When an end user thinks of a modern application, they expect a user-friendly offering, one that works on any device, from any location, and that delivers constant innovation. To deliver on that expectation, under the hood there are a large number of distributed components (and micro-components) running heterogeneous workloads on hybrid environments. They are written by many different teams, in a polyglot fashion, and access SaaS or public cloud data stores, are integrated with third-party services, and deliver well-defined service-level agreements and objectives (SLA/Os) to enable an unmatched end user experience, anywhere. In other words, modern applications are built with speed and efficiency, but have heterogeneity and immense complexity within.
Role of APIs within modern applications
What glues all these different distributed and heterogeneous components of modern applications together are APIs. Over the years, APIs have evolved from being a simple way to monetize applications or integrate with other applications, to extending application capabilities by leveraging third-party services, to provisioning infrastructure in minutes (often referred to as "infrastructure-as-code"), to becoming the data plane—essentially the central nervous system—which carries critical information and data from one part of the application to another. In other words, APIs have become an essential and core component of modern applications. As such, managing and securing modern applications cannot take place without managing and securing APIs.
Modern application security is a shared responsibility
As the number of workloads grows exponentially larger, the number of APIs between them grows as well. What makes managing and securing APIs even more difficult is the ephemeral nature of the workloads themselves. All of this, in turn, introduces risk to the applications—the risk of not knowing what is running within the environment (lack of observability); the risk of breaches, exploitation of vulnerabilities, and resource hijacking; and the risk of losing critical and sensitive data (data exfiltration). So whose job is it to mitigate these risks?
Is it the app owners’ responsibility, given that they have the deepest knowledge of the application structure, the business logic, and the APIs consumed and developed? Or is it the responsibility of the security operators, since they are ultimately responsible for protecting all of the critical data, resources, and environments?
The answer to this question lies somewhere in between. Security for modern applications is a shared responsibility among application owners, application operators, platform teams, and security operators. As an application developer, you are required to write secure code using best practices, consume APIs and services that are scanned for vulnerabilities, publish APIs that are written and well documented with security in mind, and incorporate security testing in your development process. As an application operator, you are required to provide the developers with the necessary security tools, properly vetted services, and API portals to ensure that security is implemented early on in the software development lifecycle, and to then observe the application behavior for security, compliance, or SLO violations once they are deployed. And everyone must do their part without compromising either the speed or the efficiency that are the hallmarks of modern applications.
API security within the GNS
This is where Mesh7, VMware’s recent acquisition, offers value. Sitting within the VMware Tanzu Service Mesh's GNS (Global NameSpace) construct, Mesh7’s API security and observability solution offers value to both application operators and developers. It thereby caters to the DevSecOps collaboration use case, which is an essential requirement of modern application security. There are also several other use cases and capabilities that Tanzu Service Mesh and Mesh7, respectively, address and offer, as well.
Stay tuned for more in this space!