
Improve API Performance With A Sound API Security Strategy

A FORRESTER CONSULTING THOUGHT LEADERSHIP PAPER COMMISSIONED BY IMPERVA, MARCH 2022


Table Of Contents
3 Executive Summary
4 Key Findings
5 APIs And Security Lead A New Kind Of Push For Digital Transformation
9 Decision-Makers Focus On Security And Visibility As They Scale API Adoption
12 Adopt APIs And Security Technology For Better Data, Quality, And Visibility
15 Key Recommendations
17 Appendix

Project Team:
Madeline Harrell,
Market Impact Consultant
Emily Stutzman,
Associate Market Impact Consultant

Contributing Research:
Forrester’s Infrastructure & Operations
research group

ABOUT FORRESTER CONSULTING

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their
organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect
you directly with research analysts who apply expert insight to your specific business challenges. For more information,
visit forrester.com/consulting.

© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on the
best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®,
Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other
trademarks are the property of their respective companies. [E-53311]

IMPROVE API PERFORMANCE WITH A SOUND API SECURITY STRATEGY 2


Executive Summary
As decision-makers prioritize closer customer relationships or streamlined
internal operations, API adoption in 2022 continues to expand, and so too
must related security functions and processes. With competing or evolving
priorities across teams, companies must find a balance as they expand
adoption of APIs and the security that protects their assets. While line-of-
business (LOB) members are focused on overall employee productivity,
developers want to be sure they have the skills ready to safely implement
valuable APIs. Overall, decision-makers are realizing APIs will improve
internal data quality, improve customer visibility and trust, build a better
product for customers, and streamline internal processes. But before they
reap these benefits, a holistic API security strategy comes first. Continuous
visibility into APIs reduces the complexity of securing them. An API security
technology can reduce complexity around securing APIs, ease compliance,
and enhance the ability to classify API-transferred data, ensuring all key
modes of visibility. To overcome security concerns relating to expanding
the attack surface with more channels for data, the right security solution
can assuage concerns and enable APIs to keep delivering on investments.

In January 2022, Imperva commissioned Forrester Consulting to evaluate
the adoption and use of APIs and API security technology at midsize to
enterprise organizations. Forrester conducted an online survey with 456
development, security, and LOB decision-makers in the US, the UK, and
Japan to explore this topic. We found that decision-makers are aware
of how important API adoption is, but they struggle with the necessary
updates to their security postures in scaling APIs with business growth.

78% of respondents say the adoption of APIs is important for their company
to stay competitive in the market.



Key Findings

Digital transformation continues to evolve, and APIs are the
newest star of the show. Decision-makers from companies
of all sizes are using APIs to improve internal operations, data
knowledge, and quality and to better engage customers and
partners. However, that means security postures must also be
refreshed to keep up. Decision-makers equate an increase in API
use with an increase in the number of vulnerable attack surfaces.
The right security updates can allow companies to mitigate
security risks and reap the benefits of increased API usage.

While increased API adoption is a no-brainer, companies
struggle to get their security ducks in a row to ensure secure
adoption. API decision-makers must focus on security and
visibility as they scale API adoption. The need to increase security
alongside increased API adoption is largely supported throughout
the organization, with developers interested in increasing their
understanding of APIs while also prioritizing API security.

When adopting APIs, implement security for them too. To
develop a holistic and successful API strategy, decision-makers
must be prepared to adopt security technology to keep their
company’s customer and proprietary data secure. The bottom
line is that both internal and public API investments are crucial
to increasing visibility and staying competitive. But while
departmental priorities can vary, the need for parallel investments
in security technology for APIs will enable companies to receive
the full benefits of their API investments.



APIs And Security Lead A New Kind
Of Push For Digital Transformation

As decision-makers adapt to global events
and evolving customer priorities, one of their
key priorities is to expand their adoption of
technologies that enable them to meet customer
needs without sacrificing security. Digital
transformation is by no means a new phenomenon,
yet some companies are still behind the curve.
As enterprises look to expand their digital
enablement, they are turning to technologies like
APIs to improve the connection between internal
departments, customers, and partners alike. The
problem? They will need to scale their security
concurrently.

• Digital transformation strategies for 2022 include scaling security
investments alongside new technology to meet customer needs.
Decision-makers are currently lining up heavy investments into
their digital transformation programs; 70% plan to heavily invest
in new technology adoption, while 67% plan to secure their digital
transformation efforts. The specific digital transformation initiatives
for 2022 also line up with security priorities: The highest-ranking
digital transformation initiative is to “improve security (e.g., for API,
endpoint systems, web apps)” at 61%. This is followed by “improve
customer segmentation for sales purposes” at 58% and “improve
customer experience (CX)” at 54%. Likewise, their number-one-
ranked security priority for the next 12 months is to “improve API
security” at 59% (see Figure 1).

• Additionally, 61% of security respondents indicated that improving
API security is a key priority for the next 12 months, while 56% of
application development respondents indicated the same.

• The current state of API adoption. Most companies are at an
intermediate level of API adoption, but what does that look like?


Figure 1
“Which of the following are likely to be your organization’s top
initiatives to support digital transformation over the next 12 months?”
(Showing top-3 results; totals across Rank 1, Rank 2, and Rank 3)
Improve security (e.g., for API, endpoint systems, Web apps): 61%
Improve customer segmentation for sales purposes: 58%
Improve customer experience: 54%

“What are your security priorities over the next 12 months?”
Rank 1 | Rank 2 | Rank 3 | Rank 4 | Rank 5 | Total
Improve API security: 16% | 11% | 11% | 9% | 11% | 59%
Better protect sensitive company and customer data: 13% | 12% | 12% | 11% | 11% | 59%
Improve threat detection capabilities: 12% | 11% | 10% | 10% | 11% | 54%
Implementing a Zero Trust security strategy: 11% | 14% | 11% | 11% | 9% | 54%

Base: 456 development, security, and LOB decision-makers in the US, the UK, and Japan
Source: A commissioned study conducted by Forrester Consulting on behalf of Imperva, January 2022



The average level of digital transformation lines up with API adoption at
just over 50% (internal and external APIs), with expectations for those
numbers to increase. Half of our respondents have between 25 and 250
internally published APIs, and over half of respondents expect that number
to increase over the next year to improve data analysis (68%), implement
new features (68%), and improve response time of applications (64%). For
public APIs, nearly 60% of respondents have published between 25 and 500
APIs. Over the next year, over half of respondents are expecting to increase
their delivery of APIs for partner/customer integrations (69%), deliver/extend
new application capabilities (60%), and improve service delivery (60%). With
this widespread increase in public API adoption, company attack surfaces are
also expanding. This increase in risk ties directly to API security becoming
a top priority for respondents in the next 12 months (see Figure 2).

• Of all respondents planning to increase their number of publicly published
APIs, those in the UK are set to increase theirs by 28.2% on average. This
is 2% more than those in either Japan or the US, on average. This shows a
tendency in UK respondents’ strategies to lean more on connecting with
partners and customers. For internally published APIs, the trend is
different. UK decision-makers have the lowest intent to increase (26.5% on
average), while those in Japan are most interested in increasing internal
APIs (28.4%). The US is in the middle at 27.4%. This shows a skew toward
enabling internal strategies with APIs.

Figure 2
“How many APIs does your organization currently have published internally
(i.e., to a gateway)?” (Showing top results)
500 or more: 2%
250-499: 8%
100-249: 25%
25-99: 24%
1-24: 7%

“How many APIs has your organization publicly published (i.e., B2B, open
web, external parties)?” (Showing top results)
500 or more: 1%
250-499: 6%
100-249: 23%
25-99: 30%
1-24: 17%

Base: 456 development, security, and LOB decision-makers in the US, the UK, and Japan
Source: A commissioned study conducted by Forrester Consulting on behalf of Imperva, January 2022



ANOTHER KEY PROBLEM: DEPARTMENTAL VISIBILITY

There is a clear disconnect between decision-makers from different
departments on how many public APIs their company has published.
Twenty-nine percent of LOB respondents believe their company has
between 25 and 99 public APIs; 26% of IT/ops/compliance respondents
believe their company has between 1 and 24; while 32% of security and
application developers believe their company has 25 to 99 public APIs.
This indicates a lack of alignment in understanding what APIs they
possess, which signifies a lack of knowledge of what is in those APIs and
how they are being used.

• API adoption is growing with digital transformation investments.
As decision-makers invest in new technology (i.e., new or increased
API adoption) as part of their digital transformation strategies, they will
be able to meet their goals of improving connection with customers
while improving data ownership and protection. API adoption is
deemed important for connecting with customers (88%), improving
data ownership and management (83%), and connecting with partners
(78%). It also lends a hand to improving internal alignment of teams
(70%). While the benefits for investing in APIs for data visibility and
ownership are clear, along with a myriad of other reasons, decision-
makers are still struggling with the final hurdle of adoption: ensuring
their current investments remain safe as they scale (see Figure 3).

Figure 3
“How important is the adoption of APIs to the following initiatives?”
Showing very important/important responses
Connecting with customers (applications): 88%
Improving data ownership and management: 83%
Connecting with partners: 78%
Improving alignment of internal teams: 70%
Streamlining business processes: 61%

Base: 456 development, security, and LOB decision-makers in the US, the UK, and Japan
Source: A commissioned study conducted by Forrester Consulting on behalf of Imperva, January 2022



Decision-Makers Focus On Security And
Visibility As They Scale API Adoption

Seventy-eight percent of respondents say the adoption of APIs is important
for their company to stay competitive in the market, but 70% of all
respondents say that the lack of API security has kept them from increasing
API adoption. Decision-makers know that adopting more APIs for reasons
relating to CX and internal process optimization is key to business success,
but their security fears are getting in the way. In order to secure the future
success of their business, decision-makers must scale security alongside
API adoption. For LOB decision-makers, the implementation of APIs must
also be seamless to avoid breaks in workflows/productivity. Companies
need APIs, but their decision-makers also need to keep the business
up and running. This is underscored by developers’ points of view:
The personnel (developers) that ultimately develop and work
with APIs also agree that they need more knowledge and tools to
effectively and holistically implement a successful API strategy.

• Security is a main organizational and technical concern
when it comes to increasing API adoption. Overall, the
main concerns of decision-makers center around keeping
productivity up and security events due to API adoption at
bay — they are nervous that API adoption will increase attack
surfaces (55%), expose sensitive data to the wrong people
(52%), or disrupt employee workflows (45%). Scaling security
with API adoption is also a main technical challenge.

• Fears around expanding attack surfaces or data exposure are
the number one concern across the business, except for LOB
leaders. LOB leaders are most concerned about keeping employees
productive and tackling the misalignment of internal leadership
on goals or adoption. It seems IT decision-makers (ITDMs) have
some work to do in educating their LOB peers on the most likely
challenges and benefits of furthering their API adoption. Fifty-
nine percent of IT/ops/compliance respondents indicated they are
concerned about the growing attack surface and securing company
data, while LOB reported at 49%.



• Developers agree: Companies need help with their API adoption plans.
Developers are on the same page with their larger organizations; their
top-ranked challenge in increasing API adoption is an increased risk of
unnecessary exposures to sensitive data, as well as a clear lack of API
security knowledge and long mean time to repair. Along with security
scalability concerns, decision-makers are challenged with the integration
into existing systems (60%), enabling proper API authentication and
authorization (55%), and the heavy reliance on IT resources with little
bandwidth (50%). Fifty-eight percent report that their security teams face
difficulty in managing identity and access management for APIs.
Authentication and authorization can be helped by securing APIs as part
of a larger Zero Trust strategy, but it seems their IT resources are already
strained. Decision-makers could benefit from leaning on third-party
resources to address the knowledge gap of how to implement and maintain
the security of their growing number of APIs. This is bolstered by the
security team’s lack of knowledge of their own company’s data. The main
challenges security teams face when it comes to their company’s APIs are
related to knowing what data they collect, where it is stored, and who has
or should have access to it. Sixty-three percent report difficulty with
assessing and classifying sensitive data shared across APIs (see Figure 4).

• While decision-makers increase API adoption, it is worth noting that the
need to scale security is the largest challenge overall. As they increase
API adoption, the security department is the least concerned with scaling
security. They know what they need to cover to scale, but other groups
lack the knowledge and therefore are concerned with scaling APIs.

Figure 4
“What are your company’s main organizational challenges in increasing
adoption of APIs?” (Showing top-3 answers)
Fear around expanding our attack surface/securing our data: 55%
Fear of exposing sensitive data to the wrong people: 52%
Desire to refrain from disrupting employee workflows: 45%

“What are your company’s main technical challenges in increasing
adoption of APIs?” (Showing top-4 answers)
Scaling security as we increase API adoption: 62%
Integration with existing systems: 60%
Enabling proper API authentication and authorization: 55%
Heavy reliance on IT resources with little bandwidth: 50%

Base: 456 development, security, and LOB decision-makers in the US, the UK, and Japan
Source: A commissioned study conducted by Forrester Consulting on behalf of Imperva, January 2022

• Visibility is key to assuaging security fears when adopting
third-party APIs. Before decision-makers invest in a third-
party API strategy, they want better insight into the strategies
of those vendors, especially when it comes to security. Their
key challenge is that they lack visibility into the overall security
strategies of these third-party companies (63%). This is the only
challenge that beats the two cost-related challenges — the cost
to run third-party APIs (57%) and the cost to develop third-party
APIs (54%). Concerns around these companies’ built-in security
(49%) and the difficulty of ensuring code quality (39%) are the
challenges with the fewest respondents in agreement
(see Figure 5). Decision-makers are more confident in the quality
and security tools that come from third-party API companies,
but they are most interested in knowing how the proverbial
proprietary sausage is made.

Figure 5
“What main challenges does your company face with third-party APIs?”
We lack visibility into their security strategy as a whole: 63%
There is a high cost to run third-party APIs: 57%
There is a high cost to develop third-party APIs: 54%
Their built-in security is not secure enough for our products/sensitive data: 49%
It is difficult to be sure of code quality of third-party APIs: 39%

Base: 456 development, security, and LOB decision-makers in the US, the UK, and Japan
Source: A commissioned study conducted by Forrester Consulting on behalf of Imperva, January 2022



Adopt APIs And Security Technology For
Better Data, Visibility, And Quality

Sixty-two percent of respondents say the value they gain from APIs is worth
the adoption, as long as security scales with it. Ninety-seven percent are
scaling their API security strategy with new tools or processes.

• APIs provide technical benefits to the IT and development teams. APIs
provide improved quality of software (55%), increased reuse of code via
APIs (47%), and shortened development cycle times (46%). APIs are shown
to improve the efficiency of developers, while also improving the quality of
their output.

• LOB teams are primarily focused on APIs improving the quality of their
software (59% of LOB teams vs. 54% of all respondents). Meanwhile, to ease
the burden on their overstretched IT departments, IT/ops/compliance
personnel are expecting APIs to increase the reuse of code as the number
one benefit. They are also expecting a reduced number of defects per sprint
(49% vs. 41%) and the ability to easily introduce new features (48% vs. 41%).

• APIs win with the right security strategy. The biggest business benefit
that decision-makers have seen from using APIs is the ability to scale with
their company’s needs (64%). This is followed by an increased adoption of
new services (59%), improved developer efficiency (59%), and improved
visibility into data for all business units (58%) (see Figure 6).

Figure 6
“What main challenges does your company face with third-party APIs?”
(Showing top-3 results)
Improve quality of software: 55%
Increased reuse of code via APIs: 47%
Shorten development cycle times: 46%

“Which of the following business benefits has your company seen or would
expect to see from using APIs?” (Showing top-4 results)
Rank 1 | Rank 2 | Rank 3 | Rank 4 | Rank 5 | Total
Ability to scale with our company’s needs: 16% | 12% | 12% | 12% | 11% | 64%
Increased adoption of new services (i.e. mobile): 11% | 13% | 14% | 12% | 9% | 59%
Improve developer productivity/efficiency: 13% | 12% | 11% | 11% | 11% | 59%
Improved visibility into data for all business units: 13% | 11% | 11% | 13% | 11% | 58%

Base: 456 development, security, and LOB decision-makers in the US, the UK, and Japan
Source: A commissioned study conducted by Forrester Consulting on behalf of Imperva, January 2022



With these benefits, API adoption is expected to continue increasing,
and companies are adopting multiple tools to ensure the security of
their API strategy. While over 20% of all respondents are looking to
adopt up to nine new tools to scale their API security strategy, the top
four are service mesh, API management solutions, API gateways, and
application microsegmentation.

• Adoption of API security tools varies somewhat across geographies.
Meanwhile, service mesh, API management solutions, and API
gateways are most popular overall, with decision-makers in Japan
showing a propensity for application microsegmentation (36% vs.
30% overall) and distributed denial-of-service (DDoS) solutions (28%
vs. 22% overall). They are also showing a higher interest in bot
management (21% vs. 17% overall), while those in the UK and US are
less interested in this customer-facing method of API security. This
highlights the continued wariness that decision-makers in Japan
have around externally facing APIs.

• Security tools help classify data and understand the
API footprint. Decision-makers are mainly focused on:
1) scaling security for API adoption (78%) and 2) securing
APIs like any other internet-connected app (70%). However,
they need to see less complexity from their security tools.
Of the benefits they have seen or would expect to see
from adopting an API security technology, decision-makers
lead with the ability to classify data transferred over APIs
(71%), the ability to easily meet regulatory and compliance
requirements around APIs (66%), and the ability to reduce
complexities around securing API usage (65%). Decision-
makers are looking to API security technologies to not
only keep their company’s data safe within their APIs but
to also reduce the complexity around API management.
With the development team’s lack of knowledge on APIs,
and with the safety of data and CX at stake, decision-
makers are ready for tools that provide robust security,
improved visibility (i.e., who has access to it), and reduced
complexity around securing their APIs (see Figure 7).



Figure 7
“What benefits have you seen/would you expect to see from adopting
an API security technology?”
(Showing top-5 results; totals across Rank 1 to Rank 5)
Ability to classify data transferred over APIs: 71%
Ability to easily meet regulatory and compliance requirements around APIs: 66%
Ability to reduce complexity around securing API usage: 65%
Ability to identify and catalog APIs and endpoints: 62%
Ability to assess/determine sensitivity of data transferred over APIs: 61%

Base: 456 development, security, and LOB decision-makers in the US, the UK, and Japan
Source: A commissioned study conducted by Forrester Consulting on behalf of Imperva, January 2022



Key Recommendations
APIs undeniably play a key role for customer and partner engagement both
inside and outside of organizations. Unfortunately, API security has not kept
pace in a world without perimeters. Do not let the fear of API insecurity keep
your company from embracing APIs. Forrester’s in-depth survey of LOB
decision-makers, developers, and security professionals about API security
yielded several important recommendations:

Discover all the API endpoints.

Even though the survey indicated that security professionals were the least
concerned about scaling security, they cannot secure what they do not know
about. Create an accurate inventory of APIs as they can be buried inside
mobile apps or web apps or even show up as asynchronous JavaScript and
XML (AJAX) requests or webhooks. This inventory will not only help you
define what you should be protecting, but it will also identify if any APIs have
accidentally been deployed into production.
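One way to start the inventory the recommendation calls for is to derive the set of routes actually being served from gateway or WAF access logs and diff it against the routes the team has documented. The script below is an added example, not code from the paper or from Imperva; the log lines, the declared inventory, and the log format (method, path, status) are constructed for illustration.

```python
"""Build an API endpoint inventory from observed traffic and diff it
against the endpoints the team believes it has published.

Added example for the "Discover all the API endpoints" recommendation;
not part of the Forrester/Imperva paper. The log lines and the declared
inventory are constructed here for illustration."""
import re
from collections import Counter

# Constructed sample in a simplified access-log style (method path status).
# In practice these lines come from the API gateway, WAF, or CDN logs.
SAMPLE_LOG = """\
GET /api/v1/users/1042/profile 200
GET /api/v1/users/7/profile 200
PUT /api/v1/users/7/profile 200
POST /api/v1/orders 201
GET /api/v1/orders/9f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f 200
GET /api/v2/orders/9f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f/items 200
POST /webhooks/payment-provider 204
GET /internal/debug/config 200
GET /static/app.js 200
"""

# Routes the team has declared (e.g. extracted from an OpenAPI document).
DECLARED = {
    ("GET", "/api/v1/users/{id}/profile"),
    ("PUT", "/api/v1/users/{id}/profile"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
STATIC_EXT = (".js", ".css", ".png", ".ico", ".map")


def normalize_path(path: str) -> str:
    """Collapse numeric and UUID identifiers into {id} so that requests
    for different objects map to one route template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
                    for seg in path.split("/"))


def is_api_candidate(path: str) -> bool:
    """Skip obvious static assets; anything else may be an API route."""
    return not path.lower().endswith(STATIC_EXT)


def observed_endpoints(log_text: str) -> Counter:
    """Count (method, route_template) pairs seen in the log."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_api_candidate(m["path"]):
            continue
        seen[(m["method"], normalize_path(m["path"]))] += 1
    return seen


def inventory_diff(log_text: str, declared: set):
    """Split observed routes into documented and shadow (undeclared) sets,
    and list declared routes that never appeared in traffic."""
    seen = observed_endpoints(log_text)
    documented = {ep: n for ep, n in seen.items() if ep in declared}
    shadow = {ep: n for ep, n in seen.items() if ep not in declared}
    unused = declared - set(seen)
    return documented, shadow, unused


if __name__ == "__main__":
    documented, shadow, unused = inventory_diff(SAMPLE_LOG, DECLARED)
    print("Shadow endpoints (observed but not declared):")
    for (method, route), n in sorted(shadow.items()):
        print(f"  {method:5} {route}  ({n} requests)")
    print("Declared but never observed:", sorted(unused))
```

On the constructed sample the diff surfaces three undeclared routes (a v2 endpoint, a webhook receiver, and a debug endpoint), which is exactly the class of "accidentally deployed" API the recommendation is about.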

Secure APIs with a plan, not just desire.

Although developers and security professionals agree on the critical priority
of securing APIs, security does not happen based on desire alone. APIs are
not only subject to the same code vulnerabilities as traditional web apps —
they have more accessible endpoints, multipartner authors, and complex
authentication and authorization — since API calls can come from a wide
array of customers, partners, and applications. Perform the same prerelease
testing on API code and create tests that are specifically for identity data
flow, trust-level issues, and layer production protections.
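As an added illustration of the tests this recommendation asks for, the block below pairs a minimal profile handler with prerelease tests that check trust level (who may read which object) and identity data flow (which fields reach which caller). It is not code from the paper; the handler, the roles, the `profile:read` scope and the user records are all constructed for the example.

```python
"""Prerelease authorization tests for an API handler: object-level
access (trust level) and which identity fields flow out to whom.

Added example for the "Secure APIs with a plan" recommendation; not
code from the paper. Handler, roles, scope name and records are constructed."""
from dataclasses import dataclass

# Constructed user store. "tax_id" is the sensitive field whose flow is tracked.
USERS = {
    7:    {"id": 7,    "name": "Ada", "email": "ada@example.test", "tax_id": "TAX-7"},
    1042: {"id": 1042, "name": "Bob", "email": "bob@example.test", "tax_id": "TAX-1042"},
}


@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str            # "user", "support", or "admin"
    scopes: frozenset    # OAuth-style scopes carried by the caller's token


class Forbidden(Exception):
    pass


def get_profile_vulnerable(caller: Principal, target_id: int) -> dict:
    """'Before' version: the caller is authenticated, but ownership of the
    requested object is never checked, so any user can read any profile."""
    return dict(USERS[target_id])


def get_profile(caller: Principal, target_id: int) -> dict:
    """Hardened version: trust level decides access, and the response shape
    depends on the caller's relationship to the record."""
    if "profile:read" not in caller.scopes:
        raise Forbidden("missing scope")
    record = USERS.get(target_id)
    if record is None:
        raise Forbidden("not found")  # same error as a denial: no enumeration oracle
    if caller.user_id == target_id or caller.role == "admin":
        return dict(record)           # full record for the owner or an admin
    if caller.role == "support":
        return {k: record[k] for k in ("id", "name", "email")}  # tax_id never flows
    raise Forbidden("not owner")


# --- prerelease tests (pytest discovers the test_* functions) ---
SCOPES = frozenset({"profile:read"})
OWNER = Principal(7, "user", SCOPES)
OTHER = Principal(1042, "user", SCOPES)
SUPPORT = Principal(500, "support", SCOPES)
ADMIN = Principal(1, "admin", SCOPES)
NO_SCOPE = Principal(7, "user", frozenset())


def denied(fn, *args) -> bool:
    """True if the call is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def test_owner_sees_own_full_record():
    assert get_profile(OWNER, 7)["tax_id"] == "TAX-7"


def test_cross_user_read_is_refused():
    assert denied(get_profile, OTHER, 7)


def test_support_never_receives_tax_id():
    assert "tax_id" not in get_profile(SUPPORT, 7)


def test_admin_and_scope_checks():
    assert get_profile(ADMIN, 1042)["id"] == 1042
    assert denied(get_profile, NO_SCOPE, 7)
    assert denied(get_profile, ADMIN, 99)  # unknown id is not distinguishable


def test_vulnerable_handler_documents_the_defect():
    assert get_profile_vulnerable(OTHER, 7)["tax_id"] == "TAX-7"


def run_all() -> int:
    """Run every test_* function in this module; return the count run."""
    fns = [f for n, f in globals().items() if n.startswith("test_")]
    for f in fns:
        f()
    return len(fns)
```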



Choose carefully when it comes to API security technology.

Given that securing APIs is complex, security professionals will require
several tools such as prerelease testing, API management, traffic anomaly
detection, service mesh, web application firewalls (WAFs), and bot
management. Choose as many tools as possible that work together, or you
will make an already complex problem unnecessarily difficult.

Continue to push on developer and security professionals’ alignment.

Security professionals lack knowledge of what data APIs collect, where it is
stored, and who has or should have access to it. Without this knowledge,
security protections will be best effort only. Only by sharing this data will APIs
be secured and thus deployed confidently.



Appendix

Appendix A: Methodology
In this study, Forrester conducted an online survey with 456 development, security, and LOB decision-
makers in the US, the UK, and Japan to explore this topic. Survey participants included decision-makers
in IT and LOB roles with influence over API solutions and strategies. Respondents were offered a small
incentive as a thank you for time spent on the survey. The study began in December 2021 and was
completed in January 2022.

Appendix B: Demographics/Data

GEOGRAPHY
North America: 33%
UK: 34%
Japan: 32%

COMPANY REVENUE
>$5B: 5%
$1B-$4.9B: 39%
$500M to $999M: 42%
$100M to $499M: 14%

COMPANY SIZE (NUMBER OF EMPLOYEES)
>20,000+: 5%
5,000-19,999: 22%
1000-4,999: 36%
500-999: 27%
100 to 499: 10%

INDUSTRY (TOP 5)
Healthcare: 13%
Banking: 12%
Insurance: 11%
Financial services: 11%
Retail/e-commerce: 10%

RESPONDENT LEVEL
C-level: 12%
Vice president: 36%
Director: 23%
Manager: 26%
Full-time practitioner: 2%

RESPONDENT DEPARTMENT
IT: 10%
Product management: 6%
Operations: 6%
Compliance/governance: 6%
Marketing: 5%
