CISO Talks: API Security Best Practices And Where to Begin

FireTail co-founder and CEO Jeremy Snyder breaks down the basic pillars of API security and debunks common misconceptions around APIs, cybersecurity, and more.


APIs are the essential building blocks that power the seamless connections between platforms, and they now account for over 83% of all web traffic. But with so many different APIs and endpoints in play, staying ahead of threats is a challenge for security teams, especially as the level of threats continues to rise.

Listen in for Jeremy's advice on API security best practices, starting with visibility and covering authentication and authorization mechanisms, building an API inventory, and more. API security can be complicated, which is one reason so many companies have suffered breaches, but sometimes all you need is a push in the right direction to get started.

Key topics covered in the talk include…

  • Cyber security then and now: how the landscape has changed and what we need to do to stay vigilant against a rising level of threats.
  • API security vs. cloud security: what are the key differences between the two, and how can we balance both?
  • The importance of APIs and API security in today's cyber landscape.
  • API security misconceptions, and how to avoid leaving your APIs open to attack.
  • Key API security practices: a good jumping-off point for API security.

Podcast Transcript

Daniel

I think that's fascinating, really, that it is different regionally. I always get the feeling, when I talk to our British clients or American clients, that there's more of an excitement around a technology coming out, whereas when I've talked to the Asian side it's been more of an "oh, there's a new technology coming out, but let's make sure what this is before we start throwing everything at it."

So have you found that now, within the bigger companies, cyber security teams are actually having (divisions is the wrong word) a team of people who are now just purely outpaced, and they're the ones they need to, like, the security team? Has that been a new introduction, as they've been introduced recently? Is it quite recent, or has that been a sort of stepped approach that you've found?

Jeremy

I think it is quite recent. I mean, again, going back to 2016, let's call it 2016 to 2019.

The vast majority of the customers that we interacted with, we were talking to the cloud teams, not the security teams. The use cases that we were tackling were very much security related; let's say 80 to 90 percent of what we were doing was tackling security problems. But the security teams in those days were still a little bit more traditional. When you went to talk to those security teams, the things they would ask you about were like, "well, where's my AWS firewall?", because that's what they're used to, or they're wondering, "where's my AWS endpoint security solution?" and "where's my AWS VPC threat detection module?" and things like that. Because, I think, historically a lot of security teams come from networking, and so there's always been this kind of heavy emphasis there. If you rewind to the beginning of my technology career, in the late 90s and early 2000s, a lot of the time the first name on people's list around security was one of the big firewall vendors, and so that has for a long time been one of the leading cyber security constructs.

So, coming back to your question, I think it's only in the last four years, 2019 to the present, that we've started to see security teams either have people get trained up on cloud, so that they understand the full breadth of what cloud security really entails, or cloud teams have people that have migrated over onto a security specialization. So now, to your point, you do see these specialized cloud security teams, but I don't think they're the majority yet. Within these larger enterprises that have, let's say, tens if not hundreds of people within the organization tasked with security, yes, there you will see it. But on smaller teams, let's say a mid-market 500-person organization, unless it's a born-in-the-cloud digital native that specifically allocates headcount towards this, it's not that common yet. So we still see a lot of separation of cloud from security, or we see teams that are all wrapped together: cloud and IT and security all wrapped up in one team at smaller organizations.

Daniel

Yeah, it's not the common thing at the moment; it's still building, it's still going. Because obviously now, moving on to API security, it's such a massive attack surface. I bet for the majority of the companies that you work with it's almost so vast that they almost don't know where to start. And I suppose, is that where you, as a company, are taking them, really: taking them on that journey that gives them a start point and then building from there? Or have you got a different approach…

Jeremy

No, it very much is building from a starting point of understanding what the problems are, right? And to some extent it mirrors those early days of cloud security, in the sense that you start with that visibility, and you start with pulling together a list of APIs, and then people tend to be, "okay, now what? I've got this list, what do I do with it?" And then you've got that secondary function of assessment. And by the way, all of this process has now been encapsulated into the, I'll say, insert-asterisk-here SPM, security posture management, and you're seeing a whole wave of companies that are like "we're data security posture management", "identity security posture management", and really what it means is: get visibility, build an inventory.

Ideally, that's a self-updating, real-time inventory, so you've got some kind of ongoing scanning mechanism to update it: new API came online, old API went offline, etc., that kind of change. But then assess that and help to prioritize. That's one of the problems that is pretty typical on the cloud security side also: the same organizations that don't have visibility, once you give them that inventory, they're like, "oh crap, this is way too much stuff for us to wrap our heads around and deal with." It's a little bit lower scale on the API side for a lot of organizations right now; they don't have quite as many APIs as they have, let's say, infrastructure assets in their cloud environments. But to your question, it is very much, "okay, I've got that visibility, we can do some assessment work, what do we really need to worry about with API security?" And so to that end, we've been doing a lot of work on research on the different topics relative to API security.

We've just finished up an analysis of about 10 years of data that we've scraped together. At the bottom of our website you can find this API data breach tracker, where we track all of the publicly disclosed breaches, or disclosures from security researchers, around APIs, and there are a couple of common threads that you can pull out of there. So when we go talk to customers, we try to help them understand, either taking one of those as a use case or a case study, or some of the thematic things that we've been able to pull out of there.

But, for instance, people don't understand that the biggest risks around APIs are not the network exposure, or the fact that an API exists, or is sitting on a public network, or exposed to the internet. It's the fact that you're not doing authorization very well, or that you're not authorizing server side on every API call. Decoupling the security model from client to server is actually not a very good construct on APIs, because guess what: hackers, if they're going after your API, are not going to go through your client. They're going to go after it programmatically; they're going to go after it through Postman; they're going to write their own code to attack your API. So it really comes down to a lot of application constructs, for the most part, and that's been very much an educational process, working with a lot of customers to identify the risks, both in API security at large and then within their specific API implementations. It's been a lot of fun though, I have to say, and I've learned a lot myself along the way.
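The following is an added example, not part of the transcript and not FireTail's code, illustrating the point Jeremy makes in his last answer: an authorization check that depends on what the client sends is no check at all once an attacker calls the API directly, whereas a check made server side on every call, against the identity the server itself established, holds up. The invoice store, the user and invoice ids, and the handler signatures are all constructed for this example.

```python
"""Object-level authorization checked server side on every call.

Added illustration for the podcast transcript above; it is not code from
FireTail or the podcast. The invoice store, the user and invoice ids, and
the handler signatures are all constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


# Constructed sample data: two tenants, one invoice each.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=120.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=9999.0),
}


def get_invoice_vulnerable(params: dict, session_user_id: int) -> Response:
    """GET /invoices/{invoice_id} with the authorization decision left to the client.

    The web UI only ever sends the caller's own owner_id, and client-side
    JavaScript refuses to request invoices it does not display. The server
    "checks" ownership, but against an owner_id the client supplied, so the
    check is only as trustworthy as the client. Anyone who skips the UI and
    calls the endpoint directly (curl, Postman, a script) can send whatever
    owner_id makes the check pass. session_user_id is never consulted.
    """
    inv = INVOICES.get(params.get("invoice_id"))
    if inv is None:
        return Response(404, {"error": "not found"})
    if params.get("owner_id") != inv.owner_id:  # trusts client-supplied identity
        return Response(403, {"error": "forbidden"})
    return Response(200, {"invoice_id": inv.invoice_id, "amount": inv.amount})


def get_invoice_hardened(params: dict, session_user_id: int) -> Response:
    """Same endpoint; the owner check uses the identity the server established
    from the session or token, and runs on every call, not only on the calls
    the client chose to guard."""
    inv = INVOICES.get(params.get("invoice_id"))
    # One 404 for both "does not exist" and "not yours", so the endpoint does
    # not tell an id-enumeration attacker which invoice ids are valid.
    if inv is None or inv.owner_id != session_user_id:
        return Response(404, {"error": "not found"})
    return Response(200, {"invoice_id": inv.invoice_id, "amount": inv.amount})


def simulate_direct_call(handler) -> int:
    """User 1 holds a valid session, bypasses the client, and asks for user 2's
    invoice while forging the owner_id field the UI would normally fill in.
    Returns the HTTP status the handler produced."""
    forged_params = {"invoice_id": 1002, "owner_id": 2}
    return handler(forged_params, session_user_id=1).status


if __name__ == "__main__":
    for handler in (get_invoice_vulnerable, get_invoice_hardened):
        print(f"{handler.__name__}: attacker got {simulate_direct_call(handler)}")
    # get_invoice_vulnerable: attacker got 200
    # get_invoice_hardened: attacker got 404
```

The design point is where the identity in the comparison comes from: in the hardened handler it is `session_user_id`, derived server side from the session or token, and the record's owner comes from storage, so nothing in the request body or query string can influence the decision. The same 404 for "missing" and "not yours" is a deliberate choice to avoid turning the endpoint into an oracle for valid ids.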

Schedule a demo

To learn more about API security, and see how FireTail can help you secure your APIs, schedule a free 30-minute demo with us.