Adrian Lane and I have a new research paper out on API Gateway Security. I really enjoyed working on this piece, because API Gateways bring all the talk that "security must be an enabler" front and center. APIs are an enabler, and businesses are going that way: exposing your data and app functionality to any device, anywhere, and for use cases you never thought of before. Certainly your mainframe and your backend Unix servers were never designed with this in mind.
"Picture a team of developers sitting around a conference room table with your security team. What are they really asking?
What do we want?
API Access!
When do we want it?
Now!"
This leaves some hard choices for security pros. It's not a question of whether or not your business is publishing APIs; they are. The question is: do you have a plan to secure them? Oh, by the way, you have 6 weeks.
Paper is here.