Episode 63

Securing Application Programming Interfaces (APIs)

Application Programming Interfaces (APIs) play a vital role in modern software development, enabling the integration of services and facilitating the exchange of information. The ubiquity of APIs is a testament to their success in supporting many functions. However, their prominence has also made APIs a target for cyberattacks. Jeremy Snyder, Founder & CEO of Firetail.io, joins me in discussing how to secure APIs effectively. Our discussion revolves around the following questions:

What do we need APIs for? Why do we need API security? What are the consequences of lax API security?

What are the risks of APIs today? How can we remedy current API security issues?


Time Stamps



00:02 -- Introduction

00:49 -- Setting the Stage and Context for the Discussion

02:26 -- Guest's Professional Highlights

04:37 -- Overview of APIs

09:12 -- Common API Security Risks and Vulnerabilities

12:29 -- Design with security in mind

13:23 -- Securing APIs

13:36 -- Integrating Security into the Development Process

13:52 -- Different Ways of Security Testing APIs

17:08 -- Vulnerability Monitoring and Promptly Acting on Alerts

19:22 -- Role of Humans in Acting on Vulnerability Alerts

21:33 -- Staying on the Right Side of the Law

23:37 -- Significance of Maintaining Logs

25:36 -- Selecting Robust APIs

27:59 -- Key Takeaways

28:57 -- API Governance

30:25 -- Zero Trust Approach

32:10 -- Use of APIs in Leveraging Large Language Models (AI)

33:41 -- API Governance and Taking Ownership

36:12 -- Final Thoughts


Memorable Jeremy Snyder Quotes/Statements

"Application Programming Interface (API) -- It's basically the way two pieces of software talk to each other, that can be to send data from system A to system B, or that can be for system A to request system B to process something for it."

"We've got sensitive data crossing the wires over an API, but we've also got critical business functions like processing credit card transactions over an API."

"API's are pretty much happening behind the scenes, they enable a huge volume of interactions and transactions every day."

"So we've been cataloging the API data breaches for the last couple of years, these breaches go back about a decade or started about a decade ago, or let me say started to be recognized about a decade ago. And as we've catalogued them, we've kind of categorized them as well, to try to understand in each of these breach scenarios, what was the primary error or breach vector? How was the API breached? And if there's a secondary cause, or things like that, we look at that as well. Two of the main things that we see are are really authentication and authorization."

"Authorization turns out to be the number one root cause of data breaches around API's. And this has been true for many years now."

"Proactive security is always much cheaper than reactive security."

"From the proactive standpoint, the number one thing that any provider of an API can do is actually just check the API's before they go live."

"You should actually pen test your API's before they go live."

"Very often, we find that API's get shipped into production environments without going through either the static code analysis, or the pre launch testing."

"The average time that a vulnerability existed in a production environment before being patched and updated, was around 180 days."

"The best practice that we recommend to customers about reacting to the logs or the alerts or the suspicious conditions that you're seeing in your logs is to do it with automation."

"The human has to come into play as soon as there is any reason to suspect a data breach."

"If you find an organization that has a lot of undocumented stuff, or poorly documented stuff, that's kind of an indicator that they don't have good governance over the API's that they themselves are providing. And so I would have concerns about what other API functions might be out there that are not documented or publicly disclosed, that could also be used by third parties or bad actors to breach that organization."

"Right now, more than 50% of all internet requests are API requests."

"If you can't see it, you can't protect it."

"From a governance perspective, do you know all the API's that you have? Do you know the versions of API's?"

"From the kind of cultural perspective, having organizational guidelines for what acceptable usage of API's is, and having that documented and communicated to the team somewhere, is always very important."

"One of the fastest areas of API usage growth right now is AI."

"What I'm seeing in a very small percentage of organizations right now are API centers of excellence. And it tends to be right now at the largest organizations that have 1000s of applications that they might have built and run."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publications:

Published in USA Today — “Dave Chatterjee Drops the Cybersecurity Jargon, Encouraging Proactiveness Rather than Reactiveness,” April 8, 2024

Preventing Security Breaches Must Start at the Top

Mission Critical --How the American Cancer Society successfully and securely migrated to the cloud amid the pandemic

Latest Webinars:

How can brands rethink data security to maintain customer trust?

Cybersecurity Readiness in the Age of Generative AI and LLM

Insights for 2023, Cybersecurity Readiness with Dr. Dave Chatterjee

Next Episode All Episodes Previous Episode

About the Podcast

Show artwork for The Cybersecurity Readiness Podcast Series
The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

Listen for free

About your host

Profile picture for Dave Chatterjee

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.