Securing Modern Applications and APIs: Why and How?

October 5, 2021 Pratik Roychowdhury

Today, we are thrilled to announce VMware Tanzu Service Mesh Enterprise, a new offering designed to help enterprises keep their modern applications and APIs secure. 

Any discussion about modern applications is incomplete without a deep dive into APIs. But what makes APIs so critical in the context of modern applications? Why is modern application security incomplete without API security? And how can one implement API security in a collaborative manner without compromising the promise modern applications offer, i.e., that of speed and agility? To answer these questions better, it is important to first start with some context on APIs and how they have evolved.  

APIs: Background and growth 

APIs today are a structured and somewhat standardized way to exchange information and data between distributed, heterogeneous components and microcomponents of an application, or between different applications, infrastructure components, users, and devices. To do so, APIs use different protocols, such as REST/JSON, GraphQL, gRPC, etc.; data protocols, such as MySQL, MongoDB, Redis, and more recently streaming and event-driven initiatives & protocols, such as AsyncAPIs, Kafka, etc.  

Now, if you look at a brief history of APIs, especially in the web 2.0 world of web applications, APIs were never meant to be exposed directly to the outside world on such a large scale. APIs were primarily the middleware used to connect users to data through web applications, which were quite well protected with web app firewalls. Over time, however, there was benefit in exposing APIs to other applications, users, and devices so they could integrate and interoperate with one another. This is what led to the growth of the API economy and the unprecedented scale of API usage as we see today. 

Data sourced from ProgrammableWeb and Akamai.

However, with the adoption of modern applications, APIs are used in many more ways than just connecting different applications. They are used when application functionalities are aggregated for third parties, such as partners or customers, to consume them using B2B integration APIs; when organizations’ line of business or product teams reuse components from one another using internal APIs; when multiple teams build microservices-based applications in an agile app development fashion, where the application components are built in parallel and interact with each other using east-west APIs; when applications go through their modernization journey, and part of the application that has been modernized interacts with the part that is still in legacy environment using intra-app APIs; when low-code or other applications leverage third-party SaaS APIs to extend their capabilities; or when an application leverages shared public cloud services (such as AWS S3) using cloud infrastructure APIs—just to name a few application patterns that use APIs extensively.

There are, of course, many more such application patterns that use APIs, such as streaming APIs or serverless functions, but the gist of it is that we are in a world where APIs are somewhat ubiquitous and indispensable. APIs are the central nervous system of modern applications, carrying critical information and data from one part of the application to another or from one application to another. As a result, when you think about securing applications, that cannot happen without first securing the APIs that connect them. 

Challenges of securing APIs 

But what makes APIs so vulnerable, and why is it a challenge to secure them? Well, firstly there are an exponentially large number of them. Imagine a Kubernetes application with hundreds or even thousands of pods and services—each managing half a dozen or more APIs—and suddenly we are talking about a huge and unmanageable number of APIs. Now add to that the fact that these microservices workloads (and hence the API calls) are ephemeral, running across clouds, written in a polyglot fashion, and using different protocols.... You get the idea. They are complex

Secondly, given that APIs were never meant to be exposed to the outside world, they were written by developers for developers in quick agile fashion, and security was never top of mind in their creation. As a result, APIs have inherent vulnerabilities and risks built within them, and those vulnerabilities and risks need to be detected and mitigated.  

Thirdly, attacks and breaches have gotten increasingly sophisticated, with many of them being perpetrated in the post-authentication and authorization phase. They are also deeper within the API data payload. So, not only is there a need to look at security beyond authentication and authorization, but there is also a need to look deep within the application and API data payload layer.  

And finally, when we think about APIs and their data, we are talking about data that is not at rest, i.e., data in motion. And, therefore, when securing APIs, all the data processing that is required to detect and mitigate threats, has to happen in real time, without introducing latency to the application and API traffic.

All this makes API security challenging—and APIs riskier and more vulnerable. There is risk from not being able to see all the API interactions of an application and how they change over time in the ephemeral world of modern applications. There is risk from sensitive data that the APIs handle, and the risk from compliance exposure, data exfiltration, or data sovereignty breaches. And of course, there is risk from a plethora of API vulnerabilities and how they are exploited, such as OWASP API top 10, API DDOS fan-out, zero-day API attacks, stolen credentials, perimeter breaches, lateral movement of breaches, data leak at the egress, or resource hijacking, just to name a few.  

