DZone Research: API Concerns
Concerns about the current state of API management revolve around security and consolidation of third-party tools.
Join the DZone community and get the full member experience.Join For Free
To gather insights on the current and future state of API management, we talked to 17 executives who are using APIs in their own organization, as well as helping clients use APIs to accelerate their digital transformation and the development of quality applications. We asked them "Do you have any concerns regarding the current state of API management?"
Here's what they told us:
- Lack of focus on security. A lot of customers used a WAF or CDN for security. Couldn’t stop automation. API management platforms are good at scaling APIs but not good at stopping automated attacks.
- Challenges are surfacing for clients. T-Mobile, Under Armor breaches, can be directed to poor security quality of APIs. Ultimately make sure the data is secure and not being leaked. The API requires credentials and identity to access the data. Look at the chain of custody starting with the data, identity to access the device and then the device on which the application is running ties together by APIs. APIs are the glue and important for integrating things together. All need to be certified to be secure.
- New challenges around serverless backed APIs change the paradigm. Different than containers. Leverage tools from AWS like API gateway. There's room for improvement. See how that evolves over time. Better support for serverless. Consolidation of third-party tools will continue.
- We are in a state where API management is maturing, and the concept of exposure and governance is becoming more mature and going mainstream. There is turbulence around paradigm change. Things are always most turbulent at the boundaries. Organizations adopting architectural design patterns will be turbulent — want to adopt versus not.
- A lot of consolidation of tools. There are interest and money with new features. Will this come at the expense of the end-user experience? Bait and switch strategy. Will move from the core value of the tool to generate more revenue without regard to building and testing. This can hurt innovation. We’ve seen this with databases. 2) People place a lot of importance on the developer portal aspect of API management. The amount of offering is great for public APIs but not needed for developers. The vast majority of APIs are private. Have portals tailored to people with a majority of private APIs?
- The API Management industry is moving in two opposing but equally concerning directions. First, there has been a consolidation of the industry into a small group of large cloud providers, which creates a trend toward single-cloud lock-in. In reality, most large enterprises have a multi-cloud or hybrid strategy that includes multiple public clouds and on-premises application deployments and need a more open posture when it comes to adopting something as critical to their business as API Management. Second, as more startups spring into the void left by consolidation, these vendors are often focused solely on one aspect of the API lifecycle — testing or monitoring, for instance. If an enterprise wants to adopt these technologies, they end up having to cobble together a custom framework of disparate services to provide everything needed for full lifecycle API Management. If any one portion of that pipeline is disrupted, or if one of these small vendors goes out of business or gets acquired, the customer could be left with an incomplete solution. Modern enterprises need end-to-end solutions that don’t lock them into a single deployment pattern or architectural style, yet still, provide a complete offering.
- It depends on your perspective. As a vendor, I’m concerned about the basic capabilities being commoditized. We need a different vision for what API management means in 2018 and beyond.
- There is a lot of crap in the ecosystem, mistakes people make. The same is true of API development. Consumption provides the best marketplace. It varies which APIs you can trust based on the underlying system supporting them. It’s difficult to determine if you can trust a small player. Be careful how you are sharing PII. Given that most apps are a patchwork of APIs stitched together you are at the mercy of someone else. As people are developing new APIs there is a false illusion whatever is working in the cloud will work on the edge. APIs need to be rearchitected with respect to the edge.
- From a market perspective, there is not a concern, but a significant opportunity for many years to come tied to current trends like blockchain, AI/ML, autonomous capabilities for API management. An automated platform so customers can scale up applications and APIs for their needs. 2) How can you harvest community delivered APIs to deliver best practices in an automated fashion? 3) Hyperscale with the mobile phone, orders of magnitude of data, autonomous capabilities.Absolutely. It’s wide open to all kinds of malware. Take security for granted have to know how to code. Must be familiar with the computer language.
- No, it’s very new in a good way. In two years every customer will have a checklist.
- No, but a long way to go in what API management can offer to the customer with automation and make it seamless. Do a better job of automating processes.
- Need to know what is being integrated. Need to know from a resource perspective is this a viable integration if it’s only being used once a year. Monitor APIs for use and effectiveness. Sophisticated integration tools can help you do that. On the worry side regulatory issues, should you be integrating certain data? You need to actually monitor all of the integrations that are happening in your environment — is it essential to know what kind of data is being passed.
- Absolutely, people start with bad assumptions.
- Many enterprises feel they are too constrained by their current legacy stack to move towards a more open, cloud-native, and microservices-based architecture. This challenge limits the company’s ability to take advantage of new technologies that can create new business value. We enable fully on-prem, hybrid, or cloud-native data, systems, and services to be connected via APIs securely and at scale. Enterprises don’t have to rip and replace. By simply adopting an API-led integration strategy and decomposing the application monolith into microservices one piece at a time, enterprises can achieve the agility and cloud-readiness they desire, which will help them achieve their business goals.
- It’s difficult to address the concerns about the current state of API management because APIs are part of a bigger picture. We have to look at everything holistically and see where API management fits into a particular solution. API management is a piece of a puzzle — a piece of a larger solution. API management is part of all the things that we do, and we use it as a tool in our tool belt. It is a gateway — a good front door for exposing API functionality to first and third-party applications.
- Some people think APIs are now fully understood and democratized. I think we are only entering the industrial age of APIs. Companies are not attempting to manage dozens of APIs anymore, but rather hundreds of APIs. We even see needs for thousands of APIs in a single organization with the explosion of microservices, serverless functions, and digital experience channels.
Here's who we talked to:
- Maxime Prades, Vice President of Product, Algolia
- Jaime Ryan, Senior Director, Product Management & Strategy API Management, CA Technologies
- Ross Garrett, VP Marketing, Cloud Elements
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product Outreach and Marketing, Distil Networks
- Oren Novotny, Chief Architect, DevOps and Modern Software, Digital Innovation, Insight
- Raj Sabhlok, CEO, ManageEngine
- Keith Casey, API Problem Solver, Okta
- Vikas Anand, Vice President Product Development, Oracle
- Mike LaFleur, Global Director Solution Architecture, Provenir
- Steve Willmott, Senior Director and Head of API Infrastructure, Red Hat
- Keshav Vasudevan, Product Marketing Manager, SmartBear
- Chris McFadden, V.P. of Operations, SparkPost
- Jerome Louvel, VP of Product Management, Talend
- Derek Birdsong, Product Marketing Manager, Connected Intelligence Cloud, TIBCO
- Setu Kulkarni, Vice-President of Product and Corporate Strategy, WhiteHat Security
- Roman Shaposhnik, Co-founder VP Product Strategy, and Vijay Tapaskar, Co-founder VP Engineering and Ops, Zededa
Opinions expressed by DZone contributors are their own.