API Security's James Webb Moment
It's not what you don't know that gets you into trouble. It's what you know for sure that just ain't so. We have been largely unaware of the totality of our attack surface, trusting legacy security tooling to give us a false sense of security. Today, APIs make up the vast majority of traffic, yet they go largely undetected because our proverbial telescope cannot spot them. Where it does "see" them, it lacks the context needed to interpret their behavior.
If we look at the Hubble photo below, showing the star-forming region in the Carina Nebula in optical light, it is very difficult to see what is going on inside these collapsing pockets because of all the surrounding space dust. To a conventional optical telescope, dust acts like a thick curtain.
Infrared light, unlike visible light, passes through that dust. We therefore need a telescope sensitive enough to pick up the infrared light coming from the star-forming pockets, and the JWST can do exactly that, with spectacular resolution on top.
It is clear that the extra detail is not only due to the increased sensitivity, but also to the extra information that is simply not retrieved with the Hubble telescope. Take a look at the dark regions on the Hubble photo. These regions are not empty or passive. They are simply opaque to Hubble’s camera, and hence the telescope does not see what goes on in these pockets. But in the JWST photo, you see a plethora of activity in these otherwise dark and hidden regions.
Similarly, relying on your WAF (the Hubble telescope) to provide API security will leave you with blind spots and false negatives. Because APIs mostly use the HTTP protocol and HTTP methods to communicate and exchange data between systems, it is no wonder we started with a familiar tool, the WAF. But it is now clear, as the weekly public API breaches show, that this is not the way forward.
An API security platform provides the "extra" information, or context if you will, needed to understand how the APIs are being used, what their security posture looks like, and how to spot misuse. The information from the WAF is still useful, but it can be extended to look deeper into the API transaction (JWST) rather than only the HTTP transaction (Hubble).
Senior Solutions Engineer @ Akamai Technologies | Pre-Sales
1 year
I love this!

Enterprise Sales @ Akamai API Security
1 year
Great comparison!