Web App and API Security Needs to Be Modernized: Here’s How

Applications are critical for doing business. They are also the weakest links in many an organization’s security chain. Many APIs continue to expose the personally identifiable information of customers, employees and contractors.

As OWASP (Open Web Application Security Project) notes on its API Security Project homepage: “By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”

OWASP cites 10 common problems on the API Security Project homepage, including:

  • Broken object- and function-level authorization and user authentication
  • Excessive data exposure
  • Lack of resources and rate limiting
  • Security misconfiguration
  • Injection flaws
  • Improper assets management
  • Insufficient logging and monitoring

Clearly, web app and API security is overdue for an overhaul. The question is where to begin, and where to go from there.

As a company whose edge cloud platform is designed to give developers the tools to build apps that are as secure as they are fast and groundbreaking, Fastly has put a lot of thought into the path forward.

Sean Leach, Fastly’s chief product architect, identified the challenges in a recent blog post.

“The truth is, most web app and API security tools were designed for a very different era,” he wrote. “A time before developers and security practitioners worked together, before applications were globally distributed and API-based. But attackers are developers too, and they aren’t bogged down by the limitations of legacy solutions.” In response, he said, it’s time for a change.

To that end, he outlined the company’s new rules for web application and API security, which he believes will respect the way modern applications are built:

  • Rule 1: Tools must fight intent, not specific threats
  • Rule 2: There is no security without usability
  • Rule 3: Real-time attacks require real-time reactions
  • Rule 4: Dev, sec, or ops, everyone must think like an engineer

“It’s not enough to ship software quickly. We must ship high-quality software securely,” he said. “For our part, we’ll be focused on building web application and API security solutions that live up to the rules we outlined today. We’re in this together.”

Sean recently joined Application Security Weekly to offer a deeper dive into the new rules. The episode was sponsored by Fastly.

To learn more, watch the interview on Application Security Weekly, or visit https://securityweekly.com/fastly for more information.