Mitigating these risks is an essential—yet clearly daunting—task, especially in the face of the underlying complexity that these modern applications bring. And the need of the hour is a solution that uses a modern architecture, works in heterogeneous environments, mitigates risks that are embedded deep within the application, and does all this in a performant and scalable manner across multi-cloud environments, but without compromising speed and agility.  

Enter Tanzu Service Mesh Enterprise  

VMware Tanzu Service Mesh Enterprise extends the capabilities of Tanzu Service Mesh by offering API security, observability, and compliance for modern applications. It has a modern architecture with a logically centralized control plane and a distributed data plane and works for different kinds of platforms and environments.  

It leverages the abstraction of Tanzu Service Mesh’s Global Namespace (GNS) construct, to offer discovery, detection, and behavioral security and observability capabilities across multi-cloud environments. GNS allows a define-policy-once-and-apply-everywhere kind of security paradigm. 

Tanzu Service Mesh Enterprise first discovers the components of the application—APIs (REST/JSON), PII data, and application users (based on their user ID or token). 

It then learns the behavior of the application and creates a baseline of “normal behavior” in terms of what services constitute the application, what APIs and data they exchange, and which users access those services, APIs, and data. 

Once this learning (or baselining) is complete, it can detect any drifts or deviations, from that “normal behavior” and report it back to the admin (whether a Dev, DevOps, or SecOps personnel). For example, if there is a rogue workload that shows up and starts accessing APIs and data, the admin will immediately know about it. This lets the admin block or allow traffic and create policies in an automated fashion. The admin can further create additional granular policies that offer API and data segmentation, OWASP 10 attack defense, schema validation, geofencing, data compliance, and egress controls. 

All of this generates a huge amount of information that is collected, processed, and turned into meaningful insights in the form of analytics, event alerts, and transaction logs.

Now, you might be wondering, “All those are great features and capabilities, but is Tanzu Service Mesh Enterprise for me?” 

Is Tanzu Service Mesh Enterprise for you? 

If you are an application operator running a modern, distributed, multi-cloud application in your pre-prod or production environment, you might be asking yourself these questions: 

  • Do I know all the services and APIs actually running in my application environment, right now? And do I know how this changed from an hour ago, a day ago, a week ago?  

  • Are there rogue workloads that are spun up and are accessing APIs and data?   

  • Are there APIs that are still in use but should have been deprecated?  

  • Are there third-party APIs that my applications are accessing? If so, are they malicious? If they are, how can I block them?  

  • Are there any breaches to my modern application? If so, how do I detect and mitigate them? 

  • Do the applications handle PII or sensitive data? If so, which services or microservices? Which APIs? Are they violating data sovereignty policies? Is there a risk of data theft? Can I block them?  

Or if you are an application developer who has built your applications and created some build artifacts and now want to test your application, perhaps you are wondering: 

  • Are there vulnerabilities within my application APIs that I have not uncovered and that might show up in production?  

  • Is my application behaving the way my API spec tells it to behave? 

  • Am I violating data compliance because my app handles sensitive data that my operations team is not aware of? 

  • Are there malicious domains my application is reaching out to that I am not aware of because I might have leveraged code from another module? 

  • How do I securely connect all the parts of my application with end-to-end encryption and zero-trust security across clouds? 

  • How do I constantly monitor the service-level objectives of my apps and adjust my app to meet them?  

If these sound familiar, then yes, Tanzu Service Mesh Enterprise is absolutely for you.  

And with the White House executive order earlier this year, you need to ensure that security and zero-trust are implemented in all environments, including APIs. 

As we move to this modern applications and API-first world, security of the new network endpoint, namely API, becomes extremely critical. And that is exactly what Tanzu Service Mesh Enterprise offers. It helps you by providing deep observability of your application environment. It provides defense against threats in your production environment. It also lets you uncover those API vulnerabilities in your CI pipeline during the app SDLC process, so you can fix them early in the development lifecycle. And finally, it helps you uncover any data-related issues, such as exfiltration or theft, when running your application in production.

VMware is doing its part to help make your modern applications secure and compliant, so that you can focus on the other aspects of your business operation. 

Stay agile. Stay secure.

Protect Cloud Native Applications from Log4Shell with VMware Tanzu Service Mesh
Protect Cloud Native Applications from Log4Shell with VMware Tanzu Service Mesh

Tanzu Service Mesh protects modern cloud native apps from Log4Shell exploit attempts with advanced applicat...

Securing Modern Applications and APIs: Whose Job Is It, Anyway?
Securing Modern Applications and APIs: Whose Job Is It, Anyway?

Sitting within the VMware Tanzu Service Mesh's Global NameSpace construct, Mesh7’s API security and observa...