Over the years, the landscape of the internet has become more complex, driven by APIs and advances in cloud computing. This has forced security and IT professionals to continuously ask themselves – what are the next steps in security that can be used to drive future developments and make all our lives easier?
Innovation moves fast, so how do humans keep up?
Security changes are coming thick and fast, more so than ever before. The market has moved on from legacy web application firewalls (WAFs) that were built to secure web apps plugged into a database, but which are no longer sufficient, to newer, API-driven forms of protection, and WAFs located at the edge. Not only are these newer security tools logic-driven, but web apps are able to plug directly into them, which helps them to meet all the needs that are asked of them: scale, performance and, above all, effective protection.
When talking about the use of APIs in security services, it is important to note that there also exists a human element to the process. Traditionally, security teams have not been part of the software delivery workflow, so they might not be as exposed to new tech in the same way as the engineering teams that build and operate apps and services. For example, they might not be familiar with newer tech for APIs, like GraphQL, nor understand how existing tools that are built for older implementations, like REST, will be deficient for GraphQL. And because teams are often siloed, knowledge sharing is limited. The solution to this is to offer a more centralised approach that ensures security teams are integrated into every stage of the software development process.
Raising your standards
In the security landscape, speed of integration is often given higher priority than following proper processes. The problem that this can raise is that, in the interest of moving fast, developers may neglect to tell IT teams about every new API they create for various aspects of the security stack. Whilst this allows them to skip the approval queue for new tools, it does mean that companies often end up with upwards of 20 different APIs, each working slightly differently to provide protection. It also results in a less robust security structure, as attackers will often be able to test each of these APIs individually to see which is most vulnerable.
Clearly, what is needed is a greater level of standardisation across the whole stack. This, however, must be coupled with a comprehensive upgrade of legacy security tools, given ??most security tools were built for monolithic web apps, not APIs, and, as a result, are unable to plug into modern security architecture. There exists, therefore, a clear need for businesses to ensure that their security is up to date and that their authentication patterns are properly vetted to ensure security implementation follows the proper rules, across all teams.
Tools don’t talk
We can spend all the time and resources we want enabling tech and security. At the end of the day, they still need to talk to each other and give an end-to-end picture of your traffic and your vulnerabilities.
This is where APIs allow us to streamline processes to increase both the speed of security operations, as well as their efficacy. By allowing apps to talk directly to APIs, security threats can be signalled immediately: a critical step in countering them before they have time to do any damage to key systems. APIs also allow for stronger – and simpler – forms of encryption. You need only look at the strength of WhatsApp’s end-to-end encryption and how rare it is to receive spam messages or cold calls there to understand how strong API-driven security can be.
The next steps for security
Even with the most flexible deployment options in the world, security solutions that are unable to plug into automated app development processes will never scale to meet the needs of modern environments. People still feature in the security picture, so it is critical that API security tools fit their processes and integrate with the tools that DevOps teams often use, such as Slack.
In addition to integrating with DevOps tools, the next big step forward for web application and API security is to provide full automation across the whole stack. Simply put, all security solutions should have easy-to-use APIs that expose all of the functionality of the system. This will allow security teams to get under the hood of their security processes, and give them the full control they need to be able to effectively manage them.
Manual creation of rules and configurations, and the rewriting of policy when applications are deployed simply can’t keep up with the pace set by fully automated security systems. This step towards the future will also speed up security innovations by phasing out the human element of the equation.
How to speed up digital transformation
These security innovations could be implemented easily, but for one roadblock: silos. Nowadays, remote work can lead to greater divides between teams if they aren’t intentional about collaboration, and the same goes for tools.
This is where APIs allow us to build integrated, consolidated tooling that works across teams. Of course, there will always be challenges in their implementation, such as organisations clinging to legacy security tools. But, by prioritising the updating and consolidation of security stacks, the future of online security looks faster, stronger and, above all, driven by APIs.
Sean Leach
Fastly
