The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Stage | Secure |
| --- | --- |
| Maturity | Viable |
| Content Last Reviewed | 2024-04-24 |
Thank you for visiting this category direction page on API Security Testing at GitLab. This page belongs to the Dynamic Analysis group of the Secure stage and is maintained by John Crowley.
This direction page is a work in progress and everyone can contribute:
API Security encompasses many features that reduce security risks in Application Programming Interfaces (APIs) and protect them from attacks. Modern applications consist of numerous APIs, which let software programs interact with one another efficiently. APIs make it easy for developers to build and maintain applications, and they make it easy for machines to share and modify data. Because APIs frequently transmit sensitive data and expose business logic, they are attractive targets for attackers. Traditional application security techniques should be used in the API development phase, and WAFs and gateways should be used in production, but these methods must also be augmented by additional API-focused security tools and techniques. Because API security has historically been the domain of security teams rather than developers, testing the API in its running state is often overlooked during the development process. Yet the shift-right methods that many organizations rely on, including WAFs and gateways, have proven insufficient to stop security incidents on their own. It is clear that a shift-everywhere, defense-in-depth approach, which includes identifying and remediating security weaknesses early in the API management lifecycle, is critical.
As a category, API Security includes API Security Testing (dynamic) and API Fuzz Testing for REST, GraphQL, and SOAP APIs. Future capabilities include API Discovery, API Inventory, API Risk Scoring, API Analysis, ABAC API Service Mesh, OpenAPI Spec Audit, and gRPC support. This feature set will evolve over time to address the most pressing API Security issues.
Our goal is to help customers reduce the security risks and compliance challenges they face while building and maintaining APIs. We do this by focusing on the earliest phases of the API lifecycle including: design, build, and test. By incorporating security testing early in the API lifecycle, we can help organizations become secure by design. Our themes include:
In GitLab 16.10 we collaborated with Vulnerability Research to Comprehensively Review API Security Testing Checks which will enable us to add additional security checks in the near future.
See our prioritized roadmap here.
Our primary focus for FY2025 is on modernizing our core API Security capabilities. The category has not seen much recent investment due to other pressing priorities. Over the next 3 months, we plan to:
With the remainder of the year, our focus is on ensuring customers have full visibility into the APIs in their projects and are able to easily onboard API Security Testing for all supported APIs (REST, GraphQL, SOAP). To accomplish that, we are focused on:
Looking forward, we will continue to focus on features that enable customers to efficiently reduce risk. We want to ensure API security risks are easy to prioritize and remediate, and easy to address earlier in the API management lifecycle. Future capabilities focus on helping teams design and build secure APIs, and perform security testing that is as close to real-world API requests as possible.
BIC (Best In Class) is an indicator of forecasted near-term market performance based on a combination of factors, including analyst views, market news, and feedback from the sales and product teams. It is critical that we understand where GitLab appears in the BIC landscape.
For this product area, these are the capabilities a best-in-class solution should provide:
We have an advantage of being able to provide testing results before the app is deployed into the production environment, by using Review Apps. This means that we can provide API security scan results for every single commit. The easy integration of API security scanning early in the software development life cycle is a unique position that GitLab has in the API Security market. We also have the advantage of being able to provide secure design and build guardrails within our platform as developers and security teams are outlining requirements and developing APIs. Integrating other tools at this stage of the SDLC is typically difficult, at best.
The GitLab API Security features are all packaged as part of the GitLab Ultimate tier. This aligns with our pricing strategy as these features are relevant for executives who are concerned about keeping their organization secured from security weaknesses (CWEs).
API Security is not a standalone market evaluated by analysts, but is included in the analysis of DevSecOps, Application Security, and API Management markets.