The Future of Appsec is APIs
Summary
In this conversation, Matt Johansen and Brian Joe discuss API security and its evolution from traditional application security.
First and foremost, they define what we mean by “API Security.” This involves a quick history lesson on the rise of microservices and decentralized applications.
They also highlight the challenges and vulnerabilities associated with API security, such as broken authentication and authorization.
We even get into how AI has impacted security testing and the need for innovation in response and enforcement!
Overall, the discussion provides insights into the current state and future of API security. Join us to explore the evolution of web application firewalls (WAFs) and what they can and can not do in the ever-growing world of APIs.
Matt’s favorite takeaway: Traditional WAFs inspected a single request and decided if it was good or bad. Next-gen WAFs added the dimension of looking at attack traffic over time instead of that single request. Impart, and modern API Security solutions are going beyond that 2nd dimension and bringing in a lot more context to make security decisions on API traffic.
Key Takeaways
- API security is the protection of microservices and decentralized applications, ensuring the secure communication between different components.
- API security is an evolution of traditional application security, focusing on the unique challenges and vulnerabilities of APIs.
- Broken authentication and authorization are common vulnerabilities in API security, requiring specific measures to mitigate.
- AI has a significant impact on detection and visibility in security, but there is still room for innovation in response and enforcement.
- The industry terminology for API security varies, including terms like next-gen WAF and RASP, but the focus is on achieving better security outcomes.
- WAFs have evolved from analyzing single requests to considering requests over time, providing better context and visibility for security decisions. API Security tools have evolved even further to include much more context than just “over time” to make more informed security decisions.
- One of the biggest challenges in API security is protecting against authorization exploitation, as traditional WAFs are not effective in addressing this issue.
- Managing and securing a large number of APIs is a common problem for security teams, as visibility and control over these APIs are often lacking.
- Security tools need to align with modern engineering practices, providing engineering teams with the ability to customize and test security policies in a similar way to how they test production code.
Contact us at try.imp.art and remember to follow us on LinkedIn to stay up-to-date with the latest and greatest.