It's Not Your Imagination: API and Web Security Is Getting Harder

With today's pace of rapid change, security must live everywhere that apps and APIs reside, and organizations can no longer rely on tools that weren't built with the decentralized enterprise in mind.

Zane Lackey, Co-Founder and CSO of Signal Sciences

August 17, 2021


We're living in a very different technology world. Change is happening so fast that enterprises often find themselves in a more challenging security position than they were in just a few years ago. Nobody is to blame, but the fact is that the traditional tools we use often cause more problems than they solve.

The advent of the modern, decentralized enterprise requires a modern, consolidated approach to Web application and API security. But as the findings in a recent Enterprise Strategy Group (ESG) customer survey make clear, that change has been difficult. In fact, ESG — which surveyed 500 organizations in North America, Europe, and Asia-Pacific and Japan — presents an enterprise landscape that is rapidly modernizing while security lags.

Think about this: Three-quarters of respondents said they use at least five different Web application and API tools — and many use far more than that. On average, respondents reported spending $2.6 million annually on 11 different tools for Web app and API security. Sadly, that is just a waste of money.

Tool Sprawl
The hope was that the deployment of multiple tools would buy improved protection. But at the end of the day, enterprises are often seeing just the opposite. Not only are organizations hard-pressed to adequately coordinate tasks between application and security owners, they also struggle with a lack of API protection, poor visibility, and difficulty correlating data across multiple tools.

Some highlights from the recent ESG study:

  • Respondents reported an average of 53 alerts per day from their Web application and API security tools.

  • With nearly half of all alerts tracking as false positives, nine in ten respondents reported this as a problem.

  • 75% of respondents indicated their organization spends as much or more time on false positives as on actual attacks.

  • 82% of respondents said their organizations had suffered successful attacks against their Web applications and APIs in the previous year.

  • 64% expect most or all of their applications to use APIs but increasingly worry about vulnerabilities, malware, and data exfiltration targeting these endpoints.

That doesn't constitute progress. That's a wake-up call for a course correction.

The Long, Winding Road
This problem is years in the making. Businesses added a patchwork of security tools, ostensibly to better protect their Web applications and APIs. But this older generation of tools now often counts as technical debt in many environments.

Modern security tools must plug effectively into a modern tech stack and then work with the rest of the DevOps toolchain, so that anyone in the organization can interact with the data that gets generated and the products deliver real value.

In years past, security teams wielded the influence to unilaterally slow — or stop — projects they felt weren't bulletproof. Today, while they operate in a more intricate organizational universe, they simply ask that security considerations be fully vetted before products are pushed out the door.

In the modern enterprise, different teams spin up their own infrastructure in the cloud, Kubernetes, serverless, or on the edge. It's a new reality where you must be able to slot in security technologies with an architecture that works within a constellation of computing approaches. These days, your security stack must plug into your Slack or your Teams as well as your SIEM app so the broader technology organization can self-serve and get value without needing to know the tool inside-out.

Rethinking Your Tools Strategy
As enterprises undergo the process of digital transformation, they'll be forced to deal with this soon. The rate of change is increasing exponentially with the introduction of new technologies. And the pace is not slowing down.

Security needs to live everywhere that apps and APIs reside, and organizations can't rely on older tools that were not built with the decentralized enterprise in mind. In the modern world, you need to secure APIs and apps, whether they reside in the cloud or operate at the edge.

Practitioners need technologies that plug into the rest of the development toolchain. Your architecture must be able to work not only with any legacy apps, but with any of the more modern APIs and apps in your shop. Don't think you can get by with an architecture that only meets today's development plans. Those going through digital transformation find their architecture must adapt as the organization evolves.

More than anything, organizations that successfully navigate digital transformation find that security needs to lead the way in enabling the shift rather than trying to slow it down.

About the Author

Zane Lackey

Co-Founder and CSO of Signal Sciences

Zane Lackey is the co-founder and CSO at Signal Sciences, now part of Fastly, where he serves as the global head of security product strategy. Lackey is author of Building a Modern Security Program (O'Reilly Media). He serves on multiple advisory boards, including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of DevOps as CISO of Etsy.
