Next Steps for Application Security – Part 2
In the first post of this pair, we advocated investments in application security testing and open source vulnerability management tools as a promising way to get started with DevSecOps – one of the major, transformational trends impacting today’s enterprises. In this second post, intended to highlight key areas/technologies showcased in our 2018 Cyberthreat Defense Report, we turn our attention to API gateways.
So, besides the whole DevSecOps thing, two other trends from the application development landscape are:
- the replacement of traditional application architectures with microservices (to enable greater re-use of components, speed of development, and agility); and,
- the increasing externalization not only of individual services, but also, in some cases, entire applications (to enable third-party integration and unlock unforeseen potential).
Throw IoT, mobile devices, cloud services, and software-defined computing into the mix, and the outcome is an exponential growth in APIs and their usage.
For externalization scenarios in particular, there is a resulting need to not only mediate API access, but also ensure reliable fulfillment of associated requests. Answering the call in this case is a relatively new infrastructure component known as the API gateway. Essential security features of these products include: multi-layer authentication, authorization, and auditing (i.e., of the requesting device, service/application, and user); threat protection; data leakage protection; and data encryption.
Beyond the realm of security, important capabilities involve language transformation (i.e., XML/JSON, SOAP/REST), request/response validation, session persistence, caching, load balancing, and usage-rate monitoring and control. Maybe we’re off base here, but the net result sounds a lot like an application delivery controller (ADC) to us, which is why we expect to see some crossover and/or consolidation between these product segments before too long.
Regardless of how API gateways evolve, though, one thing is clear: based on the findings from our 2018 Cyberthreat Defense Report, they are poised to be the hot-ticket item for 2018 in the application and data security segment.
For further insights on API gateways and other IT security trends – or to develop compelling marketing content to capitalize on them – just drop us a line.