3 Comments
deleted · Apr 16, 2023 · Liked by Tyler Shields
Comment deleted
author

I agree, Jeff. Well spotted and well said. There are lots of ways to slice and dice the application of API security. I looked primarily at an operational, SOC-style protection of applications. We cannot and should not ignore the shift-left discussion. Specifically, we can get to the root of the issue by implementing API security at the stages that you suggest, making operational API security more of an overlay of risk reduction. Both must be present, but the order in which we do them is up for debate.


Agree. I’m not a big fan of the “shift left” idea. I’m hearing a lot of blowback from firms that tried a “dev-centric” approach and got an avalanche of false positives because as you move left you lose context. Suggest you “shift smart” to where effort is most cost effective, accurate, fast, scalable, etc…

If you revisit this topic, check out what instrumentation-based runtime protection can do on the protection side of things. We protect hundreds of thousands of APIs at major firms and have been at it for 8 years.

author

I've always loved the instrumentation-based side of application protection. One of the players I mention in the report does some instrumentation-based protection, but it's such a grey area with regard to the type and quantity of the telemetry being analyzed. It's also a function of how you position and whether you lean into that message or not.
