DeepSec 2021 Talk: How to Choose your Best API Protection Tool? Comparison of AI Based API Protection Solutions – Vitaly Davidoff

Sanna/ August 26, 2021/ Conference

As the world becomes more and more connected, Application Security becomes an important concern. Especially regarding the Internet of Things (IoT), Application Programming Interface
(API), and Microservices spaces. In addition, the proper access management needs to be seriously addressed to ensure company assets are securely distributed and deployed.

There are many tools on the market providing AI based API protection and anomaly detection but what really works? How to choose the best solution? During my talk, I will share results from the research of reviewing different architecture approaches and AI solutions introduced by different favorite tools on the market, from WAF to workload protection systems.

We asked Vitaly a few more questions about his talk.

1) Please tell us the top facts about your talk.

This talk is a first try to dive deep into AI based API protection systems. We used 6 known vendors to run the evaluation. This research was a trigger for changing features and capabilities in almost all of the evaluated products. Forrester used our research to score API protection tools in 2020.

2) How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We learned that no guidelines, solution measures, common features and best practices for API protection tools exist. Some of them were mixed with WAF solutions by mistake. We wanted to explain the main features and success criteria for choosing the right tool.

3) Why do you think this is an important topic?

API’s are everywhere now, and as we’ve learned from the last decade, API became a main attack vector for web applications (and not only web, but mobile and industrial systems too). So, API’s protection is a number 1 priority in many organizations. This talk will help to choose the proper solution and safe time (and money) during the evaluation process.

4) Is there something you want everybody to know – some good advice for our readers maybe?

This talk might be very useful even for product managers and security leaders (not for the technical persons only), since I’ll provide success criteria to choose API’s protection tools.

5) A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Can a Runtime Application Self-Protection (RASP) system be a replacement for API protection tools? The next step will be to integrate different application security solutions in one holistic security platform.


Vitaly has about 15 + years’ experience as a developer and more than 8 years in the application security field. Applications Products Security lead at JFrog TLV Israel. In this position he’s responsible to provide Application Security solutions for many products, including analyzing security risks in multidisciplinary systems according to the customer system characterization, defining required security controls to handle identified security threats, perform code and design reviews, threat modeling and many other activities. He holds CISSP and CSSLP certificates.

Share this Post