As I talk to customers around the world about securing their applications I've noticed a specific topic keeps coming up more and more often: Securing their APIs - both public and internal varieties. RESTful JSON APIs seem to be the most prevalent these days, but I still hear about SOAP and XML APIs, as well as some customers on the bleeding-edge with GraphQL APIs they want to protect.
Let's talk about the future of application security. For those of us who have been designing network and application security architectures over the past couple of decades, it has been impossible not to notice that the pace of change has accelerated in the last few years. Static, legacy architectures are giving way to dynamic, auto-scaled microservices architectures. But can we continue to secure applications delivered through CI/CD pipelines, where code changes ship many times a day, using legacy approaches built around infrequent, manually reviewed releases?
We need to face reality: web application protection is incredibly challenging in the agile, cloud-based world in which businesses operate. Many organizations focus their security strategy on the applications themselves, a never-ending cycle of "patch and pray" in which each newly disclosed flaw is fixed after the fact. Trying to guide applications safely through the barrage of attacks, the multiplicity of technologies, and the growing sophistication of attackers is like trying to follow an obscure map: you can see your final destination, but new obstacles appear every hour. This, coupled with frustration at the limited intelligence of legacy WAFs (signature-based rules that need constant tuning and still produce false positives and false negatives), has created overburdened security teams and "firewall fatigue."