
Securing Apps and APIs Everywhere: Why and How

Published September 29, 2022

F5 helps businesses digitize all aspects of their operations by utilizing adaptive applications to better serve customers and achieve greater productivity through innovative products and services. But these applications—how they are built, the infrastructures they run on, and the data that fuels them—are ever-evolving, adapting, and changing. As a result, they open a range of potential new vulnerabilities, expand your attack surface, and present new security requirements that your teams need help solving.

So, as we at F5 enable adaptive applications for our customers’ success, we must Secure Apps & APIs Everywhere. This is foundational to F5’s application security strategy (and the focus of this blog).

More apps = more complex security

By the end of the decade, the mobile application market alone will grow by nearly 175%, from $206.7B in 2022 to $565.4B (USD).

With the growth in apps and continued digital investment in all areas of business, there are ample opportunities to improve efficiencies, develop greater differentiation, and strengthen customer relationships.

But there are also downsides—it’s one thing to build an app, it’s another thing entirely to scale it to meet the growing needs of a successful digitized business and its ecosystem.

Here’s a simple example: Remember when auto insurance companies’ apps allowed you to simply see your account details and pay your bill? Fast forward to today and many allow you to take photos, submit claims, and manage the front end of the claims process, including interactions with third parties such as repair shops.

When you begin to consider the magnitude and complexity of this type of digital environment—the volume of APIs and microservices necessary to make this environment function seamlessly and delight customers—the magnitude and complexity of the app security challenge begins to emerge. As businesses modernize and double-down on new digital investments, security leaders are grappling with how to stay secure and compliant.

So much has changed…and it’s so much harder to secure it.

In recent years, we’ve seen a shift in how apps are built, deployed, and managed.

Business apps were once monolithic—a single, unique, well-guarded code base. Today apps are jigsaw puzzles, built of modular chunks such as microservices and containers. Some apps only exist as on-demand, ephemeral components.

Enterprise compute once happened in data centers and maybe with one cloud provider. Today most organizations have multiple apps running in multiple clouds. Modern organizations have the luxury of leveraging multiple cloud providers, applying specific workloads to specific platforms that excel in that function.

Communications protocols were once predictable and straightforward. IT and security teams could focus on IP, ensuring routing, segmentation, and ports were all in order and aligned. Contemporary communications are occurring at the API level (across and even within apps), a phenomenon that most organizations’ security strategies have yet to even address.

Meanwhile, legacy apps and infrastructure still exist. In many cases, they remain mission-critical and still need to be carefully maintained and secured. In fact, most businesses currently operate both legacy and modern apps across hybrid, multi-cloud environments, yet every business wants their security policies applied universally.

A case in point: Log4j

When the Apache Log4j/Log4Shell vulnerability began to make headlines during the 2021 winter holiday season, many assumed that IT and SecOps teams would commence a mad scramble to patch and respond. The drill was expected to last a few weeks, or maybe even months (as has happened so many times previously), and the story would eventually go away.

However, it soon became apparent that many organizations were struggling simply to determine where, or even whether, the library was present in their technology stack (or in that of their suppliers and data partners). Today Log4j exploits persist and the attacks keep coming. In fact, the U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) recently concluded that the Apache Log4j vulnerability could remain a significant risk to organizations for the next decade or longer.

It leads one to wonder whether Log4j is just an outlier, a once-in-a-generation event, or whether it is indicative of more Log4j-like incidents to come. If so, what lessons should organizations and vendors be applying as they look forward?
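The hard part described above was inventory: knowing where a library sits in a stack whose applications ship as archives nested inside other archives. The following is an added example, not F5's code and not tied to any F5 product, of the kind of inventory check a defender can run over a deployment directory. It opens every JAR/WAR/EAR, recurses into archives bundled inside them, and reports each copy of log4j-core with its declared version and whether the JndiLookup class is still present. The sample archives are constructed inline so the script runs offline; the file names and the version string they carry are illustrative, not real artifacts.

```python
"""Inventory scan for log4j-core inside JAR/WAR/EAR archives, including
archives nested inside other archives (fat JARs, WARs with WEB-INF/lib).

Added example (not F5 code). Sample archives are constructed below so the
scan runs offline; their names and version strings are illustrative.
"""
import io
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterator, List, Optional

# Maven metadata path that log4j-core jars carry; used to read the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class that the well-known hot-fix removes from affected log4j-core jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str            # outer path; "!" separates nested archives
    version: Optional[str]   # from pom.properties, None if not declared
    jndi_lookup_present: bool


def _parse_version(props: bytes) -> Optional[str]:
    """Extract the version= line from a Maven pom.properties file."""
    for line in props.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data: bytes, location: str, depth: int = 0,
                 max_depth: int = 5) -> Iterator[Finding]:
    """Yield one Finding per log4j-core copy found in the archive bytes,
    recursing into nested archives up to max_depth levels."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container: nothing to inventory here
    names = set(zf.namelist())
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        version = _parse_version(zf.read(POM_PROPS)) if POM_PROPS in names else None
        yield Finding(location, version, JNDI_LOOKUP_CLASS in names)
    if depth >= max_depth:
        return
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            yield from scan_archive(zf.read(name), f"{location}!{name}",
                                    depth + 1, max_depth)


def scan_path(root: str) -> List[Finding]:
    """Scan every archive under a directory on disk (real deployments)."""
    findings: List[Finding] = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def _make_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_archives() -> Dict[str, bytes]:
    """Constructed samples (not real artifacts): a log4j-core jar, the same
    jar with JndiLookup.class removed, a fat jar nesting the first, and an
    unrelated jar. The class bytes are placeholders."""
    stub = b"\xca\xfe\xba\xbe"
    log4j = _make_zip({
        "org/apache/logging/log4j/core/Logger.class": stub,
        JNDI_LOOKUP_CLASS: stub,
        POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n",
    })
    stripped = _make_zip({
        "org/apache/logging/log4j/core/Logger.class": stub,
        POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n",
    })
    fat = _make_zip({"com/example/App.class": stub,
                     "BOOT-INF/lib/log4j-core-2.14.1.jar": log4j})
    plain = _make_zip({"com/example/Util.class": stub})
    return {"log4j-core-2.14.1.jar": log4j, "log4j-core-stripped.jar": stripped,
            "app-fat.jar": fat, "util.jar": plain}


def scan_samples() -> List[Finding]:
    findings: List[Finding] = []
    for name, data in build_sample_archives().items():
        findings.extend(scan_archive(data, name))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.location}: version={f.version} "
              f"JndiLookup={'present' if f.jndi_lookup_present else 'absent'}")
```

The version string is what a triage team compares against the vendor's fixed-version list; the scan itself only reports what is present, which is the step many organizations lacked. For a real deployment, call `scan_path("/opt/apps")` instead of `scan_samples()`; the nested-archive recursion is what surfaces copies hidden inside Spring Boot fat jars and WAR libraries.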

Complexity is still the enemy

If the adage that ‘complexity is the enemy of security’ is still true, then today the enemy is doing quite well. As enterprises attempt to secure more apps and APIs across increasingly disparate environments and platforms, there are more tools and interfaces required to keep track of them, leaving security professionals struggling to keep up. The same job now takes more time and expends more resources, with potentially greater risk for human error.

And if just meeting internal security needs weren’t enough, there are the looming demands of regulators, audits, and oversight from business partners, which create an ever-evolving and increasingly difficult data privacy and compliance landscape.

How F5 can help

F5’s core security strategy—Securing Apps & APIs Everywhere—is aimed at helping digitized organizations secure apps and APIs from the full spectrum of cyber threats and digital fraud.

Our focus is summarized in these three pillars:

1. Consistently secure both legacy and modern apps…wherever they reside. In the cloud, data center, or edge, you need consistent policy and control throughout. F5 offers a fabric for application security that breaks down silos and bridges legacy and modern app architectures.

You gain the flexibility to deploy apps wherever you need to (without the restrictions or inconsistencies that normally come with distributed environments) with consistent policy and enforcement.

2. Protect modern apps and their APIs at the speed of digital business. As apps and APIs are developed and deployed in dynamic, agile DevOps environments, F5 can help ensure that proper controls are automatically deployed, monitored, and adapted, irrespective of when personnel may otherwise think to ‘add’ security.

Your teams can achieve faster dev cycles, stronger protection, and simplified compliance for new apps and digitization projects, as well as real-time threat detection and remediation for cloud-native workloads and infrastructure.

Security teams gain peace of mind knowing that as DevOps teams optimize and upgrade apps ever faster, their risk-assessed security policy always remains in effect.

3. Continuously scale defenses with AI/data and connected intelligence. F5’s span of visibility is unique because we can see customers' transactions and interactions with apps, the functions of the apps themselves, and the infrastructure they reside on and communicate across.

F5’s large-scale data collection, combined with AI and with human context and oversight, helps determine the best course of action each time anomalies, vulnerabilities, and exploits are uncovered. You can scale your defenses while turbo-charging productivity through fewer false positives.

In practice, F5’s products and services help organizations across the world prevent active exploits of their apps. We mitigate bots, the OWASP Top 10, and many other types of attacks. We discover and control APIs. We protect the underlying application infrastructure. And we help stop fraud and malicious takeover of end-customer accounts. In short, we have a breadth of use cases we can help you address and protect.

In the coming weeks, we’ll be communicating and sharing more about how we deliver on these use cases, the benefits our customers are realizing, and why we believe securing your apps and APIs will be compulsory as the app-driven digital world continually evolves.