Web applications are nothing new. Neither is web application security. Many businesses have been building and securing web-based applications for more than a decade.
Yet, over the past several years, the nature of web applications has changed fundamentally. Monolithic applications hosted by individual web servers have been replaced by containerized, cloud-native applications that are distributed across a cluster of host servers. According to O’Reilly, more than three-quarters of businesses have now pivoted to microservices as the go-to means of designing applications. Microservice architectures not only introduce additional security complexities but also, since they require orchestrators like Kubernetes®, lead to larger tech stacks, which in turn increase the attack surface.
At the same time, APIs—which have also existed for decades but have never been as central to applications as they are today—have become increasingly critical for connecting web applications to external resources, as well as for managing internal communication. The average application now depends on between 10 and 15 individual APIs, TechCrunch reports. APIs also expand the attack surface of web applications and increase security challenges surrounding authentication, authorization, and data privacy.