Episode 63
Securing Application Programming Interfaces (APIs)
Application Programming Interfaces (APIs) play a vital role in modern software development, enabling the integration of services and facilitating the exchange of information. The ubiquity of APIs is a testament to their success in supporting many functions. However, their prominence has also made APIs a target for cyberattacks. Jeremy Snyder, Founder & CEO of Firetail.io, joins me in discussing how to secure APIs effectively. Our discussion revolves around the following questions:
What do we need APIs for? Why do we need API security? What are the consequences of lax API security?
What are the risks of APIs today? How can we remedy current API security issues?
Time Stamps
00:02 -- Introduction
00:49 -- Setting the Stage and Context for the Discussion
02:26 -- Guest's Professional Highlights
04:37 -- Overview of APIs
09:12 -- Common API Security Risks and Vulnerabilities
12:29 -- Design with security in mind
13:23 -- Securing APIs
13:36 -- Integrating Security into the Development Process
13:52 -- Different Ways of Security Testing APIs
17:08 -- Vulnerability Monitoring and Promptly Acting on Alerts
19:22 -- Role of Humans in Acting on Vulnerability Alerts
21:33 -- Staying on the Right Side of the Law
23:37 -- Significance of Maintaining Logs
25:36 -- Selecting Robust APIs
27:59 -- Key Takeaways
28:57 -- API Governance
30:25 -- Zero Trust Approach
32:10 -- Use of APIs in Leveraging Large Language Models (AI)
33:41 -- API Governance and Taking Ownership
36:12 -- Final Thoughts
Memorable Jeremy Snyder Quotes/Statements
"Application Programming Interface (API) -- It's basically the way two pieces of software talk to each other, that can be to send data from system A to system B, or that can be for system A to request system B to process something for it."
"We've got sensitive data crossing the wires over an API, but we've also got critical business functions like processing credit card transactions over an API."
"APIs are pretty much happening behind the scenes, they enable a huge volume of interactions and transactions every day."
"So we've been cataloging the API data breaches for the last couple of years, these breaches go back about a decade or started about a decade ago, or let me say started to be recognized about a decade ago. And as we've catalogued them, we've kind of categorized them as well, to try to understand in each of these breach scenarios, what was the primary error or breach vector? How was the API breached? And if there's a secondary cause, or things like that, we look at that as well. Two of the main things that we see are really authentication and authorization."
"Authorization turns out to be the number one root cause of data breaches around APIs. And this has been true for many years now."
"Proactive security is always much cheaper than reactive security."
"From the proactive standpoint, the number one thing that any provider of an API can do is actually just check the APIs before they go live."
"You should actually pen test your APIs before they go live."
"Very often, we find that APIs get shipped into production environments without going through either the static code analysis, or the pre-launch testing."
"The average time that a vulnerability existed in a production environment before being patched and updated was around 180 days."
"The best practice that we recommend to customers about reacting to the logs or the alerts or the suspicious conditions that you're seeing in your logs is to do it with automation."
"The human has to come into play as soon as there is any reason to suspect a data breach."
"If you find an organization that has a lot of undocumented stuff, or poorly documented stuff, that's kind of an indicator that they don't have good governance over the APIs that they themselves are providing. And so I would have concerns about what other API functions might be out there that are not documented or publicly disclosed, that could also be used by third parties or bad actors to breach that organization."
"Right now, more than 50% of all internet requests are API requests."
"If you can't see it, you can't protect it."
"From a governance perspective, do you know all the APIs that you have? Do you know the versions of APIs?"
"From the kind of cultural perspective, having organizational guidelines for what acceptable usage of APIs is, and having that documented and communicated to the team somewhere, is always very important."
"One of the fastest areas of API usage growth right now is AI."
"What I'm seeing in a very small percentage of organizations right now are API centers of excellence. And it tends to be right now at the largest organizations that have thousands of applications that they might have built and run."
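The authorization failure Snyder names as the number one root cause of API breaches is easy to see in code. The following is an added illustration, not code from the episode or from Firetail: a minimal records endpoint that authenticates the caller but never checks ownership, beside the corrected handler. The record store, session table and token values are all constructed for the example.

```python
# Added example (not from the episode): a records API handler that checks
# *who* is calling (authentication) but not *what they may read*
# (authorization), beside the hardened version. All data is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed data store: record id -> (owner user id, payload)
RECORDS = {
    101: ("alice", {"ssn_last4": "1234"}),
    102: ("bob", {"ssn_last4": "5678"}),
}

# Constructed session table: bearer token -> authenticated user id
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: dict


def authenticate(token: str) -> Optional[str]:
    """Authentication only: returns the user id for a valid token, else None."""
    return SESSIONS.get(token)


def get_record_vulnerable(token: str, record_id: int) -> Response:
    """Authenticates the caller but never verifies that the caller owns the
    record, so any valid session can read any record just by changing the id
    in the request (the authorization gap the episode describes)."""
    if authenticate(token) is None:
        return Response(401, {"error": "unauthenticated"})
    if record_id not in RECORDS:
        return Response(404, {"error": "not found"})
    _owner, payload = RECORDS[record_id]
    return Response(200, payload)


def get_record_hardened(token: str, record_id: int) -> Response:
    """Same handler with an explicit authorization step: the authenticated
    user must be the record's owner. A mismatch returns 404 rather than 403 so
    the response does not reveal which ids exist; the denial should also be
    logged so automation can act on repeated failures."""
    user = authenticate(token)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    entry = RECORDS.get(record_id)
    if entry is None or entry[0] != user:
        return Response(404, {"error": "not found"})
    return Response(200, entry[1])
```

This is exactly the kind of defect pre-launch testing catches: a test that calls the endpoint with one user's token and another user's record id should get a denial, not a 200.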
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Latest Publications:
Preventing Security Breaches Must Start at the Top
Latest Webinars:
How can brands rethink data security to maintain customer trust?
Cybersecurity Readiness in the Age of Generative AI and LLM
Insights for 2023, Cybersecurity Readiness with Dr. Dave Chatterjee