Internet of Things, Smart Cities and API Security

Mamoon Yunus



Buy vs. Build: Application Security Solutions

Three factors that will help determine the best approach for your organization

In the world of application security, there are numerous options in the marketplace for both buying and building. Purchasing a centralized API security solution isn't cheap, but it can be less expensive than building your own, depending on your situation. In this blog post, we will look at three critical factors that will help you determine which API security solution is best for you.

The number of application security policies needed

This might seem obvious, but the number of security policies needed is one of the easiest factors to use in determining which option is best for your company. The math is simple: the more applications you develop, the more security policies you will need, and the more security policies you need, the longer it will take to code them. Configuring a security policy through a centralized API security system takes much less time than building it from scratch. The key is to figure out the threshold at which it makes more sense to buy instead of building the policies yourself.

It's also important to consider your product road map. Are you planning to dramatically increase the number of applications being developed? That will likely influence your decision.

The nature and use of your applications

How many of your applications will be integrating with other applications? Are those other applications internal or external? The ease of creating integrated applications has allowed developers to quickly build rich and powerful programs, but it also increases an application's exposure to breaches and other security risks.

It's important for organizations to look at the type of information that is at risk and what the consequences would be if their application were breached. For example, a company that stores PII (Personally Identifiable Information) in its application should be much more cautious than an online forum that stores email addresses and usernames. The company that stores PII should see a lot more value in a centralized API security solution and would likely work with an outside vendor rather than building and maintaining the policies in house.

Resources & Timing

Let's say you wanted to code your own security policies: does your development team have the necessary skill set and bandwidth? How long will it take them to define and code the API security policies? Building will probably require a project manager or product manager to lead the process, and if you ask any seasoned product manager or developer, defining and building usually takes longer than originally anticipated. Hiring new team members also takes time and money; finding the right people isn't easy! There's an opportunity cost to be evaluated when comparing the time it takes to properly staff and build against working with a vendor, but we will go over that in a future blog post.

Organizations also need to consider the cost of maintenance: is your organization willing to dedicate someone's time to updating and maintaining your in-house security policies? If you saved time by hiring contractors to build the security policies, are you willing to keep them on staff to keep up with the maintenance?

With any major infrastructure decision, there are pros and cons to each side. What's important is to look at both sides and decide what's best for your company. The topics and criteria above are some of the main items that need to be considered. If you've gone through this process, share in the comments what other factors should be included in the buy vs. build analysis.


About the author

Mamoon Yunus is an industry-honored CEO and visionary in Web Services-based technologies. As the founder of Forum Systems, he pioneered XML Security Gateways & Firewalls and was granted a patent for XML Gateway Appliances. He has spearheaded Forum's direction and strategy for eight generations of award-winning XML Security products. Prior to Forum Systems, Yunus was a Global Systems Engineer for webMethods (NASD: WEBM) where he developed XML-based business integration and architecture plans for Global 2000 companies such as GE, Pepsi, Siemens, and Mass Mutual. He has held various high-level executive positions at Informix (acquired by IBM) and Cambridge Technology Group.

He holds two Graduate Degrees in Engineering from MIT and a BSME from Georgia Institute of Technology. InfoWorld recognized Yunus as one of four "Up and coming CTOs to watch in 2004." He is a sought-after speaker at industry conferences such as RSA, Gartner, Web Services Edge, CSI, Network Interop, and Microsoft TechEd. Yunus has the distinction of showcasing Forum Systems' entrepreneurial leadership as a case study at the MIT Sloan School of Management. He has also been featured on CNBC as Terry Bradshaw's "Pick of the Week."