Top features for effective web app and API security tools


API-powered technology is providing a better user experience, thanks to its ability to deliver more functionality than ever before. However, we are also finding that these advances are outpacing those in cybersecurity. Here, Fastly’s Sean Leach, Chief Product Architect, discusses the must-have features of web app and API security tools.

About the author

Sean Leach is Chief Product Architect at Fastly.

It has become apparent that, in order to keep up with advances in applications, security tools need to be more advanced, with solutions that include flexible deployment, DevOps support, and strong API protection. It is an issue faced by many enterprises. In the recent research report, “Reaching the Tipping Point of Web Application and API Security,” we found that more than half of respondents said that most, if not all, of their applications will use APIs in the next two years. This is despite their belief that web application and API security is more complicated today than it was two years ago, in part because of the shift to public cloud and API-centric applications.

In order to deliver effective modern web application and API protection (WAAP) solutions, vendors must incorporate an extensive range of features and capabilities. I’ve pulled out six characteristics that I believe are ‘must-haves’ for any successful web app and API security tool:

1. Visibility is key

As the market moves from legacy web application firewalls to modern web application and API protection, APIs are increasingly the focus of security strategies. As a result, visibility into the APIs being used, the traffic flowing to them, and the responses those endpoints return are all critical for unified solutions. This includes support for newer API technologies such as GraphQL.

2. Incorporate different architectures

To protect legacy, container-based, and serverless applications across both on-premises and cloud infrastructure, modern solutions must provide deployment flexibility. Simply put, modern security systems need to be able to provide protection at both ends of the spectrum. It is no good catering solely to an application’s most up-to-date technology if the security provided leaves easily exploitable holes in older tech. Given the vast number of ways they can be deployed, alongside their relative simplicity, APIs are the obvious architectural solution to this need for flexibility, delivering choice and consistency regardless of the type of application being protected.

3. Seamless integration with DevOps processes and tools

No matter how flexible the deployment options are, if the solutions offered are not able to plug directly into pre-existing automated delivery processes, they will never be able to scale to meet the needs of modern environments. Given the important role application teams play with regards to security, it is critical that web application and API security tools fit their processes and integrate with the tools that DevOps teams use.

4. Automation across the infrastructure

Manual creation of rules and configurations often cannot keep up with the pace of innovation. WAAP tools provide a huge slice of the solution here. These are highly specialized security tools that sit on the public side of an application and analyze all incoming traffic to assess threats. This may sound like a simple task, but by automating their operation around contextual markers they learn to recognize, a WAAP can send indicators to the right parts of the security team in real time.

5. Non-stop updates

The dynamic threat landscape makes manually updating, testing, and deploying rulesets a daunting task. Tools that automate updates remove this requirement and help deliver the operational benefits users expect when moving to a unified solution.

6. Blocking based on malicious intent

Relatedly, signature-based detection is less effective when attackers are constantly changing tactics. This contributes to false positives, which account for nearly half of all alerts, according to our research. Automated identification of the intent behind a request, rather than just applying static predefined rules, is important, but it must be done without increasing false negatives.
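To make the contrast concrete, here is an added illustration (not code from this article or from Fastly) of a signature-only decision beside a per-client intent score computed over a constructed request log; the signal names, window and threshold are assumptions, and the last check shows the false-negative risk when the window is too tight.

```python
from collections import defaultdict, deque

# Constructed sample log: (client, time_s, matched_signature, status).
# "matched_signature" is the name an upstream rule engine would emit for
# a request, or None when no rule matched.
SAMPLE_LOG = [
    ("client-a", 0, "sqli", 200),   # benign search text tripping a naive SQLi pattern
    ("client-a", 5, None, 200),
    ("client-a", 9, None, 200),
    ("client-b", 1, "sqli", 401),
    ("client-b", 2, "sqli", 401),
    ("client-b", 3, None, 404),     # error following a match from the same client
    ("client-b", 4, "traversal", 404),
    ("client-b", 6, "sqli", 401),
]

WINDOW_S = 60    # assumed sliding window for per-client signals
THRESHOLD = 3    # assumed number of suspicious events before blocking


def signature_policy(log):
    """Static rule: block every client that matches any signature at all."""
    return {client for client, _, sig, _ in log if sig is not None}


def intent_policy(log, window_s=WINDOW_S, threshold=THRESHOLD):
    """Block a client only once it accumulates `threshold` suspicious events
    within `window_s` seconds. An event is suspicious when a signature
    matched, or when an error status (401/403/404) follows an earlier
    suspicious event from the same client inside the window."""
    events = defaultdict(deque)   # client -> timestamps of suspicious events
    blocked = set()
    for client, t, sig, status in sorted(log, key=lambda r: r[1]):
        q = events[client]
        suspicious = sig is not None or (status in (401, 403, 404) and len(q) > 0)
        if not suspicious:
            continue
        q.append(t)
        while q and t - q[0] > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(client)
    return blocked


if __name__ == "__main__":
    print("signature-only blocks:", sorted(signature_policy(SAMPLE_LOG)))
    print("intent-based blocks:  ", sorted(intent_policy(SAMPLE_LOG)))
```

The signature-only policy blocks client-a on a single benign match, while the intent-based policy blocks only client-b; shrinking the window to one second blocks nobody, which is the false-negative side of the same trade-off.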

Moving forward

Switching to new security solutions can be a daunting process, but it’s even harder to recover from a major security breach. Investing the time in this project can lead to real change in your business, helping you make your apps and APIs more secure and move towards consolidated security tooling. For more information on how to get started updating and consolidating your processes and security stacks, check out this blog or download our recent report here.

Sean Leach is Chief Product Architect at Fastly. He has over 20 years’ experience building and scaling the technology and products around large-scale, mission-critical infrastructure.