Designing Appsec in the Age of APIs and Microservices
Change is a constant part of security. Security teams face new threats, vulnerabilities, and intelligence on a daily basis. Today, however, change is occurring on a much larger scale. Fundamental changes to the way that applications are developed, architected, and delivered are challenging some of the basic assumptions that Web Application Firewalls (WAFs) have relied on for decades.
- Organizations no longer have just a few apps with a few paths to access. Instead, they have many apps, each often dependent on and delivered through a myriad of APIs.
- Microservice architectures have made apps more modular and easier to develop, but rely heavily on internal communication that traditional security appliances can’t see.
- DevOps and CI/CD pipelines are driving fast, continuous development, and security needs to be able to keep pace without slowing down delivery or losing efficacy.
This paper analyzes each of these major shifts and how they impact modern AppSec strategies. We will examine some of the drivers behind the trends and the challenges they pose to traditional security, and finally provide examples of how security can move forward.