Applications are critical to how business is done today. They are also the weakest links in the security chain of many organizations, and many APIs, by design, continue to expose the personally identifiable information of customers, employees and contractors.
OWASP (Open Web Application Security Project) notes on its API Security Project homepage: “By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”
On its homepage, OWASP identifies 10 typical problems, including:
- Broken object- and function-level authorization and user authentication
- Excessive data exposure
- Lack of resources and rate limiting
- Security misconfiguration
- Injection flaws
- Improper assets management
- Insufficient logging and monitoring
From the above, there is no doubt that web app and API security are long overdue for a security overhaul. The relevant question is: where do we begin, and where should we go from there?
As a company whose cloud platform was built to give developers the tools to build applications that are both secure and innovative, Fastly has put a lot of thought into the way forward.
Fastly’s lead product architect, Sean Leach, identified some of these challenges in a recent blog post and proposed design solutions.
“…most web app and API security tools were designed for a very different era,” he wrote. “A time before developers and security practitioners worked together, before applications were globally distributed and API-based. But attackers are developers too, and the limitations of legacy solutions did not bog them down.” In response, he said, it’s time for a change.
Sean Leach outlined the company’s new rules for web application and API security, which he believes will respect the way we build modern applications:
- Rule 1: Tools must fight intent, not specific threats
- Rule 2: There is no security without usability
- Rule 3: Real-time attacks require real-time reactions
- Rule 4: Dev, sec, or ops, everyone must think like an engineer
“It’s not enough to ship software quickly. We must ship high-quality software securely,” he said. “We’ll be focused on building web application and API security solutions that live up to the rules we outlined today. We’re in this together.”
Web App & API Security Needs an Overhaul: Here’s How - June 26, 2022