On Stranger Tides: API and Container Security Part 2

Alissa Knight
8 min read · Jun 13, 2019

Rise of the API Security Gateway

In the first article of our series, I demystified microservices, containers, monolithic applications, Docker, and Kubernetes. In this second article, I will explain the distinction between API management gateways and API security gateways in securing APIs.

After reading Part 1 in this series, you should have a better understanding of how APIs are deployed. Understand that APIs can be internet-facing (north-south) or internally facing, for example inter-departmental (east-west).

APIs can be secured using different security controls. By far the worst approach you can take is to secure them with a web application firewall (WAF), treating them like a web application. Unlike their network firewall cousins, WAFs are firewalls purpose-built to interdict HTTP traffic and identify common types of attacks targeting web applications, such as cross-site scripting (XSS) and SQL injection (SQLi).

I’ve met many a CISO who mistakenly believed that the way to properly secure their APIs is through WAFs, which couldn’t be further from the truth. While yes, HTTP is the protocol used by API consumers to communicate with API providers, a WAF does not apply context to the inspection (a la Sentinel One in EDR) of that API traffic nor does it provide security around…
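To make the "no context" point concrete, here is an added illustration (not code from the article or from any product it mentions) contrasting a WAF-style signature check with a check that knows the API's contract. The endpoint schema, the signature patterns and the sample requests are constructed for this example.

```python
import re

# Constructed sample API contract for one endpoint: the fields a client may
# send and the type each must have. An assumption for illustration only.
ORDER_SCHEMA = {"product_id": int, "quantity": int}

# Signature-style rules of the kind a WAF applies to any HTTP body, with no
# knowledge of which API sits behind it (generic SQLi / XSS patterns).
WAF_SIGNATURES = [
    re.compile(r"(?i)\b(union|select|insert|drop)\b.*\b(from|into|table)\b"),
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),
    re.compile(r"(?i)<\s*script"),
]


def waf_inspect(body: dict) -> bool:
    """Context-free check: True if any body value matches a known attack signature."""
    flat = " ".join(f"{k}={v}" for k, v in body.items())
    return any(sig.search(flat) for sig in WAF_SIGNATURES)


def api_gateway_inspect(body: dict, schema: dict) -> list:
    """Context-aware check: return every way the request departs from the contract.

    The gateway knows which fields this endpoint accepts and what type each
    must be, so it flags extra fields, missing fields and wrong types even
    when nothing in the request resembles a classic web attack payload."""
    problems = []
    for field in body:
        if field not in schema:
            problems.append(f"unexpected field '{field}'")
    for field, expected in schema.items():
        if field not in body:
            problems.append(f"missing field '{field}'")
        elif type(body[field]) is not expected:
            problems.append(f"field '{field}' should be {expected.__name__}")
    return problems


# Constructed sample requests.
CLASSIC_SQLI = {"product_id": "1 OR 1=1", "quantity": 1}          # both checks flag this
OUT_OF_CONTRACT = {"product_id": 42, "quantity": 1, "price": 0.01}  # WAF passes; field not in contract
WRONG_TYPE = {"product_id": "42", "quantity": "one"}             # WAF passes; types wrong

if __name__ == "__main__":
    for name, req in [("classic_sqli", CLASSIC_SQLI),
                      ("out_of_contract", OUT_OF_CONTRACT),
                      ("wrong_type", WRONG_TYPE)]:
        print(name, "| WAF blocks:", waf_inspect(req),
              "| gateway violations:", api_gateway_inspect(req, ORDER_SCHEMA))
```

Only the first request trips the signatures; the other two sail through the WAF and are caught solely because the gateway knows what this endpoint is supposed to accept.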

Written by Alissa Knight

Hacker | Cybersecurity Content Creator | Influencer | Published Author