How to Get Started With Application Security
With a comprehensive security stack, Akamai’s application security solutions defend your entire ecosystem from threats. But before you can reap the benefits that come with application security, you need to create a configuration with Akamai’s APIs. Our Developer Advocacy team is here to walk you through the process so you can achieve Infrastructure as Code — or, as we like to call it here, Akamai as Code.
Akamai as Code has the ability to support all the DevSecOps practices you know and love, such as automating repetitive tasks and streamlining configurations and workflows, along with reducing manual work and errors.
In this post, we’ll introduce you to Akamai, share popular use cases, and show you how to interact with application security using Akamai Developer tools. Then, you’ll be one step closer to end-to-end protection.
Introduction to Akamai
Since Akamai’s founding in the late 1990s, we’ve established a reputation as a trusted content delivery and cybersecurity provider for some of the largest companies in the world. Over the years, our customers have included financial services companies, banks, and many of the Fortune Global 500. Customers throughout the following industries rely on our security solutions to protect their assets and keep end users secure:
Financial services
Government
Manufacturing
High technology
Media
Entertainment
Gaming
Digital commerce
Retail and hotel
Travel, airline, and cruise lines
Akamai’s products and services range from content delivery to edge computing, but the offering most applicable to today’s post, of course, is security. Our security portfolio is split into three main branches:
- Application Security: Our application security portfolio consists of application and API protection to stop content corruption, site takeover, theft, and formjacking. It also includes fraud prevention solutions designed to guard against site scraping, user account takeover, and credential abuse.
- Network Security: Our network security branch consists of infrastructure protection and access control. Infrastructure protection is designed to stop distributed denial-of-service (DDoS) attacks, protecting against resource exhaustion and site takedown. Access control helps prevent the spread of malware, phishing exploits, or data theft inside your enterprise solutions.
- Security Services: Security Services is a team of Akamai experts who can advise you on how to best use our security solutions to protect against and mitigate threats. Through Akamai Developer, we offer a rich toolbox and a developer-friendly, transparent, and easy-to-use platform.
How application security works
Over recent years, web application attacks have evolved considerably, becoming more targeted and automated. To guard against these attacks, organizations need a source of control for web application and API protection security. Application security offers exactly that — a complete range of solutions to protect against web application and API threats, including:
Network Lists: With Akamai network lists, you can block traffic from specific IP addresses, subnets, or geographic areas
Rate Controls: Akamai offers layer 7 DDoS protection for web application resources and API endpoints, as well as content delivery and caching controls, to protect against large, volumetric attacks
Web Application Firewall: Akamai protects against different types of web application attacks — including malicious file execution, SQL injection, and cross-site scripting — with our Web Application Firewall ruleset and adaptive security intelligence
API Protection: Akamai offers API controls to keep your APIs and microservices secure
Client Reputation: Based on the previous behavior of individual and shared IP addresses, Akamai generates a client reputation score, indicating the likelihood that an IP address falls into a malicious category
Bot Manager: Using telemetry data, Akamai’s bot management solution distinguishes between human and bot behavior, allowing application access to good bots while stopping malicious bots
Client-Side Protection & Compliance: Akamai Client-Side Protection & Compliance prevents user account takeover, protects browsers, and achieves page integrity by protecting websites from JavaScript threats
Underlying these solutions is the Akamai Intelligent Edge Platform, the largest edge platform in the world. The Akamai Intelligent Edge serves as a reverse proxy for web traffic, only accepting visitors via port 443 (HTTPS). Port 80 (HTTP) is also open for traffic, but is of course less secure. Through the use of Akamai edge servers, the platform connects web applications and API clients to your own applications.
With more than 4,200 locations across the globe, Akamai edge servers are often in close proximity to end users, and have the scale necessary to stop the world’s largest and most distributed attacks at the edge. Every server has the ability to inspect web traffic to defend against DDoS attacks, web application attacks, and API-based attacks — while simultaneously allowing access to legitimate users.
Finally, because Akamai has visibility into some of the most frequently attacked organizations and industries, we have valuable crowdsourced threat intelligence that allows us to proactively and predictably stop the most sophisticated and targeted attacks. The best part? None of this adversely impacts performance.
You can use Postman to implement and integrate with the application security API endpoints. (You’ll need Akamai credentials to do so.)
Using Postman to interact with the application security API
Postman’s API platform offers a rich user interface that easily allows you to send requests to Akamai API endpoints. Three concepts in particular make the integration process even simpler:
Collection: Akamai offers an application security API collection for Postman, containing a series of folders. Inside the folders are specific requests you can make, like creating, reading, updating, and deleting operations for whichever application security solution you happen to be using.
Environment: You also have an environment that comes with different variables. The variables include Akamai EdgeGrid authentication method, contract ID, group ID, security configuration ID, and more.
EdgeGrid Authorization: Postman comes pre-installed with Akamai EdgeGrid authorization, our method for authenticating users. Akamai endpoints require EdgeGrid authorization, but you can choose whether to set this on the parent level or on a request-by-request basis.To get started, simply navigate to Postman’s authorization tab and make sure EdgeGrid authorization is selected. EdgeGrid uses four unique tokens for authentication, which you can set in your environment after creating an Akamai API client.
Download and install Postman, as well as the collection and environments mentioned above, here.
Using other tools
Although Postman is a popular tool for connecting to the application security API, there are several other options available, including Terraform and Akamai’s own command-line interface. We also offer Akamai libraries of several popular programming languages, allowing you to easily integrate Akamai actions into your own code.
Regardless of the tool you use, the concepts remain the same. Follow the checklist below to make sure you’re ready for success with our application security solutions:
I’m able to send HTTPS requests to an Akamai API endpoint.
I know exactly what requests to send to the Akamai API endpoint. (If not, look at our API documentation.)
The request is properly authenticated through the use of the EdgeGrid.
Ready to get started? For more information on this topic, check out the Akamai Developer for Application Security video playlist and the Akamai Developer Get Started guides.
