OPEN TALK (API): The Evolution of API Security

Ivan Novikov
Wallarm, Co-founder & CEO

Ivan Novikov is the CEO and co-founder of Wallarm and an "ethical hacker" security professional with over 12 years of experience in security services and products. He is an inventor of memcached injection and SSRF exploit class (as well as author of the SSRF bible), and the recipient of bounty awards from Google, Facebook, Twitter and others. He is an API security evangelist concerned with the discovery and prevention of API vulnerabilities and threats. He has presented at Black Hat, RSA Conference and numerous other events.

We're seeing a rapid evolution in web application security tools – from WAFs to WAAPs to API Threat Protection. Legacy vendors are scrambling to catch up – moving from appliances to cloud, adding API threat detection capabilities to existing platforms, providing a myriad of capabilities that don't contribute to security or duplicate other capabilities that already exist in the security stack.

In a replay of the bad old days, security teams are often brought in late to the game (or after). The move to "shift left" is absolutely important, but not sufficient -- security teams also need the ability to "shield right" (just like we had to with physical endpoints).

API-specific security tools need to account for a wide swath of challenges:
- Different protocols (like REST, GraphQL, gRPC, etc.) – each presenting a different security challenge.
- A myriad of deployment options – it's not a single network anymore, but rather a multiverse.
- An open target – API are, by definition & design, open so the job of protecting them is much more difficult than before.
- Continuous attacks – making continuous detection and response critical to modern organizations in order to continue to innovate, compete, and better serve customers.
- Public-facing APIs are just the tip of the iceberg – as the recent Uber hack demonstrated, we're back to the days of "hard shell / gooey tasty insides" (which failed before), so API security must really bring the "zero-trust" to protect organizations.