Untangling Application Security Challenges in the Era of Multi-Cloud API Sprawl

To help app developers and security teams join forces to successfully address API security challenges, Google Cloud and F5 came together for a special webinar event, Untangling APIs: Addressing Sprawl and Securing Your Digital Ecosystem. The conversation uncovered several relevant and actionable answers to the hard-hitting questions organizations have—or should have—about API sprawl, management, and security.

If you couldn’t attend the live session, don’t worry; you can catch a few of the highlights in this blog post and also access the on-demand recording.

The event, which ActualTech Media’s Jess Steinbach moderated, also included distinguished presenters Joshua Haslett, Strategic Technology Partner Manager at Google Cloud, Ian Dinno, Senior Product Marketing Manager at F5, and David Remington, Director of Product Management at F5. Together, they sat squarely on the API security hot seat to provide attendees with expert advice and practical guidance on adopting a more holistic app and API security strategy across the organization.

One of the main points made during the discussion revolved around finding the right path to a holistic approach, which has become even harder to tackle as the number of APIs utilized throughout an organization’s application ecosystem continues to grow at an unprecedented rate. As highlighted by one of the attendee’s questions, the security, governance, and efficiency challenges introduced by API sprawl are only compounded by the increased adoption of hybrid cloud infrastructure and the slew of microservices that make complex multi-app business processes work.

To address the risks associated with API sprawl—such as data breach, account takeover, and fraud—an organization's application security program must include API protection technologies that deliver continuous discovery and monitoring, runtime protection, and real-time posture management. The program must also be supported by a process that keeps the CI/CD pipeline moving by easily integrating security methodologies and code testing earlier in the software development lifecycle in a way that doesn’t delay releases, negatively impact the user experience, or introduce application downtime.

Chances are, when you think your team has a suitable picture of what APIs are running and where they are running, a new app or API endpoint is added, or updates are made to an existing one. This could be a new third-party service, or multiple new or updated APIs that may not be visible to the teams responsible for security, and that adds new vulnerable entry points and exposure for an organization. It’s a never-ending battle to stay on top of the sprawl, making it even harder for security teams to assess and protect these services individually and as part of a fully functioning application.

Speaking to the increased risk of the threat landscape concerning the expanding complexities of the application infrastructure, Ian and David took a firm position on how AI and machine learning will have significant roles to play in API security, both in the scope and scale of attacks and in the protections required.

Another critical factor that the panel discussed during the webinar is the need to gain visibility into the state of API security. One attendee, for example, described to the panel how they’ve recently begun to see performance issues and other disruptions in some of their systems and applications. However, they couldn’t easily ascertain whether they were seeing signs of API sprawl being exploited by active attacks. This appears to be a common problem that many teams are struggling with.