The Case for Integrated App and API Security Strategies

F5 Ecosystem | August 09, 2023

It is evident that app and API security have diverged into separate specialties. APIs are no longer just URI-based entry points into an application; they have grown into a distinct entity with security needs of their own.

Most of these security needs follow from the nature of API interactions. Namely, APIs need to be authorized on a per-transaction basis: every call carries its own credential and is checked on its own. This is markedly different from apps, which generally apply authorization on a per-session basis, deciding who the caller is once at login and trusting that decision for the rest of the session.
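To make the per-session versus per-transaction distinction concrete, here is an added example (not code from the original post or from F5): a tiny order service written two ways. The app pattern trusts a server-side session for the caller's identity; the API pattern re-verifies a signed bearer token on every call and, in the same step, checks the scope of the operation and who owns the requested object. It also shows the weak form of the API pattern, which stops at "token is valid" and so lets any caller read any order, the authorization failure that appears on every API top-ten list. The signing key, the orders, and the helper names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Hypothetical signing key for the example; a real service loads it from a secret
# store and would usually sign with an asymmetric key so verifiers cannot mint tokens.
SIGNING_KEY = b"example-key-not-for-production"

# Constructed sample records: each order belongs to exactly one user.
ORDERS = {
    "ord-1001": {"owner": "alice", "total": 42.00},
    "ord-2002": {"owner": "bob", "total": 99.50},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: List[str], ttl: int = 300,
                now: Optional[float] = None) -> str:
    """Mint a compact HMAC-signed token carrying identity, scopes and expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scopes, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Re-check signature and expiry on every call; return the claims or None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # bad base64, bad JSON, wrong number of segments
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# --- App pattern: identity decided once at login, bound to server-side session state ---
SESSIONS: Dict[str, str] = {}   # session id -> username


def app_login(username: str) -> str:
    """Hypothetical login; the credential check is omitted because session handling is the point."""
    sid = hashlib.sha256(f"{username}:{time.time_ns()}".encode()).hexdigest()
    SESSIONS[sid] = username
    return sid


def app_get_order(session_id: str, order_id: str) -> Tuple[int, Optional[dict]]:
    """Session-based: the session says who the caller is; nothing is re-verified per request."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


# --- API pattern: every transaction carries its own credential and is authorized in full ---
def api_get_order_authn_only(token: str, order_id: str,
                             now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """The weak pattern: treats 'token is valid' as 'caller may do this'. Any user reads any order."""
    if verify_token(token, now) is None:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def api_get_order(token: str, order_id: str,
                  now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Per-transaction authorization: credential, scope and object ownership checked on each call."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, None
    if "orders:read" not in claims.get("scope", []):
        return 403, None
    order = ORDERS.get(order_id)
    # Same answer for 'missing' and 'not yours' so the endpoint does not confirm which ids exist.
    if order is None or order["owner"] != claims["sub"]:
        return 404, None
    return 200, order
```

Note the asymmetry: the session version can only answer "who is this?" from state the server established earlier, whereas the API version must answer "who is this, what may they do, and on which object?" from the request itself, every time. A token with the wrong scope, an expired token, or a body transplanted onto another token's signature is refused before any data is touched.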

The rate of interaction, too, is higher for APIs, as are a number of other characteristics that pose particular challenges for securing them.

Characteristic           App                          API
Message format fluency   HTML, JSON, XML              ProtoBuf, JSON, GraphQL, binary, XML, other data formats
Interactions             Static, infrequent change    Dynamic, frequent change
Data                     Structured, transactional    Un/structured, streaming, and transactional
User                     Human                        Software, human
User-agent               Browsers, apps               Software, devices, scripts, apps, browsers
Authentication           Session-based                Transaction-based (closer to zero trust)
Protocol fluency         HTTP/S, QUIC                 gRPC, WebSockets, HTTP/S, QUIC

A comparison of apps and APIs illustrates differences that have caused a divergence in security needs.

That said, there are security risks common to both apps and APIs that bear consideration when implementing security solutions. For example, the recently updated OWASP API Security Top 10 for 2023 clearly shows a subset of risks that are shared with applications:

  • Weak authentication/authorization controls
  • Misconfiguration
  • Business logic abuse (credential stuffing, account takeover)
  • Server-side request forgery (SSRF)

In addition to these risks, a substantial share of attacks continues to target availability. DDoS attacks are common to both apps and APIs because the two generally share the same dependencies on TCP and HTTP, both of which are subject to a variety of attacks designed to disrupt access and availability.

One approach to addressing the challenges of securing apps, APIs, and the infrastructure that supports them is to deploy multiple point solutions: bot and fraud defense, DDoS protection, app security, and API security. While this certainly addresses the security challenges, it introduces operational challenges and complicates many security-related tasks, such as policy change management and reacting to threats that impact both apps and APIs. Complexity is not only the enemy of security, but also the enemy of speed.

The speed with which one can react to emerging threats is a top driver for the adoption of Security as a Service according to our annual research. Each solution requiring a patch, update, or the deployment of a new policy to mitigate an emerging threat adds time and increases the possibility of a misconfiguration or mistake. Thus, the time to mitigate a threat increases with complexity—especially if an organization is operating in multiple environments (hybrid IT) and leverages per-environment security solutions. I’m not doing the math to determine if that’s a linear or exponential increase because, honestly, anything that increases the time to respond to an imminent threat is not a good thing.

That’s why a better approach is to combine solutions: share operational and security management for the functions that combat common threats, while allowing specific security policies to address the protocols and payloads unique to apps and APIs.

This leads to an integrated application and API security strategy, in which common functions are shared and increasing granularity and specificity are applied closer to the app or API. Bots are bots, after all, and their impact on the quality of data, cost of delivery, and risk profile for apps and APIs is a shared concern. DDoS is DDoS. Operating twice as many services to address the same problem is inefficient by every measure.

An integrated application and API security strategy makes good operational, financial, and architectural sense.
