API-based technology delivers a better user experience by exposing more functionality than ever before. However, these advances in application technology are outpacing advances in cybersecurity. With that in mind, Sean Leach, Chief Product Architect at Fastly, discusses the must-have features of web application and API security tools.
About the Author
Sean Leach is Chief Product Architect at Fastly.
It has become evident that, to keep up with application advances, security tools must become more advanced too, with solutions that offer flexible deployment, DevOps support, and strong API protection. This is a problem that many businesses face. In our recent research report ‘Reaching the Tipping Point of Web Application and API Security’, we found that over half of those surveyed said that most, if not all, of their applications would use APIs over the next two years. This is despite their view that web application and API security is more complicated today than it was two years ago, partly because of the shift to the public cloud and to API-centric applications.
To deliver modern and effective Web Application and API Security (WAAP), solutions must integrate a wide range of features and capabilities. I’ve extracted six features that I think are “must-haves” for any successful web application and API security tool:
1. Visibility is the key
As the market shifts from legacy web application firewalls to protecting modern web applications and APIs, APIs are increasingly at the center of security strategies. Visibility into which APIs are in use, the traffic flowing through them, and the responses returned by those endpoints is therefore critical for a unified solution. This includes support for newer API technologies such as GraphQL.
2. Integrate different architectures
To protect legacy, container-based, and serverless applications on both on-premises and cloud infrastructure, modern solutions must offer deployment flexibility. Simply put, a modern security system must be able to protect both ends of the spectrum. There is no point in adopting the latest application technology if the security provided leaves easily exploitable gaps in the older technologies still running alongside it. Given the many ways they can be deployed, and their relative simplicity, APIs are the obvious architectural answer to this need for flexibility, providing choice and consistency regardless of the type of application being protected.
3. Integration with DevOps tooling
No matter how flexible the deployment options are, a solution that cannot plug directly into existing automated delivery pipelines will never scale to meet the needs of modern environments. Given the important role application teams play in security, it is critical that web application and API security tools fit their processes and integrate with the tools DevOps teams already use.
4. Automation across the entire infrastructure
Manually creating rules and configurations often cannot keep pace with innovation. WAAP tools provide much of the solution here. These are highly specialized security tools that sit on the public-facing side of an application and analyze all incoming traffic to assess threats. That may sound like a simple task, but by automating their operation around contextual markers they learn to recognize, a WAAP can raise flags with the right part of the security team in real time.
5. Non-stop updates
The dynamic threat landscape makes manually updating, testing and deploying rule sets a daunting task. Tools that automate updates remove this burden and help deliver the operational benefits users expect when moving to a unified solution.
6. Blocking based on malicious intent
Likewise, signature-based detection is less effective when attackers constantly change tactics. It also contributes to false positives, which make up almost half of all alerts according to our research. Automatically identifying the intent behind a request, rather than simply applying static predefined rules, is important, but it must be done without increasing false negatives.
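As an added illustration of that trade-off (example code written for this article, not Fastly's product logic or anything from the report), the snippet below runs a constructed request log through two detectors: per-request static signatures, which flag a legitimate search containing the words "union select" and miss a scanner that has switched tactics, and a per-client behavioural score that weighs rejected responses and endpoint-probing breadth as evidence of intent. The signatures, scores and threshold are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Static signatures: the "predefined rules" a legacy WAF applies to each request in isolation.
SIGNATURES = [re.compile(r"(?i)union\s+select"), re.compile(r"(?i)<script")]

# Constructed request log: one legitimate user and one scanner that changes tactics
# (SQL injection, then admin discovery, then path traversal, then schema probing).
REQUESTS = [
    {"client": "10.0.0.5", "path": "/search", "query": "q=union select committee minutes", "status": 200},
    {"client": "10.0.0.5", "path": "/docs/42", "query": "", "status": 200},
    {"client": "198.51.100.9", "path": "/login", "query": "user=a' union select 1--", "status": 403},
    {"client": "198.51.100.9", "path": "/admin", "query": "", "status": 404},
    {"client": "198.51.100.9", "path": "/api/v1/export", "query": "file=../../etc/passwd", "status": 500},
    {"client": "198.51.100.9", "path": "/graphql", "query": "query={__schema{types{name}}}", "status": 404},
]

def signature_hits(requests):
    """Indexes of requests that any static signature matches, judged one request at a time."""
    return [i for i, r in enumerate(requests) if any(s.search(r["query"]) for s in SIGNATURES)]

def intent_scores(requests):
    """Accumulate a per-client score from behaviour across requests rather than one payload:
    rejected responses, widening endpoint probes and signature matches each add evidence."""
    score = defaultdict(int)
    seen_paths = defaultdict(set)
    for r in requests:
        c = r["client"]
        if r["status"] >= 400:
            score[c] += 2            # the application rejected or failed on the request
        if r["path"] not in seen_paths[c]:
            seen_paths[c].add(r["path"])
            if len(seen_paths[c]) > 2:
                score[c] += 1        # client keeps touching new endpoints
        if any(s.search(r["query"]) for s in SIGNATURES):
            score[c] += 1            # a signature match is one signal among several, not a verdict
    return dict(score)

def blocked_clients(requests, threshold=5):
    """Clients whose accumulated score crosses the (assumed) blocking threshold."""
    return sorted(c for c, s in intent_scores(requests).items() if s >= threshold)

if __name__ == "__main__":
    print("signature hits:", signature_hits(REQUESTS))   # flags the benign search, misses the later probes
    print("intent scores:", intent_scores(REQUESTS))
    print("blocked:", blocked_clients(REQUESTS))
```

Only the scanner's client address crosses the threshold, while the legitimate user's single signature match stays well below it, which is the false-positive reduction the section argues for.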
Switching to new security solutions can be a daunting process, but recovering from a major security breach is far harder. Investing time in this project can drive broader change in your business, helping you make your applications and APIs more secure and consolidate your security tools. For more information on updating and consolidating your processes and security stacks, check out this blog or download our recent report here.