Security is an afterthought in tech, like it or not. Engineers often say security should be a priority, but they rarely take actionable steps toward it in their everyday work.
At its best, security is a sentinel, invisible and continuous, watching over data and alerting you to threats, breaches, and incidents. When you create and enforce security policies, you begin to manage the risk that already threatens your company's products, APIs, and services, whether you know it or not. It has become apparent that tech companies must secure every component of their systems.
Application programming interfaces (APIs) are an often overlooked attack vector, even though they are how most modern applications transfer data to external users and internally between services. Most companies have adopted software architectures such as microservices, which emphasize distributed systems, and tools like containers, which make applications more ephemeral in nature. Serverless, a fully managed model in which you write functions and pay only for execution time, continues to grow in adoption and relies heavily on APIs.
The short-lived and dispersed nature of modern applications makes traditional security practices, many of which were manual, ineffective. Instead, organizations must adopt modern security practices and automation to secure APIs with appropriate techniques, catch security incidents before they become critical, and alert the appropriate engineers in as close to real time as possible.
Much of modern security moves away from the manual work of traditional processes and adopts automation for continuous testing, scanning, monitoring, and alerting. This doesn't mean humans are removed from security; instead, they have better tools to discover and remedy vulnerabilities in near real time.
About This Book
This book is a high-level introduction to the key concepts of API security and DevSecOps. It's meant to be an amuse-bouche on your security journey and to equip you with the knowledge to make decisions as you set security practices for your engineering organization.
As you read this book, you may find your interest piqued by specific attack vectors or by modern approaches to securing systems. That's great! I encourage you to seek out additional information from the plethora of resources on modern API security, DevSecOps, and application security.
In addition to a number of automation tools, Data Theorem offers regular webinars and resources on API security to empower you to make the best decisions for securing your applications and systems.