Application Security

Zane Lackey

Prioritizing Application & API Security After the COVID Cloud Rush

As companies hit the gas to accommodate the rapid shift to work-from-home, security fell behind. Now, it's time to close those gaps.

Companies often find themselves playing catch-up with their infrastructure. As a chief information security officer (CISO), it has happened to me at various points in my career, and I'm sure it has happened to you. It was especially true in 2020, as organizations scrambled to meet the radically different demands of what we now call the new normal.

The COVID-19 pandemic forced businesses to shift to a new work model, and it turbocharged digital transformation plans that might have been unfolding at a more leisurely pace. Things that were on the back burner suddenly turned into the highest-priority projects. Things that normally took years happened in months. But as companies hit the gas, they didn't always put security front and center, particularly as new applications and APIs were rolling quickly off the pipeline.

It's understandable. We often light huge corporate bonfires to get something established and working in a hurry. And we just passed through a unique phase in history where five-year time horizons were compressed into eight or nine months.

Now it's time to go back and fill the holes. Which applications need a security boost? Which APIs need better protection? Job No. 1 for security and development leaders in 2021 should be to find any structures put in place over the last year that gave short shrift to Web application and API security. Before pushing more digitization, make sure your organization's systems and processes are as resilient and secure as possible.

So, let's take a step back and examine which parts of the process will need particular attention over the next year.

Web Applications and APIs Are Critical to Business
Consider, for example, what's going on with consumer goods companies that make products like paper towels. Before COVID, their websites functioned as glorified marketing outlets. But when the pandemic hit, everything changed. There was incredible urgency to ramp up direct-to-consumer efforts as they rushed to expand global e-commerce operations while also figuring out how to secure partner APIs. Apps and APIs went from being afterthoughts to critical business considerations virtually overnight.

Meanwhile, mobile apps have become indispensable. And, of course, if it's a mobile app, it's powered by APIs. APIs are now critical components for everything from mobile ordering to checking inventory and order status to tracking shipments from the warehouse to curbside delivery. The problem is that API security has often been an afterthought. There's no longer a reason for delay. Companies should inventory their applications and their APIs and recalibrate their security strategy to make sure all are protected with modern processes and defensive technologies that can do the job.

It's Easy, but Not Wise, for Developers to Ignore Security
It's never been easier for developers to ignore security. The reality is that security cannot just be required. It has to provide value in a way that supports modern application and development architectures.

Let's be blunt: If you're an app or API developer, you're not seeing the security team in the office anymore. Welcome to Workplace 2021, which likely won't look all that different from Workplace 2020. So, if the security experts instruct developers to add a piece of antiquated, legacy code that might break the app, that order will be ignored. That's just the reality — unless you're talking about a highly regulated industry where you can't ignore security for legal reasons.

CISOs and chief technology officers (CTOs) will need to stay on top of this and continue to bring their security and development teams closer together. Historically, these have been lousy relationships with conflicting goals and years of accumulated bad experiences. Saying "no" is no longer a sufficient security team directive. And ignoring security is no longer an acceptable development team response. The key takeaway is that security cannot rely on a "because-I-said-so" approach. It has to provide value. It has to support modern application and development architectures. And it needs to provide visibility for the benefit of both developers and security teams. This is a chance to step up.

Security and Scale Need to Go Hand in Hand
The security demands on Web applications and APIs are only going to get greater in 2021. In the last year, many organizations have been forced to rip out legacy systems because they didn't scale. It was a painful exercise, but they needed something that could scale massively — 10- or 100-fold — in traffic almost overnight.

The last year was extraordinary, but it's likely not an anomaly. CISOs must be prepared to handle the likelihood of recurring work-from-home demand spikes as well as massive bursts in traffic. Companies are learning how to deal with the challenge of scale through a version of trial by fire. Some had never had to do anything remotely before. Others may have been further along in their digital transformation plans and could push projects forward quickly. Every organization will need to inject this into its DNA — or suffer the consequences when its systems fail to deliver.

As we shift from scramble mode to scaling mode, development and security teams will need Web application and API security that works across all their delivery modes. It doesn't scale to have one security system for one type of application, another system for another type of application, etc. Modern development inherently spans a range of delivery models, from data centers to multiple clouds to containers and serverless. You'll need to rethink your approach to deliver security at scale, which requires technology that provides uniform protection for all Web applications and APIs wherever they live. This is a chance for everyone to step up to the challenge.

Zane Lackey is the co-founder and CSO at Signal Sciences, now part of Fastly, where he serves as the global head of security product strategy. Lackey is author of Building a Modern Security Program (O'Reilly Media). He serves on multiple advisory boards, including the ...
