Speed vs. Security: Protecting Modern Apps and APIs at the Pace of Modern Business

Dor Zakai
Published February 19, 2021

The pace of modern business is driving a wedge between the way applications are developed and how they are protected. By harnessing modern infrastructure and applications, companies can better compete and adapt faster. However, they could also be jeopardizing security.

From monolithic apps to microservices

Today, 98% of organizations depend on applications to run or support their business. According to our most recent survey of the NGINX open-source community, the number of those apps built with microservices grew from 40% in 2019 to 60% in 2020, with 54% of businesses using microservices in some or all of their apps. By 2022, it’s expected that 90% of all new apps will feature microservices architectures. These trends not only highlight the importance of modern applications to businesses, but also the value of achieving speed and agility when it comes to their deployment. 

Increasing numbers of organizations are likely moving the same way, migrating from the monolithic apps of old to cloud-native technologies while also implementing DevOps principles. And with good reason.

Customers, partners, and employees don’t just demand more from your technology-driven services—they expect it. Markets don’t wait for companies to adapt. They simply forget about them.

This is why businesses are being forced to take action, ensuring their applications offer the best possible experience. But delivering these experiences requires a different approach to application development. It calls for a faster, more iterative approach that provides the flexibility businesses need to remain competitive.

DevOps, microservices, and containers can all help to deliver this much sought-after application agility, overhauling old-fashioned approaches in favor of modern delivery methods. But what about other key considerations like protecting those apps? Can security policies handle the pace?

A new front line in the battle against breaches

Hackers launch an average of 2,244 attacks per day. That’s one every 39 seconds. And a single successful malicious act is all that’s required to wreak financial and reputational havoc on a business, or even destroy it entirely. It might sound drastic, but these are the odds organizations face today. The average cost of a data breach in 2020 weighed in at $3.86 million per company. And, on average, only 5% of apps in an organization’s portfolio tend to be properly protected.

Even more worrying is how much more sophisticated and wide-ranging the attacks are. Hackers no longer only target code. With 40% of attacks on web applications coming through APIs, a number that is expected to grow to 90% in 2021, higher walls simply don’t provide the required protection in modern environments. Couple this increased threat level with faster and more frequent release cycles, where security flaws can easily slip through the net, and it can quickly become a recipe for disaster.

Balancing security needs with delivery speed

No organization wants to restrict agility or limit innovation. Likewise, companies aren’t willing to put their data, or that of their customers, at risk. Nevertheless, as the demands of modern business increase, and modern application development is required to maintain a competitive edge, businesses are being forced to choose between the two. Either you go to market fast and are potentially exposed, or you operate slowly and securely. It shouldn’t be this way.

Where once security policies were applied during the final stages of a release, the speed of deployments today makes that approach almost impossible. Given that there are an estimated 500 software developers for every security professional, the odds are not stacked in favor of app protection.

Therefore, the ability to provide robust, consistent security across application architectures and infrastructure is hampered, with the blame falling at no particular door. Business leaders understand the importance of security but also the need to get their apps to market fast. DevOps teams often resent the slowing of deployment by SecOps. Meanwhile, SecOps frequently lament the lack of security controls provided by DevOps. In fact, 48% of technical professionals see security as a major block to delivering software quickly.

Searching for security simplicity

It’s clear that, for businesses to drive innovation and remain agile, the effectiveness of DevOps automation and its ‘build once, run anywhere’ simplicity is crucial. What if a ‘build once, adhere anywhere’ approach could be applied to security policies? For an agile and secure way forward, businesses must find a way to integrate security into the lifecycle of an application, not apply it at the end of development or attempt to fix it with add-ons. Security and app development mustn’t simply co-exist but become one.

The best of both worlds

So, is there a way to achieve the utopia of DevSecOps? What would it mean for protection and release velocity if you could implement SecOps application security policies into DevOps without friction?

The first change required is mindset. Old-fashioned thinking has no place in a modern application development environment. All parties should embrace the idea of securing apps, not see it as a hurdle to overcome. All teams should be pulling in the same direction, working toward a common goal of safe, high-quality applications delivered at speed.

Integrated security needs to become a standard part of the development process. The speed required for it to do so can be delivered in a number of ways, key among them being policy automation. What’s also required is a lightweight security solution that overcomes the limitations of ‘checkbox’ web application firewalls. It must address the real security challenges facing modern DevOps environments by delivering high-performance, scalable security with consistent controls for web applications, microservices, containers, and APIs. It should trigger fewer false positives and, crucially, it must be faster than other solutions. Such a solution should be CI/CD-friendly, centrally managing and automating approved security controls, to remove workflow bottlenecks and support ‘shift left’ Dev initiatives. It should also be supported by an experienced organization and improve visibility while optimizing performance.

If the above can be achieved, the friction between DevOps and SecOps can be removed, and the fight between rapid deployment and security becomes a forgotten issue. By combining the right tools with a truly collaborative development culture, it is more possible than ever before to deliver powerful, consistent protection that matches the pace of modern app development.