42Crunch this week announced at the RSA Asia Pacific and Japan 2019 conference that it has extended its namesake firewall for application programming interfaces (APIs) to Kubernetes.
Dimitri Sotnikov, vice president of cloud platform at 42Crunch, says given the number of APIs being created within containerized applications, a new approach to securing those applications is required. The 42Crunch API Firewall provides IT organizations with access to a 20MB micro firewall that can be attached as a sidecar to a containerized application, he says.
That approach allows organizations to apply a zero-trust model to API access, because only services that have been white-listed are allowed through, with only sub-millisecond overhead, says Sotnikov. Better still, micro firewalls also eliminate the reliance on manually written policies for legacy web application firewalls, which were never designed to meet the performance requirements of cloud-native applications based on microservices, Sotnikov says.
Micro firewalls also make it easier to adopt DevSecOps best practices, he adds, because developers can programmatically attach a micro firewall to each API. DevOps teams can also scan live API endpoints to discover potential vulnerabilities and deviations from the API contract, in addition to running more than 200 security audit tests based on controls defined in the OpenAPI specification, formerly known as Swagger.
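As an added illustration of the decision such a sidecar makes, the following example enforces an API contract positively: a call is allowed only if the caller is allowlisted and the method, path and parameters match what the OpenAPI document declares. This is example code written for this article, not 42Crunch's product code; the OpenAPI fragment, the caller allowlist and the service names are constructed.

```python
import re

# Constructed OpenAPI fragment: a hypothetical contract, not 42Crunch's.
SPEC = {"paths": {"/orders/{id}": {"get": {"parameters": [
    {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}},
    {"name": "verbose", "in": "query", "required": False, "schema": {"type": "boolean"}},
]}}}}

# Services allowed to reach this workload (constructed allowlist).
ALLOWED_CALLERS = {"checkout-svc", "billing-svc"}

# Checks for the schema types the constructed contract uses; values arrive as strings.
TYPE_OK = {
    "integer": lambda v: re.fullmatch(r"-?\d+", v) is not None,
    "boolean": lambda v: v in ("true", "false"),
}

def match_path(template, path):
    """Turn '/orders/{id}' into a regex; return captured path params or None."""
    pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
    m = re.match(pattern, path)
    return m.groupdict() if m else None

def check_request(caller, method, path, query):
    """Positive-security decision: allow only what the contract describes."""
    if caller not in ALLOWED_CALLERS:
        return False, "caller not allowlisted"
    for template, ops in SPEC["paths"].items():
        path_params = match_path(template, path)
        if path_params is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, "method not defined for path"
        declared = {p["name"]: p for p in op.get("parameters", [])}
        # Query parameters the contract never declared are rejected outright.
        unknown = set(query) - {n for n, p in declared.items() if p["in"] == "query"}
        if unknown:
            return False, "undeclared query parameter(s): " + ", ".join(sorted(unknown))
        for name, p in declared.items():
            source = path_params if p["in"] == "path" else query
            if name not in source:
                if p["required"]:
                    return False, "missing required parameter " + name
                continue
            if not TYPE_OK[p["schema"]["type"]](source[name]):
                return False, "parameter " + name + " violates schema type " + p["schema"]["type"]
        return True, "request conforms to contract"
    return False, "path not in contract"
```

Each rejection reason names the contract clause that failed, which is what an audit or detection pipeline would want logged from the sidecar.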
42Crunch developed its API Firewall when it became apparent that providers of API management platforms were not interested in cybersecurity that dealt with anything beyond trying to limit a distributed denial of service (DDoS) attack, Sotnikov says. What providers of those platforms did not fully appreciate is that within the context of a distributed microservices application, all the calls within that application are being made across a public network and not within the confines of a single machine, he notes.
Despite the fact that API firewalls are intended to be implemented by developers, Sotnikov says it’s critical to make sure cybersecurity teams are still part of the DevOps process. Cybersecurity teams play a critical role in not only defining what controls need to be implemented but also validating that those controls have been implemented before an application is allowed to be deployed in a production environment, he adds.
It’s still clearly early days as far as adoption of DevSecOps best practices is concerned. However, given the chronic shortage of cybersecurity professionals, it’s apparent a new approach to cybersecurity is now required. Developers need to assume more responsibility for implementing cybersecurity controls as part of the quality assurance process. Fortunately, most developers are open to taking on more responsibility for cybersecurity as long as it doesn’t overly impede the rate at which applications are being developed. The challenge organizations now face is finding a way to give developers the tools they need to achieve that goal instead of merely shifting responsibility away from cybersecurity teams, Sotnikov says.
It’s now only a matter of time before the rise of microservices-based applications running on Kubernetes clusters forces the tools issue inside most organizations.