API Security and MySQL — A match made in Hell

What do API Security and MySQL have in common? Not much one hopes, especially if you are responsible for implementing enterprise-wide API Security.

When picking any security product, particularly an API Security Gateway, an enterprise should carefully evaluate the architecture and components of the product that it’s purchasing. If the components such as Operating System, PKI security stack and policy storage mechanisms are not secure, then an enterprise is increasing its API attack surface area rather than mitigating it through an API Security Gateway.

And please don’t have your security policies stored in a database such as MySQL — a prime target for hackers. If you security policies are stolen, your entire enterprise API ecosystem is compromised.

Alexei Balaganski‘s article — “The Cargo Cult of Cybersecurity” — critiques our false sense of security. We spend billions of dollars (120 Billion in 2017) on cybersecurity products that are poorly developed, improperly or never deployed, and rarely tested by a third party. By doing so, we are creating a false sense of security.

Here is an excerpt from Alexei’s article:

However, the exact reason for my today’s rant is somewhat different and, in my opinion, even more troubling. While reading the documentation for a security-related product of one reputable vendor, I’ve realized that it uses an external MySQL database to store its configuration. That got me thinking: a security product is sold with a promise to add a layer of protection around an existing business application with known vulnerabilities. However, this security product itself relies on another application with known vulnerabilities (MySQL isn’t exactly known for its security) to fulfill its basic functions. Is the resulting architecture even a tiny bit more secure? Not at all – due to added complexity it’s in fact even more open to malicious attacks.

For complete article, see: The Cargo Cult of Cybersecurity.”