API and modern application security

There’s been a lot of discussion in the cybersecurity industry about API security and the need for the OWASP API project.

Part 1 in a 3-part series

Jyoti Bansal

Before we understand why API security is one of the most important aspects of modern application security we first need to define and understand modern application security. And before we can define and understand modern application security, we have to understand how modern applications are different from traditional applications. Well, that sounds like we need a blog series. And just like that, we have one.

In this first part, let’s call it Part I, we’ll compare traditional and modern application architectures. In part 2 we’ll dive into modern app security and outline the requirements needed to protect modern applications. And last but not least, in part 3 we finally get to API security.

Without further ado, let’s get into part 1.


Traditional vs. modern applications

Let’s start with a quick refresher on the “Traditional” application architecture so we’re all on the same page. 

  1. There was hardware. Servers with operating systems and software running on them and networking gear and storage. This was all hosted in a private or co-located data center.
  2. There were a few web servers behind a load balancer. The web servers talked to the app servers which in turn talked to databases hopefully running on a different server.
  3. There were firewalls, DMZs, yada, yada, yada.
  4. Then there was the client. The client talked to port 80. It was a simpler time. And SSH.

You get the picture. Now, fast forward to today and we’ve got what is currently referred to as modern, cloud-native application architectures! Let’s take a look:

  1. Microservices, tons of them, running in a public cloud, probably in a Kubernetes cluster.
  2. Microservices are talking to each other, chatting with 3rd party services and getting data from at least two different datastores.
  3. There are firewalls.
  4. There are the clients. Browsers, native apps, JavaScript snippets, and other internal and 3rd party services. And SSH.

Yes, there are lots of differences. Check out this comparison list:

The Cloud: Modern applications live “in the cloud”. Cloud providers offer different levels of abstractions (IaaS, PaaS, SaaS) but long story short, these apps run in the cloud. 

Business Logic is Highly Distributed: Applications are decentralized with business logic spread across services.

Microservices: Large applications are broken down into smaller components or services.

Deployment Orchestration: Containers and Kubernetes (K8S) make it easier to connect and manage large numbers of microservices. 

Continuous Integration / Continuous Delivery (CI/CD): Software teams develop features using agile methodologies and continuously deliver new code to production.

DevOps: Developers and operations work together to manage and operate the application and development toolchain. 

Data Volumes: There’s no shortage of useful data these days and it comes in many shapes and sizes that require more databases than your standard RDBMS (sorry Oracle). 

Cloud / 3rd Party Services: Not all application functionality needs to be created in-house. Most apps integrate 3rd party services, using APIs, to beef up application functionality without reinventing the wheel. Or the storage bucket.

Clients have differences too!

Devices became more powerful: When I was a kid, iPhones only had 1 camera! What a time.

Client Varietals: Today there are more types of clients - from traditional web browsers to native mobile apps to (purposely) exposing your own APIs to other developers.

Client Muscle: Modern frontend frameworks (Angular, React.js) allow developers to write complex logic that runs efficiently in the client. Clients now render visual components that used to render server-side.

More Calls, More Parameters: Clients maintain user state locally and trigger API calls when data or an action is needed. This is done at the component level rather than the page level, so the number of calls is higher and the number of parameters sent to the server is higher as well.

In part 2 of our series we cover the security requirements for modern applications.
