Security and reliability become one for APIs in 2021

Posted on Tuesday, January 19, 2021 by FREEMAN LIGHTNER, Marketing Editor

Reliability -- especially for APIs -- is growing because our reliance on APIs is growing, while at the same time how we develop software has changed. Modern software stacks are written as a collection of microservices, with each service written in a type-safe language that better guards against low-hanging vulnerabilities. However, it also makes reasoning about how all the services may interact harder and harder. We expect appsec teams to increasingly orient to checking availability, especially on how malicious requests between APIs and microservices may bring down the overall application and business.

Security and reliability become one for APIs in 2021

You can’t have a secure product if an attacker can make it unreliable. While security has always included the CIA triangle -- confidentiality, integrity, and availability -- security teams have focused most of their effort on the first two. We expect this to change in 2021, with analysts predicting the API testing market to grow to $5.1 billion by 2023. -- Dr. David Brumley, co-founder and CEO, ForAllSecure


Infrastructure as code will be the next, big culprit: Will infrastructure as code lead to the next headline-breaking breach?

The benefits of Infrastructure as Code (IaC) are huge and have accelerated the way we do business by increasing innovation through greater productivity. IaC is a technique that truly embodies the DevOps philosophy.

That said, to date, the security side of IaC has been lacking, if not entirely overlooked. We hear about “shifting security left” but realistically, a true DevSecOps model has not been prioritized, and while many embrace the strategy, many fewer really know how to make the organizational changes to fully realize it.

This can leave organizations pursuing IaC for innovation and productivity open to more cyber risk than they realize, and, in turn, that risk could lead to a large-scale attack. Let’s face it. Because IaC can have a huge impact, given the power of the automation behind it, bugs in code—and IaC configuration files in this case—happen, and can also have an outsized impact.

Those unidentified or subtle bugs often occur when things are assembled from multiple developers or operations teams. Your CI/CD pipeline constructing the pieces of that puzzle can create infrastructure containing potentially exploitable misconfigurations or vulnerabilities. These issues will manifest in the gaps where nobody is looking, in the one piece that is missing, or in the one piece that doesn’t fit well with the others. Individual pieces of IaC may pass security tests, but the assembly of all those pieces may not. Naturally, the repercussions are vast. 

In 2021, we will see problems in IaC exploited in security incidents, so the security industry will be left with no choice but to take a hard look at better protective practices for IaC.

This will mean a true shift left: both demanding more of a CI/CD focus from security teams and insistence that security considerations become a real part of the CI/CD pipeline. We’ll also see a greater focus on tools that let developers see and fix configuration issues directly in code. -- PJ Kirner, co-founder and CTO, Illumio


Integration becomes imperative and will be added to every RFP: As a result of the explosion in apps, systems, and experiences, integration will be top of mind for every department.

Brands will have to ensure that processes are managed properly across disparate systems and that data -- and especially content -- is secure end-to-end. Enterprises will add integration considerations to every RFP and products that don't integrate will lose to products that do this well. -- Nishant Patel, co-founder and CTO, Contentstack

Copyright © 2024 by Moonbeam Development
