I will not discuss scalability, because what I was discussing is security.
In my opinion security should be a first class citizen in any software project, but unfortunately in 2021 it is still an afterthought, and this all comes down to developers not being properly educated from the beginning of their career to treat security as an opt-out, instead of the current approach of opt-in.
The business side of the company doesn’t help either in this process, because they only take security seriously when they are hacked, when they need to be compliant with some standards to be able to do business, or when some law specifically requires some measures, but even here they just do enough to tick the compliance or law boxes, and hackers prove daily that that attitude is not enough.
So, I work in API security daily and my newsletter subscriptions are full of data breaches, exploits, OWASP failures, etc., etc., and the majority of developers don’t have 10% of an idea of how bad things are, as I didn’t until I got to work in this space.
It’s important for a developer to understand the difference between who and what is accessing an API in order to be able to change its security posture about software development. Read more in this article I wrote:
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAuth2 flows.
Now we need a way to identify what is calling your API server, and here things become more tricky than most developers may think. The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
By the way, being OWASP compliant is not enough to secure your APIs, and if you want I can give you some reading on it.
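To make the who-versus-what distinction above concrete, here is an added example (my own illustration, not code from the comment author or from any library they mention). It verifies an HS256, JWT-shaped bearer token with the checks a server must do to establish the who (signature with a constant-time compare, plus expiry), and then shows that two requests carrying the same valid user token get exactly the same answer from the server even though they claim to come from different clients. The secret, the subject names and the request dictionaries are all constructed for the demo; the `X-Client-Name` header is a hypothetical self-reported field standing in for anything a caller chooses to send about itself.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In a real deployment the verification key comes
# from the authorization server (for example via its JWKS endpoint).
SECRET = b"demo-secret-not-for-production"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_user_token(subject: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a minimal HS256 token for an authenticated user: this is the 'who'."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl},
                                separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_user_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        supplied = b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison: do not leak how many signature bytes matched.
    if not hmac.compare_digest(supplied, expected):
        return None
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def handle_request(request: dict, now: Optional[int] = None) -> dict:
    """Server-side view of one API call.

    The bearer token establishes the 'who'. Anything else the caller sends
    about itself (here the hypothetical X-Client-Name header) is only a
    self-description; nothing in this function can confirm the 'what'.
    """
    headers = request.get("headers", {})
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "who": None, "client_claimed": headers.get("X-Client-Name")}
    claims = verify_user_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return {"status": 401, "who": None, "client_claimed": headers.get("X-Client-Name")}
    return {"status": 200, "who": claims["sub"], "client_claimed": headers.get("X-Client-Name")}


def demo(now: int = 1_700_000_000) -> dict:
    """Same user token, two different self-reported clients: the server cannot tell them apart."""
    token = issue_user_token("alice@example.com", now=now)  # constructed subject
    from_app = {"headers": {"Authorization": f"Bearer {token}", "X-Client-Name": "MobileApp/1.0"}}
    from_script = {"headers": {"Authorization": f"Bearer {token}", "X-Client-Name": "automation-script"}}
    tampered = {"headers": {"Authorization": f"Bearer {token[:-2]}AA", "X-Client-Name": "MobileApp/1.0"}}
    return {
        "app": handle_request(from_app, now=now),
        "script": handle_request(from_script, now=now),
        "tampered": handle_request(tampered, now=now),
        "expired": handle_request(from_app, now=now + 7200),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> status {result['status']}, who={result['who']}, "
              f"client_claimed={result['client_claimed']}")
```

Running `demo()` shows the app and the script both receiving status 200 with the same `who`, while the tampered and expired tokens are rejected. The point is that the server's answer depends only on the user token; the client name is whatever the caller typed, so distinguishing a genuine app instance from a script is a separate problem from authenticating the user.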