If we come from a software engineering background we immediately say it is the developers. Some enterprise people will go ahead and say that it is the combined duty of infrastructure and development: infra has to set up proper VPN access, firewalls, etc. If we scope it to public internet applications, we pretty much hear one answer: it is the duty of developers, developers, developers. Maybe some will say it is architecture too, but if it is not at enterprise level, application architecture is mostly part of development.
There are some problems with leaving the duty of security to developers:
- Developers always focus, or have to focus, on application features.
- Developers are not experts in the security field. They are not expected to be up to date with all the security vulnerabilities found in the world.
There could be more problems we could think of. So what is the solution in the unsecured world of IT?
One simple answer is to free developers from the security aspect and give it to security experts. Hiring one security expert and having him look at every line of code produced is not a great idea either. So what to do? Is buying or renting a security product / service a viable option? It seems more viable than betting on developers securing the applications. Those applications or services are often referred to as API Management Gateways.
What do these API Management Gateways do?
Suppose a developer leaves a SQL injection hole, it is missed in the testing stages and reaches production; these gateways are expected to block the SQL injection attack by inspecting the payload/traffic. Similarly, other attacks are also supposed to be handled by the gateway before they reach the application servers.
http://www.forumsys.com/product-solutions/api-security-management/
https://www.roguewave.com/products-services/akana/solutions/api-security
http://www.apiacademy.co/resources/api-management-lesson-201-api-security/
Most of the players are cloud ready. Even cloud providers such as Microsoft Azure have their own offerings to secure applications in the cloud.
Will these gateways reduce performance?
Nothing comes for free. If someone is claiming it adds 0 delay they are wrong. Somewhere, instructions have to execute which validate the traffic and take a decision. They can make it fast enough that it is not visible from the outside. In order to speed up, they often use dedicated appliances or hardware instead of commodity servers.
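To make the two points above concrete (payload inspection in front of the application, and the cost it adds per request), here is an added example that is not from the original post or any gateway product: a toy gateway that inspects every query and body parameter against a constructed, deliberately small SQL injection rule list, wraps the application handler, and returns the inspection time alongside the response. The rule list, sample requests and handler are all constructed for this example; a real gateway ships far larger and continuously updated rule sets.

```python
import re
import time
from urllib.parse import parse_qs, urlsplit

# Constructed, deliberately short inspection rules. A list this small misses
# many variants, which is exactly why a gateway alone is not a silver bullet.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b"),
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),
    re.compile(r"(?i)'\s*or\s*'[^']*'\s*=\s*'"),
    re.compile(r"(?i);\s*(drop|delete|insert|update)\b"),
    re.compile(r"--\s*$|/\*.*\*/"),
]

def inspect_request(url, body=""):
    """Return (allowed, reason) after checking every decoded parameter value."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    for name, values in params.items():
        for value in values:
            for pat in SQLI_PATTERNS:
                if pat.search(value):
                    return False, f"parameter {name!r} matched {pat.pattern!r}"
    return True, "clean"

def gateway(handler, url, body=""):
    """Sit in front of the app handler like a gateway does.
    Returns (status, body, overhead_seconds) so the added latency is visible."""
    start = time.perf_counter()
    allowed, reason = inspect_request(url, body)
    overhead = time.perf_counter() - start   # never 0: the checks had to run
    if not allowed:
        return 403, f"blocked: {reason}", overhead
    status, resp = handler(url, body)
    return status, resp, overhead

def app_handler(url, body):
    """Stand-in for the application server; it only sees requests that passed."""
    return 200, "ok"

# Constructed sample traffic: three benign requests and three that carry
# classic injection payloads a gateway is expected to stop.
SAMPLE_REQUESTS = [
    ("/items?id=42", ""),
    ("/items?id=42%20OR%201=1", ""),
    ("/search?q=red%20shoes", ""),
    ("/login", "user=admin'%20OR%20'1'='1&pass=x"),
    ("/items?id=1%20UNION%20SELECT%20username,password%20FROM%20users", ""),
]

def run_samples():
    """Status codes the gateway returns for SAMPLE_REQUESTS, in order."""
    return [gateway(app_handler, u, b)[0] for u, b in SAMPLE_REQUESTS]
```

The overhead figure is tiny here but nonzero, and grows with the size of the rule set and the payload, which is why vendors lean on dedicated hardware.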
Comparison
Some sites where different products are compared. They might not be accurate to date, but they are a good starting point.
http://transform.ca.com/API-Management-Platform-Vendor-Comparison.html
Some players
- https://www.okta.com
- Layer from CA
Is this the silver bullet?
There is no silver bullet in software engineering or in science. Whatever is best at the time and situation, adopt it. Embrace change when new and better ways are available.
If the application is highly sensitive and we bet on one gateway to protect it, it will not be a great solution, because that gateway might not be updated with our security requirements. For example, if a zero-day attack is found and the gateway vendor is not updating within days and releasing new versions, but our business needs it in the next hour, probably we should let our developers take care of security. Maybe we will soon end up building another gateway, but it is worth doing.
Update - 19Nov2019