The 6 essential features of modern web app and API security tools
As online experiences become increasingly powered by APIs, we’re seeing two things happen. First, the user is getting a more exciting and full-featured experience than ever before thanks to highly personalized content, lightning-fast streaming media, and complex logic built at the edge. Second, the technology to provide these experiences is outpacing the tools designed to secure it. If you’re feeling this dichotomy, you’re not alone.
More than half of the respondents in “Reaching the Tipping Point of Web Application and API Security,” a report we produced in partnership with Enterprise Strategy Group (ESG) Research, say most or all of their applications will use APIs in the next two years — despite the fact that they believe web application and API security is more difficult today than it was two years ago in part because of these shifts to public cloud and API-centric applications.
The takeaway here is that modern applications need modern security tools that include flexible deployment, DevOps support, and strong API protection. To deliver on these outcomes, modern web application and API (WAAP) security solutions must have a broad range of features and capabilities. Below, we’ve identified the six most important characteristics of modern web app and API security tools.
1. Visibility and protection
As the market has moved from web application firewalls to web application and API protection, it should be obvious that APIs are increasingly the focus of security strategies. As a result, visibility into the APIs being used, the traffic flowing to them, and the associated response of these endpoints are all critical for unified solutions. This includes support for new API technologies such as GraphQL.
2. Coverage for different architectures
To protect legacy, container-based, and serverless applications across both on-premises and cloud infrastructure, modern solutions must provide deployment flexibility. The ability to integrate with load balancers and API gateways when possible, run as reverse proxy, deploy in Kubernetes, or as software-as-a-service (SaaS) delivers choice and consistency regardless of the type of application being protected.
3. Integration with DevOps tools
No matter how flexible the deployment options are, solutions that don’t plug directly into the CI/CD process to ensure security as applications are pushed to production cannot scale to meet the needs of modern environments. Given the important role application teams play with regards to security, it is critical that web application and API security tools fit their processes and integrate with the tools that DevOps teams often use, such as Slack, PagerDuty, Jira, and others.
4. Automation and orchestration
In addition to integrating with DevOps tools, web application and API security solutions must provide automation and allow for orchestration across the entire application infrastructure. Manual creation of rules and configurations and rewriting of policy when applications are deployed can’t keep up with the pace of innovation. WAAP solutions truly built for rapid release cycles empower incident response workflows by automating the flow of security events based on granular event classification and context, enabling the WAAP to send indicators to the right teams in real time.
5. Continuous updates
The dynamic threat landscape makes manually updating, testing, and deploying rulesets a Sisyphean task. Tools that remove this requirement by automating updates can help deliver the operational benefits users expect when moving to a unified solution.
6. Behavioral-based blocking
Relatedly, signature-based detection is less effective when attackers are constantly changing tactics and contributes to proliferation of false positives, which account for nearly half of all alerts, according to our research. Identifying the intent behind the request as opposed to waiting for the request itself to be recognized as malicious is important but must be done without generating false positives or increasing false negatives.
It can seem daunting to take on the task of researching new tools and then updating your stack. But the reality of the situation is that the temporary effort it’ll take to modernize your security tooling is well worth eliminating the risk you take by using legacy or immature tools.
Check out a few tips on how to get started updating and consolidating your processes and security stacks. And for more information on this pressing topic, download the complete report.