cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Australian businesses see API and web security getting harder, not easier

As environments become more digitised, security needs a refresh to keep standards high and threat actors out, writes Derek Rast from Fastly.

user iconDerek Rast
Fri, 27 Aug 2021
Derek Rast
expand image

In a modern Australian enterprise, you will typically find development teams that are under pressure to ship code faster. You’ll also find teams spinning up their own infrastructure in the cloud, on Kubernetes, or on the edge.

Increasingly, the person coding the product is the same person spinning up the infrastructure to host it. The combination of software development and IT operations is known as DevOps. A recent ESG survey conducted found 58 percent of Australian and New Zealand organisations employ DevOps methodologies, and a further 26 per cent plan to do so in the next 12-24 months.

Security needs to be slotted somewhere into this constellation of development and computing approaches. It makes sense, in the first instance, for security processes and controls to be injected into the DevOps approach itself.


This is often termed DevSecOps or similar. But ESG’s research shows only 17 per cent of ANZ organisations have incorporated security into their DevOps processes. That said, interest is high: 24 per cent plan to incorporate security into DevOps and just under 50 per cent are evaluating security use cases that can be incorporated into their DevOps processes.

The ‘Sec’ in DevSecOps typically adds a series of security gates or guardrails for app creation and hosting. It’s attractive in part because it allows the security team to influence the creation of web apps, APIs and other coded products, without having to be physically brought in for review at particular points in the development process.

Traditionally, security teams wielded influence to unilaterally slow – or stop – projects they felt weren’t bulletproof. While they didn’t want to be considered as a “Department of No”, it’s their responsibility to respond when a breach lands on their doorstep, not the folks in DevOps. Therefore, they are keen to make sure security considerations get full vetting before products get pushed out the door.

While DevSecOps adds security up to the point that the code is pushed into production, there is also the critical role of security in the overall IT environment. This includes the ongoing protection of web apps, cloud-based APIs and digital experiences.

The ESG study shows attackers are exploiting gaps in business-as-usual (BAU) defences to slip into large Australian business environments undetected.

9 out of 10 Australian organisations in the ESG study experienced at least 10 attacks on their web applications and APIs in the past year that went undetected by security tools until they had a negative impact of some kind. For a quarter of Australian respondents, the negative impacts included legal problems, compliance issues, a loss of revenue or brand damage. For one in five respondents, the breaches led to downtime and customer experience impacts.

Protective patchwork

APIs and web apps are increasingly targeted by attackers as an entry point into the organisation and a way to steal data. It isn’t necessarily the coding of the apps or APIs that is the problem. Instead, it’s how they are being protected when they are live in production and/or exposed to the public internet.

Our research shows that Australian businesses typically layer multiple web application and API security tools in the hope of creating defence-in-depth protection through several best-of-breed solutions. On average, they spend close to $580,000 annually on this patchwork of incompatible tools, which may number five or more.

Multiple tools that were not designed to work together create problems for development and security teams. Data correlation is difficult, there are multiple 'blind spots', and the amount of alerts generated – and proportion of false positives leads organisations to disable automated threat blocking capabilities within the tools, or in some cases to disable the tools in their entirety.

A new way forward

There are clear best practices that ANZ organisations can follow to reduce their security risk and exposure in a cloud and web-based digital world.

Security needs to live everywhere that apps and APIs reside. Organisations can’t rely on older tools that were not built with the modern decentralised enterprise in mind. In the modern world, you need to secure APIs and apps, whether they reside in the cloud or operate at the edge.

More than three-quarters of ANZ participants in the ESG study also plan to overhaul their security tooling and approach, and move to an evolved and consolidated web application and API security solution from a single vendor, viewing that as an effective, appropriate mid-to-long-term response to the situation.

Derek Rast is the area vice president – Australia and New Zealand, Fastly.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.