Application Security

3/24/2021 10:00 AM
Zane Lackey
Commentary

Prioritizing Application & API Security After the COVID Cloud Rush

As companies hit the gas to accommodate the rapid shift to work-from-home, security fell behind. Now, it's time to close those gaps.

Companies often find themselves playing catch-up with their infrastructure. As a chief information security officer (CISO), it's happened to me at various points in my career, and I'm sure it's happened to you. It happened to almost everyone in 2020, as organizations scrambled to meet the radically different demands of what we now call the new normal.

The COVID-19 pandemic forced businesses to shift to a new work model, and it turbocharged digital transformation plans that might have been unfolding at a more leisurely pace. Things that were on the back burner suddenly turned into the highest-priority projects. Things that normally took years happened in months. But as companies hit the gas, they didn't always put security front and center, particularly as new applications and APIs were rolling quickly off the pipeline.

It's understandable. We often light huge corporate bonfires to get something established and working in a hurry. And we just passed through a unique phase in history where five-year time horizons were compressed into eight or nine months.

Now it's time to go back and fill the holes. Which applications need a security boost? Which APIs need better protection? Job No. 1 for security and development leaders in 2021 should be to find any structures put in place over the last year that gave short shrift to Web application and API security. Before pushing more digitization, make sure your organization's systems and processes are as resilient and secure as possible.

So, let's take a step back and examine which parts of the process will need particular attention over the next year.

Web Applications and APIs Are Critical to Business
Consider, for example, what's going on with consumer goods companies that make products like paper towels. Before COVID, their websites functioned as glorified marketing outlets. But when the pandemic hit, everything changed. Suddenly, there was incredible urgency to ramp up direct-to-consumer efforts as they rushed to expand global e-commerce operations while also figuring out how to secure partner APIs. Apps and APIs went from being afterthoughts to critical business considerations virtually overnight.

Meanwhile, mobile apps have become indispensable. And, of course, if it's a mobile app, it's powered by APIs. APIs are now critical components for everything from mobile ordering to checking inventory and order status to tracking shipments from the warehouse to curbside delivery. The problem is that API security has often been an afterthought. There's no longer a reason for delay. Companies should inventory their applications and their APIs and recalibrate their security strategy to make sure all are protected with modern processes and defensive technologies that can do the job.

It's Easy, but Not Wise, for Developers to Ignore Security
It's never been easier for developers to ignore security. The reality is that security cannot just be required. It has to provide value in a way that supports modern application and development architectures.

Let's be blunt: If you're an app or API developer, you're not seeing the security team in the office anymore. Welcome to Workplace 2021, which likely won't look all that different from Workplace 2020. So, if the security experts instruct developers to add a piece of antiquated, legacy code that might break the app, that order will be ignored. That's just the reality — unless you're talking about a highly regulated industry where you can't ignore security for legal reasons.

CISOs and chief technology officers (CTOs) will need to stay on top of this and continue to bring their security and development teams closer together. Historically, these have been lousy relationships with conflicting goals and years of accumulated bad experiences. Saying "no" is no longer a sufficient security team directive. And ignoring security is no longer an acceptable development team response. The key takeaway is that security cannot rely on a "because-I-said-so" approach. It has to provide value. It has to support modern application and development architectures. And it needs to provide visibility for the benefit of both developers and security teams. This is a chance to step up.

Security and Scale Need to Go Hand in Hand
The security demands on Web applications and APIs are only going to get greater in 2021. In the last year, many organizations have been forced to rip out legacy systems because they didn't scale. It was a painful exercise, but they needed something that could scale massively — 10- or 100-fold — in traffic almost overnight.

The last year was extraordinary, but it's likely not an anomaly. CISOs must be prepared to handle the likelihood of recurring work-from-home demand spikes as well as massive bursts in traffic. Companies are learning how to deal with the challenge of scale in a version of trial by fire. Some never had to do anything remotely. Others may have been further along in their digital transformation plans and could push projects forward quickly. Every organization will need to inject this into their DNA — or suffer the consequences when their systems fail to deliver.

As we shift from scramble mode to scaling mode, development and security teams will need Web application and API security that works across all their delivery modes. It doesn't scale to have one security system for one type of application, another system for another type of application, etc. Modern development inherently spans a range of delivery models, from data centers to multiple clouds to containers and serverless. You'll need to rethink your approach to deliver security at scale, which requires technology that provides uniform protection for all Web applications and APIs wherever they live. This is a chance for everyone to step up to the challenge.

Zane Lackey is the co-founder and CSO at Signal Sciences, now part of Fastly, where he serves as the global head of security product strategy. Lackey is author of Building a Modern Security Program (O'Reilly Media). He serves on multiple advisory boards, including the ...