The Evolution of API Security

We're seeing a rapid evolution in web application security tools – from WAFs to WAAPs to API Threat Protection. Legacy vendors are scrambling to catch up – moving from appliances to cloud, adding API threat detection capabilities to existing platforms, providing a myriad of capabilities that don't contribute to security or duplicate other capabilities that already exist in the security stack.

In a replay of the bad old days, security teams are often brought in late to the game (or after). The move to "shift left" is absolutely important, but not sufficient -- security teams also need the ability to "shield right" (just like we had to with physical endpoints).

API-specific security tools need to account for a wide swath of challenges:

• Different protocols (like REST, GraphQL, gRPC, etc.) – each presenting a different security challenge.
• A myriad of deployment options – it's not a single network anymore, but rather a multiverse.
• An open target – API are, by definition & design, open so the job of protecting them is much more difficult than before.
• Continuous attacks – making continuous detection and response critical to modern organizations in order to continue to innovate, compete, and better serve customers.
• Public-facing APIs are just the tip of the iceberg – as the recent Uber hack demonstrated, we're back to the days of "hard shell / gooey tasty insides" (which failed before), so API security must really bring the "zero-trust" to protect organizations.

‍