APIs have altered the attack surface of modern applications and exposed new gaps in security in the process. In the old days, virtually all application traffic passed through the web front-end of an application, and unsurprisingly that is where security efforts were focused. APIs have quickly and thoroughly eroded this basic assumption.
Web security is not a new concept. From the dawn of the Internet, cyber criminals have been experimenting with and mastering ways to exploit the data housed within online properties. And as businesses increasingly transition online, the volume of attacks has skyrocketed. According to a recent study,* the number of new vulnerabilities per month exceeded 17,000 in 2018. That’s nearly a 23% increase from 2017. From 10-person startups to thousand-person enterprises, cyber threats are an equally legitimate concern (or at least they should be). Arm yourself with the tools you need to protect your business from malicious attacks (automated or not). The first step is familiarizing yourself with the keywords/terms used most frequently in the application security space.
The following post details, in alphabetical order, the first 10 keywords:
In a world where speed and agility are expected by consumers and required for business operations, automation has become a key component of successful enterprise operations, from identity and access management to patching. But it goes beyond that. Automation has enabled many security teams to transfer maintenance burdens and manual tasks from people to applications, which, in turn, frees skilled human workers to focus their energy on strategic initiatives. Unfortunately, that's not the end of the story. Without proper parameters, automation can actually introduce critical security vulnerabilities and serve more as an adversary than an ally.
You would never leave the keys to your building lying around, so why do so many organizations leave the keys to their business exposed?
Automation has become a central component of growing and successful businesses. This holds true in the cybersecurity sector as well, specifically in identity and access management, patching, and network change management. No matter the business, the goal of automation remains the same: improving response and task completion times, or freeing skilled human labor from mundane tasks. And while automation successfully returns those benefits, among many others, if automation functions are not implemented with a few key considerations, the implications can end up outweighing the benefits.
The term “next-generation” gets thrown around a lot in security. Marketers have overused the term to the point that, for many, it has become an empty buzzword used to describe virtually anything. On the other hand, technology does go through major transformational changes where new approaches are needed to replace the old ways of doing things. The rise of next-generation firewalls (NGFWs), which replaced the old port-based firewalls, is a classic example of this sort of transformation.
*We are thrilled to introduce and feature David Geer on the ThreatX Blog. David is a content marketing writer and market influencer specializing in cybersecurity.*
You’ve heard that nation-state hackers stole 145 million consumer records in the 2017 Equifax breach. Did you know that this attack and breaches at Amazon, Facebook, T-Mobile, and the Black Hat security conference all targeted vulnerable APIs?
Thanks to APIs, your consumers, employees, and partners benefit from robust applications with rich features. But cyberthugs profit too, because they can leverage APIs and their flaws to get to your data.
Thousands of new APIs become available each year on ProgrammableWeb.com alone. The global cloud API market will generate more than $1.7 billion in revenues by 2026, according to Persistence Market Research. With organizations like yours creating and using more APIs each year, the attack surface grows ever broader. Any solution must surround and secure your APIs, apps, and data despite the burgeoning landscape.
Application security is undergoing a broad transformation, from the way applications are architected, developed, and deployed to the ever-evolving diversity and scale of the threats they face. Driving this transformation is the growing complexity of application portfolios, which are providing more engaging experiences for customers but are also housing more and more data. Often, this is accomplished through Application Programming Interfaces (APIs), which can be external-facing as well as connected to back-end systems. In addition, applications are becoming more modular or are broken into microservices.
As a result, legacy, rules-based web application firewalls (WAFs) like F5 and Imperva Incapsula are not equipped to keep pace with today's dynamic application and threat environments. These tools are increasingly unable to keep up with sophisticated, high-impact threats. Security teams need the right tools and strategies built for these new realities. Enter the next-gen WAF.