API Gateways & API security — Breaking The Illusion!
Many organisations running API programmes take a strategic approach that includes API gateways (API GWs) in their overall solution stack.
Most of these API GWs include security features such as authentication & authorisation. It is highly recommended that organisations use such security features without fail!
However, restricting oneself to only these security defences and feeling secure about one's APIs is nothing short of an illusion!
Why is it an illusion?
While API gateways do provide some security defence for your APIs, they are always limited by the very nature of what they can see & do!
An API GW only has visibility & control over the APIs that have been configured in it. Those that haven't been remain undetected & open to exploitation!
The authentication support from an API GW is limited. Most API gateways cannot inspect an in-flight request's payload, nor can they profile behaviour to detect API misuse!
Another limitation of API gateways is their inability to distinguish what constitutes a security attack from what doesn't! This is largely due to their limited API observability capabilities!
Also, think about what happens when an API is under attack: how fast can one detect such an attack and, more importantly, mitigate the threat? Such capabilities are quite limited in existing vanilla API gateways.
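A defender-side illustration of the first two limitations above (APIs the gateway was never configured for, and the lack of behavioural profiling), added here as an example and not taken from the original post: it reconciles a backend access log against the gateway's route inventory to surface endpoints the gateway never sees, and counts per-client requests per route to flag misuse. The route list, the log lines and the log format are constructed sample data.

```python
import re
from collections import Counter

# Routes the gateway knows about (constructed sample). Only these are covered
# by the gateway's authentication and authorisation policies.
GATEWAY_ROUTES = {
    ("GET", "/api/v2/orders"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/{id}"),
}

# Constructed backend access log in a hypothetical
# "<client> <method> <path> <status>" format.
BACKEND_LOG = """\
client-a GET /api/v2/orders 200
client-a GET /api/v2/orders/41 200
client-b GET /api/v1/orders 200
client-b GET /api/v2/internal/export 200
client-c GET /api/v2/orders/7 200
client-c GET /api/v2/orders/8 200
client-c GET /api/v2/orders/9 404
client-c GET /api/v2/orders/10 404
client-c GET /api/v2/orders/11 404
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")

def normalise(path):
    """Collapse numeric segments so /orders/7 and /orders/8 map to one route template."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def parse_log(text):
    """Return (client, method, route_template, status) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, method, path, status = m.groups()
            records.append((client, method, normalise(path), int(status)))
    return records

def unmanaged_routes(records, known=GATEWAY_ROUTES):
    """Routes the backend actually served but the gateway has no configuration for."""
    return sorted({(m, r) for _, m, r, _ in records} - known)

def suspicious_clients(records, max_per_route=3):
    """Clients whose request count on a single route exceeds the baseline for this window."""
    counts = Counter((c, m, r) for c, m, r, _ in records)
    return sorted({c for (c, m, r), n in counts.items() if n > max_per_route})
```

Running `unmanaged_routes(parse_log(BACKEND_LOG))` lists the two routes the gateway never sees, and `suspicious_clients` flags the one client hammering a single route; in practice the baseline would come from historical traffic rather than a fixed number.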