cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

How APIs are changing the landscape for IT security professionals

The careers of IT security professionals in 2022 can be described in a range of different ways, Stephen Gillies, APAC technology evangelist at Fastly, writes.

user iconStephen Gillies
Tue, 31 May 2022
How APIs are changing the landscape for IT security professionals
expand image

There’s the ongoing strong market demand for skills and the prospect of a bigger pay packet if someone is tempted to change jobs. There’s also the constantly evolving threat landscape that creates challenges and adds to already heavy daily workloads.

Amid this environment, security professionals must also stay ahead of advances in the tools and processes they are using to protect their organisation’s IT infrastructure from attack. Things that may have worked in the past are unlikely to be sufficient in the future.

The increasing role of APIs


One of the biggest changes sweeping through the IT security sector is the increasing use of application programming interfaces (APIs) and cloud-based resources. This is forcing many organisations to shift from using legacy web application firewalls (WAFs), built to secure web apps plugged into a database, to newer API-driven forms of protection. WAFs are now located at the edge.

Not only are these newer security tools logic-driven, but web apps are able to plug directly into them. This helps to meet critical business needs for things such as scale, performance, and effective protection.

When talking about the use of APIs in security services, it is important to remember that there is also a human element to consider. Traditionally, security teams have not been part of the software delivery workflow and so it’s unlikely they have been exposed to new technologies in the same way as engineering teams.

For example, security teams may not be familiar with newer API technologies such as GraphQL or understand how existing tools that are built for older implementations, like REST, will be deficient for such technologies.

Also, because security and engineering teams are often siloed, knowledge sharing between these tends to be limited. The solution is to offer a more centralised approach that ensures security teams are integrated into every stage of the software development process.

The risks of moving quickly

In the security landscape, speed of integration is often seen as a higher priority than following proper processes. This can lead to developers neglecting to tell IT teams about every new API they create for various aspects of the security stack.

While this might allow them to skip the approval queue for new tools, it does mean that companies often end up with more than 20 different APIs, each working slightly differently, to provide protection. It also results in a less robust security structure, as attackers will often be able to test each of these APIs individually to see which is most vulnerable.

Clearly there is a need for greater standardisation across the whole stack. However, this needs to be coupled with a comprehensive upgrade of legacy security tools. This is because ​​most security tools were built for monolithic web apps rather than APIs and, as a result, are unable to plug into modern security architectures.

Overcoming the challenge
Even with the most flexible deployment options, security solutions that are unable to plug into automated app development processes will never scale to meet the needs of modern environments.

It is critical that API security tools fit their processes and integrate with the tools that DevOps teams often use, such as Slack.

In addition to integrating with these tools, the next big step forward for web application and API security is to provide full automation across the entire stack. Simply put, all security solutions should have easy-to-use APIs that expose all of the functionality of the system.

This, in turn, will allow security teams to fully understand their security processes and give them the full control they need to be able to effectively manage them. Manual creation of rules and configurations, and rewriting policies when applications are deployed simply can’t keep up with the pace set by fully automated security systems. This step towards the future will also speed up security innovations by phasing out the human element of the equation.

The critical role played by APIs in modern business is going to continue to increase in the years ahead. Security teams need to be sure all APIs are managed and protected to reduce the risk of their organisation falling victim to cyber attacks.

Stephen Gillies is the APAC technology evangelist at Fastly.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.