Article by Stephen Gillies, Fastly technology evangelist for APAC.
It’s broadly accepted that the pandemic gave digital transformation a significant speed boost: a McKinsey survey found organisations in Asia Pacific are now four years ahead of where they would have been if past adoption rates continued unchanged.
The pace of change is made possible by the breakdown of internal barriers to innovation and newer application architectures.
New applications make liberal use of APIs to stitch different capabilities together or allow internal systems to interconnect with third-party cloud or as-a-service applications.
In fact, today, it’s easy to build and secure API-based web and mobile applications without expending much effort. Written and deployed correctly, APIs ensure users can only access the applications for which they have been pre-approved.
With the rise of low-code and no-code platforms, sophisticated apps go from prototypes to production in days or weeks.
Recent research by Google found 58% of developers use APIs to speed up application development. Most are doing this for web apps (57%) or mobile apps (56%).
Reliance on APIs will only continue to increase; another recent survey found that ‘61% of developers used more APIs in 2020 than in 2019, and 71% plan to use even more this year.’
By powering their apps with APIs, organisations can react much faster to changing conditions. They can also quickly launch new digital capabilities to seize on an opportunity or improve customer-facing experience.
But when apps are composed of many different internal and third-party APIs, the compromise of a single API can undermine what the entire set of APIs was built to deliver.
It’s critical to note that this risk should not discourage API usage; it is a ‘cost of doing business’ in the current age of digital transformation. That said, organisations need to do their homework: assessing the risk that each API brings, and ensuring their security policies, auditing and vulnerability checking extend to those APIs.
New apps, new rules
Most web application and API security tools were designed before apps were globally distributed and API-based.
With the growing number of API-based applications already in production and more emerging, the rules for web application and API security need to be redesigned to respect the way these modern applications are built, and the potential attacks they may face.
Security tooling should consider the unique properties of API traffic when monitoring for threats, provide full observability, and help speed up reaction time — whether that reaction is human-assisted or automated.
For threat response that requires human assistance, redesigned tools simply need to be more usable.
A security solution should have a single, intuitive, easy-to-use interface that allows control and visibility of the entire solution. Observability should be all-encompassing and integrated to provide complete visibility into the state of the system at a glance. And importantly, these solutions should be usable for both security and non-security teams.
Modern security tools must also match modern application design. Too often, toolsets are simply packaged and sold together by a provider without being technically integrated with one another. Even if a system only forces users to switch between tabs to navigate between solutions, valuable seconds and integrated visibility are still lost while under attack. This approach weakens overall security posture by creating gaps in performance and visibility.
Ideally, though, the tooling should handle much of the detection and response to threats by itself. The new rules of web application and API security demand a shift toward a more intelligent model that examines not just the signature of the traffic but also its intent or behaviour. This means considering factors like the speed of the request, time of day, and user log-in status.
Meanwhile, builders should demand that tools can be run in both monitoring and blocking mode. Tools that can only run in monitoring mode for fear of false positives reinforce a broken system: the damage is done by the time the team can respond. Ultimately, teams need a foundation of tooling that can confidently block threats as they happen, not diagnose the problem after the breach.
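To make the behaviour-based model and the monitoring-versus-blocking distinction concrete, the following is an added example (not Fastly’s code or any product’s logic) that scores constructed API access-log lines on the three signals named above, request rate, time of day and log-in status, and shows what a tool would flag in monitoring mode versus reject in blocking mode. The thresholds, the assumed business hours and the log format are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample API access log (not from any real system): timestamp, client, path, log-in status.
SAMPLE_LOG = """\
2024-03-02T14:00:00Z 10.0.0.5 /api/orders authenticated
2024-03-02T03:15:00Z 198.51.100.7 /api/users anonymous
2024-03-02T03:15:00Z 198.51.100.7 /api/users anonymous
2024-03-02T03:15:01Z 198.51.100.7 /api/users anonymous
2024-03-02T03:15:01Z 198.51.100.7 /api/users anonymous
2024-03-02T03:15:02Z 198.51.100.7 /api/users anonymous
2024-03-02T03:15:02Z 198.51.100.7 /api/users anonymous
"""

RATE_WINDOW_SECONDS = 10       # sliding window for the per-client request rate (assumed)
RATE_LIMIT = 5                 # more requests than this in the window is suspicious (assumed)
BUSINESS_HOURS = range(6, 22)  # assumed normal hours (UTC); anything else counts as off-hours
FLAG_THRESHOLD, BLOCK_THRESHOLD = 1, 3

def parse_line(line):
    ts, client, path, auth = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, path, auth

def score_request(ts, auth, requests_in_window):
    """Score on behaviour signals (rate, time of day, log-in status), not on a payload signature."""
    score, reasons = 0, []
    if requests_in_window > RATE_LIMIT:
        score, reasons = score + 2, reasons + ["high-rate"]
    if ts.hour not in BUSINESS_HOURS:
        score, reasons = score + 1, reasons + ["off-hours"]
    if auth != "authenticated":
        score, reasons = score + 1, reasons + ["unauthenticated"]
    return score, reasons

def evaluate(log_text, mode="monitor"):
    """Return (client, path, score, action, reasons) per request, in log order."""
    history = defaultdict(deque)  # client -> timestamps still inside the sliding window
    decisions = []
    for line in log_text.splitlines():
        ts, client, path, auth = parse_line(line)
        window = history[client]
        window.append(ts)
        while (ts - window[0]).total_seconds() > RATE_WINDOW_SECONDS:
            window.popleft()
        score, reasons = score_request(ts, auth, len(window))
        # Blocking mode stops a high-scoring request as it happens; monitoring mode only flags it.
        action = ("block" if mode == "block" and score >= BLOCK_THRESHOLD
                  else "flag" if score >= FLAG_THRESHOLD else "allow")
        decisions.append((client, path, score, action, reasons))
    return decisions
```

Running `evaluate(SAMPLE_LOG, "monitor")` flags every anonymous off-hours request but stops none of them, whereas `evaluate(SAMPLE_LOG, "block")` rejects the sixth request from 198.51.100.7 once the rate signal pushes its score over the blocking threshold.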
With modern SaaS-based web applications and API security solutions, it is possible to ship high-quality software securely and to participate in the growth of API-powered digital transformation.
Written and deployed correctly, APIs act like a fortified gate by only allowing traffic that meets strict criteria. They also ensure users can only gain access to the applications and data for which they have been pre-approved.