API-based technology provides a better user experience, thanks to its ability to provide more functionality than ever before. However, we also see that these technological advances outpace those in cybersecurity. As such, Sean Leach, Fastly’s Chief Product Architect, discusses must-have features when it comes to web applications and API security tools.
About the Author
Sean Leach is the lead product architect at Fastly.
It has become clear that to keep up with application progress, security tools need to be more advanced, with solutions that include flexible deployment, DevOps support, and strong API protection. This is a problem faced by many companies. In the recent research report, “Reaching the Web Application and API Security Tipping Point,” we found that more than half of respondents said that most, if not all, of their applications will use APIs over the next two years. They said this even though they consider web application and API security more complicated today than it was two years ago, in part because of these shifts to public cloud and API-centric applications.
Modern, effective web application and API protection (WAAP) solutions must incorporate a wide range of features and capabilities. I’ve pulled out six features that I believe are “must haves” for any successful web application and API security tool:
1. Visibility is key
As the market moves from legacy web application firewalls to modern web application and API protection, APIs are increasingly at the center of security strategies. Therefore, visibility into the APIs being used, the traffic flowing through them, and the associated response from those endpoints are all essential for unified solutions. This includes support for new API technologies such as GraphQL.
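The visibility described above starts with an inventory: which logical endpoints receive traffic and how each one responds. The script below is an added example, not Fastly code or anything from the report, and assumes a log shipper emits one JSON record per request with `method`, `path`, `status` and, for GraphQL, the already-parsed request `body`; the sample records are constructed. It collapses numeric path identifiers so that `/users/77` and `/users/1042` count as one endpoint, recovers the GraphQL operation name so that a single `/graphql` URL does not hide every operation behind one line, and lists endpoints that returned server errors.

```python
"""Inventory API endpoints and per-endpoint response codes from access logs.

Added example (not Fastly's code). It assumes a log shipper emits one JSON
object per request with "method", "path", "status" and, for GraphQL POSTs,
the already-parsed request "body". All sample records below are constructed.
"""
import json
import re
from collections import Counter, defaultdict

SAMPLE_LOG = [  # constructed records, not real traffic
    '{"method":"GET","path":"/api/v1/users/1042","status":200}',
    '{"method":"GET","path":"/api/v1/users/77","status":200}',
    '{"method":"GET","path":"/api/v1/users/77/orders","status":500}',
    '{"method":"POST","path":"/graphql","status":200,'
    '"body":{"query":"query GetUser { user(id: 7) { name } }"}}',
    '{"method":"POST","path":"/graphql","status":200,'
    '"body":{"query":"mutation UpdateEmail { updateEmail(id: 7) { ok } }"}}',
    '{"method":"POST","path":"/graphql","status":400,'
    '"body":{"query":"query GetUser { user(id: 9) { name } }"}}',
    '{"method":"POST","path":"/graphql","status":200,'
    '"body":{"query":"{ viewer { id } }"}}',
    '{"method":"GET","path":"/api/v1/orders/55","status":404}',
]

# A path segment made only of digits, followed by "/" or end of path.
ID_SEGMENT = re.compile(r"/\d+(?=/|$)")
# Leading operation type and name of a GraphQL document, if it has one.
GQL_OPERATION = re.compile(r"^\s*(query|mutation|subscription)\s+(\w+)")


def normalize_path(path: str) -> str:
    """Collapse numeric identifiers so /users/77 and /users/1042 share one entry."""
    return ID_SEGMENT.sub("/{id}", path)


def graphql_operation(body: dict) -> str:
    """Return '<type> <Name>' for a GraphQL document, or 'anonymous query'."""
    match = GQL_OPERATION.match(body.get("query", ""))
    return f"{match.group(1)} {match.group(2)}" if match else "anonymous query"


def endpoint_key(record: dict) -> str:
    """Logical endpoint: method + normalized path (+ GraphQL operation)."""
    key = f"{record['method']} {normalize_path(record['path'])}"
    if record["method"] == "POST" and record["path"].rstrip("/").endswith("/graphql"):
        key += " " + graphql_operation(record.get("body") or {})
    return key


def summarize(lines) -> dict:
    """Map each logical endpoint to a Counter of the HTTP status codes it returned."""
    summary = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        summary[endpoint_key(record)][record["status"]] += 1
    return dict(summary)


def endpoints_with_server_errors(summary: dict) -> list:
    """Endpoints that returned any 5xx, sorted, so they can be routed to the owning team."""
    return sorted(key for key, codes in summary.items() if any(s >= 500 for s in codes))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for endpoint, codes in sorted(report.items()):
        print(f"{endpoint:45} {dict(codes)}")
    print("server errors:", endpoints_with_server_errors(report))
```

The same summary, keyed by logical endpoint rather than raw URL, is what lets a team notice an operation that suddenly starts returning errors or one that nobody knew was exposed.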
2. Integrate different architectures
To protect legacy, container-based, and serverless applications across on-premises and cloud infrastructure, modern solutions must provide deployment flexibility. Simply put, modern security systems must be able to provide protection at both ends of the spectrum. There’s no point in sticking with only the latest technology in an app if the security provided leaves easily exploitable holes in older technology. Given the sheer number of ways they can be deployed, as well as their relative simplicity, APIs are the obvious architectural solution to this need for flexibility, providing choice and consistency regardless of the type of application being protected.
3. Integrate with DevOps processes
No matter how flexible the deployment options, if the solutions offered are not able to connect directly to pre-existing automated delivery processes, they will never be able to scale to meet the needs of modern environments. Given the important role that application teams play in security, it is essential that web application and API security tools adapt to their processes and integrate with the tools used by DevOps teams.
4. Automation of the entire infrastructure
Manual creation of rules and configurations often cannot keep pace with innovation. WAAP tools provide a large part of the solution here. These are highly specialized security tools that sit on the public side of an application and scan all incoming traffic to assess threats. That may sound like a simple task, but by automating their operation around contextual markers that they learn to recognize, a WAAP can route indicators to the right parts of the security team in real time.
5. Non-stop updates
The dynamic threat landscape makes manually updating, testing, and deploying rulesets a daunting task. Tools that automate updates remove this requirement and help provide the operational benefits users expect when moving to a unified solution.
6. Blocking based on malicious intent
Signature-based detection likewise becomes less effective when attackers constantly change tactics, and it contributes to false positives, which account for almost half of all alerts, according to our research. Automated identification of the intent behind a request, as opposed to simply applying static predefined rules, is important, but it should be done without increasing false negatives.
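To make the false-positive point concrete, here is an added example (not Fastly's code, and not a description of any product's detection engine) that runs one static signature and a simple intent scorer over constructed sample requests. The signature fires on a legitimate search query that merely contains SQL keywords; the intent scorer instead aggregates signals per client (signature hits plus error responses, across distinct paths) and only blocks when they corroborate each other, while a lone signature hit is flagged rather than silently dropped, so the change does not simply trade false positives for false negatives. The thresholds are assumptions chosen for the sample data.

```python
"""Signature matching versus per-client intent scoring over sample requests.

Added example, not Fastly's code. Each request record carries the client
address, path, query string and the status the origin returned. All sample
requests are constructed; the thresholds are assumptions for this data.
"""
import re
from collections import defaultdict

# One static signature of the kind a legacy ruleset applies per request.
SIGNATURE = re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1")

SAMPLE_REQUESTS = [  # constructed
    # A legitimate search for a tutorial: the signature matches, the origin is happy.
    {"client": "10.0.0.5", "path": "/api/search", "query": "q=union select tutorial", "status": 200},
    {"client": "10.0.0.5", "path": "/api/products/3", "query": "", "status": 200},
    # One client repeating the same pattern across many paths, mostly erroring.
    {"client": "203.0.113.9", "path": "/api/users", "query": "id=1' or '1'='1", "status": 500},
    {"client": "203.0.113.9", "path": "/api/orders", "query": "id=1' or '1'='1", "status": 500},
    {"client": "203.0.113.9", "path": "/api/admin", "query": "", "status": 403},
    {"client": "203.0.113.9", "path": "/api/export", "query": "fmt=x union select 1", "status": 400},
    # Ordinary traffic with no signals at all.
    {"client": "192.0.2.20", "path": "/api/products/9", "query": "", "status": 200},
]


def signature_hits(requests):
    """Legacy behaviour: every request matching the pattern becomes an alert."""
    return [r for r in requests if SIGNATURE.search(r["query"])]


def request_signals(r):
    """Per-request evidence; each signal is weak on its own."""
    signals = []
    if SIGNATURE.search(r["query"]):
        signals.append("signature")
    if r["status"] >= 400:
        signals.append("error")
    return signals


def intent_scores(requests):
    """Aggregate signals per client: total weight and how many distinct paths were involved."""
    per_client = defaultdict(lambda: {"score": 0, "paths": set()})
    for r in requests:
        signals = request_signals(r)
        if not signals:
            continue
        entry = per_client[r["client"]]
        entry["score"] += len(signals)
        entry["paths"].add(r["path"])
    return per_client


def verdicts(requests, block_threshold=5, min_paths=3):
    """block = corroborated signals across several paths; flag = some evidence; allow = none."""
    scores = intent_scores(requests)
    result = {}
    for client in {r["client"] for r in requests}:
        entry = scores.get(client)
        if entry is None:
            result[client] = "allow"
        elif entry["score"] >= block_threshold and len(entry["paths"]) >= min_paths:
            result[client] = "block"
        else:
            result[client] = "flag"
    return result


if __name__ == "__main__":
    print("signature alerts:", len(signature_hits(SAMPLE_REQUESTS)))
    for client, verdict in sorted(verdicts(SAMPLE_REQUESTS).items()):
        print(f"{client:14} {verdict}")
```

On this data the signature alone raises four alerts, one of them on the legitimate search; the intent scorer blocks only the client whose signals line up across four paths, flags the single-hit client for review, and leaves ordinary traffic alone.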
Moving to new security solutions can be a daunting process, but recovering from a major security breach is even harder. Investing time in this project can lead to bigger changes in your business, helping you make your applications and APIs more secure and move towards consolidated security tools. For more information on updating and consolidating your process and security stacks, check out this blog or download our recent report here.