Prioritizing Application & API Security After the COVID Cloud Rush

As companies hit the gas to accommodate the rapid shift to work-from-home, security fell behind. Now, it's time to close those gaps.

Zane Lackey, Co-Founder and CSO of Signal Sciences

March 24, 2021

5 Min Read

Companies often find themselves playing catch-up with their infrastructure. As a chief information security officer (CISO), it's happened to me at various points in my career, and I'm sure it's happened to you. Especially in 2020, as organizations scrambled to meet radically different demands of what we now associate with the new normal.

The COVID-19 pandemic forced businesses to shift to a new work model, and it turbocharged digital transformation plans that might have been unfolding at a more leisurely pace. Things that were on the back burner suddenly turned into the highest-priority projects. Things that normally took years happened in months. But as companies hit the gas, they didn't always put security front and center, particularly as new applications and APIs were rolling quickly off the pipeline.

It's understandable. We often light huge corporate bonfires to get something established and working in a hurry. And we just passed through a unique phase in history where five-year time horizons were compressed into eight or nine months.

Now it's time to go back and fill the holes. Which applications need a security boost? Which APIs need better protection? Job No. 1 for security and development leaders in 2021 should be to find any structures put in place over the last year that gave short shrift to Web application and API security. Before pushing more digitization, make sure your organization's systems and processes are as resilient and secure as possible.

So, let's take a step back and examine which parts of the process will need particular attention over the next year.

Web Applications and APIs Are Critical to Business
Consider, for example, what's going on with consumer goods companies that make products like paper towels. Before COVID, their websites functioned as glorified marketing outlets. But when the pandemic hit, everything changed. Suddenly, there was incredible urgency to ramp up direct-to-consumer efforts as they rushed to expand global e-commerce operations while also figuring out how to secure partner APIs. Suddenly, apps and APIs went from being afterthoughts to critical business considerations virtually overnight.

Meanwhile, mobile apps have become indispensable. And, of course, if it's a mobile app, it's powered by APIs. APIs are now critical components for everything from mobile ordering to checking inventory and order status to tracking shipments from the warehouse to curbside delivery. The problem is that API security has often been an afterthought. There's no longer a reason for delay. Companies should inventory their applications and their APIs and recalibrate their security strategy to make sure all are protected with modern processes and defensive technologies that can do the job.

It's Easy, but Not Wise, for Developers to Ignore Security
It's never been easier for developers to ignore security. The reality is that security cannot just be required. It has to provide value in a way that supports modern application and development architectures.

Let's be blunt: If you're an app or API developer, you're not seeing the security team in the office anymore. Welcome to Workplace 2021, which likely won't look all that different from Workplace 2020. So, if the security experts instruct developers to add a piece of antiquated, legacy code that might break the app, that order will be ignored. That's just the reality — unless you're talking about a highly regulated industry where you can't ignore security for legal reasons.

CISOs and chief technology officers (CTOs) will need to stay on top of this and continue to bring their security and development teams closer together. Historically, these have been lousy relationships with conflicting goals and years of accumulated bad experiences. Saying "no" is no longer a sufficient security team directive. And ignoring security is no longer an acceptable development team response. The key takeaway is that security cannot rely on a "because-I-said-so" approach. It has to provide value. It has to support modern application and development architectures. And it needs to provide visibility for the benefit of both developers and security teams. This is a chance to step up.

Security and Scale Need to Go Hand in Hand
The security demands on Web applications and APIs are only going to get greater in 2021. In the last year, many organizations have been forced to rip out legacy systems because they didn't scale. It was a painful exercise, but they needed something that could scale massively — 10- or 100-fold — in traffic almost overnight.

The last year was extraordinary, but it's likely not an anomaly. CISOs must be prepared to handle the likelihood of recurring work-from-home demand spikes as well as massive bursts in traffic. Companies are learning how to deal with the challenge of scale in a version of trial by fire. Some never had to do anything remotely. Others may have been further along in their digital transformation plans and could push projects forward quickly. Every organization will need to inject this into their DNA — or suffer the consequences when their systems fail to deliver.

As we shift from scramble mode to scaling mode, development and security teams will need Web application and API security that works across all their delivery modes. It doesn't scale to have one security system for one type of application, another system for another type of application, etc. Modern development inherently spans a range of delivery models, from data centers to multiple clouds to containers and serverless. You'll need to rethink your approach to deliver security at scale, which requires technology that provides uniform protection for all Web applications and APIs wherever they live. This is a chance for everyone to step up to the challenge.

About the Author(s)

Zane Lackey

Co-Founder and CSO of Signal Sciences

Zane Lackey is the co-founder and CSO at Signal Sciences, now part of Fastly, where he serves as the global head of security product strategy. Lackey is author of Building a Modern Security Program (O'Reilly Media). He serves on multiple advisory boards, including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of DevOps as CISO of Etsy.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights