This is the first article in a 2-part blog series outlining how application security has changed (or needs to change). Before I get into the article, let me give you a little background on myself. I am currently the Head of Security Research at Traceable but my personal journey with application security started long ago. My journey has had three stations so far: the first one was in middle school as a script kiddie, where I found myself studying vBulletin exploits and building phishing pages; the second station was serving in the Israeli Defense Forces, where I performed penetration tests for the most critical systems; and the last one was in a form of a one-way ticket to Silicon Valley, on my way to work with top startups and tier one companies.
During these 13 years, I’ve been watching the application development field change from one end to the other with new technologies coming and going. Accordingly, in order to stay relevant in the industry, I had to adapt my perspective on application security and my methodologies in understanding the new threats.
While creating the “OWASP API Security Project” as project co-leader, I tried to define exactly what “Modern Application Security” means, and the role API security plays in it. This blog series will humbly walk you through those research questions, thoughts, and conclusions.
In this first article, I focus on reviewing the most significant changes in application development over the last several years. Understanding how applications have evolved is instrumental in knowing how application security must also evolve.
There have been many changes in application development, but let’s focus on summarizing the more relevant ones that impact security:
This is an example of a backend in traditional applications:
Applications used to live in on-premises and self-hosting environments. They were self-contained and independent. The IT engineers would conduct this orchestra, and the pace used to be, well, pretty slow.
Now, here's what a backend might look like in a modern application:
Today, applications live in the cloud, they are loosely coupled and spread out. Things tend to be much more flexible and scalable thanks to the DevOps Wizard and the Three Scalability Musketeers — SaaS, Agile & Kubernetes.
Some major changes worth mentioning:
This is how regular data flowed in traditional applications:
The client used to be pretty simple, and it had a few main responsibilities: receiving and handling prepared visual HTML pages sent from the web server and showing them to the user; Updating the web server about the user’s state.
Now, this is the regular flow of data in modern applications:
Today, things look very different: the rendering component moved from the server to the client; The client app fetches very specific pieces of data and renders visual components locally on the client device; The client app receives raw data in the format of JSON instead of HTML pages.
On top of that, a few other things have changed dramatically.
API standards such as REST and GraphQL were born out of necessity. They fulfill different needs of modern applications and play a fundamental role in those applications.
Based on the concepts we discussed, let’s try to understand how REST and GraphQL support new concepts in modern applications.
Many exciting changes have happened in the last few years within the field of application development. It’s an exciting time to be a developer and create sophisticated distributed applications, but even more so, to be a security engineer and protect/break them :)
Next, read Part II where we discuss how the mentioned new changes impact application security, and why the new characteristics of modern applications make them such attractive targets for attackers.
Recommended reads.
PartII: API Security in Modern Applications
PartII: API Security in Modern Applications
An introduction to anomaly detection in the context of distributed tracing.
An introduction to anomaly detection in the context of distributed tracing.