insights and accountability to see each vulnerability move through the remediation process.

This program is backed by executive sponsorship, supported by cross-industry experts, and enabled by state-of-the-art technology. ReactFirst works as the perfect accompaniment to your existing API strategy, providing the transparency, oversight, and control into the API Remediation process your organization needs as the risk around API vulnerabilities grows.

Talk to us to see if ReactFirst is a fit for you, and whether it can help boost your API Remediation efforts into ones you can trust.

