In this episode, Jeremy shares invaluable insights on the risks associated with APIs and best practices for preventing breaches. Tune in to learn about the “how” and “why” of API security.
API security should be every developer’s priority, and yet it still isn’t. Join Jean Ginzburg and Jeremy Snyder as they discuss the importance of API security in today's cloud-based world.
In this episode, Jeremy shares invaluable insights on the risks associated with APIs and best practices for preventing breaches. Tune in to learn about the “how” and “why” of API security.
This episode covers…
Jean:
Welcome to listen by Jean Ginzberg. This audio experience and podcast is all about social media, digital marketing, entrepreneurship, and interviews with top entrepreneurs in the digital and social space. I'm your host, Jean Ginzberg, digital marketing expert, number one best selling author and award winning entrepreneur. I will be sharing with you strategies, tips and tactics on how to grow your business and your social media following. Thanks for listening. 2s Hey everyone, welcome back to another episode of the podcast. Very excited for everyone to be here and for our guest to be here. Jeremy Snyder, how's it going?
Jeremy:
Going great, Gene, thanks so much for having me.
Jean:
Yes, we're very glad that you're here and always love having guests on the show. And. First question I always like to ask our guests is give our audience a little bit of context about your background.
Jeremy:
Yeah. I mean, you want to go back to childhood or?
Jean:
Yeah. Okay, let's start there. I mean, I mean, if it has connections to where you are now, potentially, you know, for sure.
Jeremy:
Well, I will tell you, you know, I have been kind of a lifelong learner because my life actually has been quite nomadic and really changing environments every couple of years. So I grew up with this background of having. A mother from Finland and a father who was a US Army doctor, and we were not settled for many of the early years of my childhood in terms of where we were going to live, US, Finland, etc. and then he joined the army and we moved every couple of years. So it is kind of relevant because what it really did for me was it made me look for the next challenge and the next thing that was interesting every couple of years, and that's actually followed me throughout my career in terms of job changes, in terms of entering new domain spaces and always really trying to keep myself stimulated and engaged. So yeah, I guess from that perspective it is kind of relevant.
But, you know, from a career perspective, I spend about the first 13 years of my career as a, you know, a hands on IT and cybersecurity practitioner, a couple SaaS companies, four years at a video game company. We were doing the metaverse from 2006 to 2010, only 13 years before it failed the second time. Um, and, you know, it was a lot of great learnings. But then, you know, after that, I really took a step back, thought about the things that I enjoyed, and realized that I really did enjoy spending a lot of time talking with people and helping them understand technology, how they could use it better, etc. and so I kind of transitioned into more customer facing roles and things like solutions, architecture or sales engineering. Um, first at AWS and then with a string of companies kind of connected in the cloud ecosystem.
Most recently, I've spent about 6 or 7 years in cloud security, and it's really been kind of those years that led me to start Fire Tail, because what we saw in the cloud security side was we saw a lot of customers getting more informed and engaged on how they were using the cloud. You would see this kind of maturity path where they'll make an initial move to the cloud, and they'll bring a lot of their own operational, um, procedures and a lot of their old architectures with them. And then over time, they start to realize that there's a lot more benefit, there's a lot more agility. If they start to become more and more cloud native. And as they go down that path and they start to change things in the, in the, um, infrastructure stack and in the architecture, we realize that APIs is where everything is going to end up. All of our data is sent over APIs. APIs are kind of one of the ways that a lot of critical business transactions get, uh, transacted today, for lack of a better word. And they're very, very important in the modern internet. And I think a lot of people don't really understand that.
But my co-founder and I, we kind of saw that back in 2021, and we started Fire Tail with the idea of really trying to help people make APIs better, make them more secure, and, you know, make it really easy for people to do that. And yeah, that's that's a little bit about me and where the journey started and how I ended up where I am today.
Jean:
Excellent. That's great. A lot to unpack there. Um, next question is. Okay. Tell us about FireTail. And then what is the problem that you guys are solving?
Jeremy:
Yeah. FireTail. We are a venture backed startup. We incorporated the company in February of 2022. We had started working on it just a couple of months prior to that. Um, some experimental prototypes at the time to try to make APIs more secure and so on. We started the company, then we, you know, raised a little bit of money. We recruited some early customers onto the platform, and we've been going through this kind of learning process of helping customers, you know, do better with their APIs. Um, we're currently 12 people across four countries today. We are in kind of an era of remote first as a company culture. Um, but interestingly, we've put a twist on that. We really focused on making sure we get everybody in the team together about once a quarter, and we really find that it's that balance of giving you the heads down time that remote work allows you, you know, the freedom to live your life, how you want to live your life, etc., not cut into your, you know, into your daily life with a commute schedule or anything like that, and then bring people together for some of that more challenging work where you need, you know, two, three, four sets of eyes on a problem and you need to whiteboard together. And also just to kind of, you know, build camaraderie and team spirit and get people engaged on some of those more difficult problems. That's really worked out well for us. So we're spread across the US, Canada, Ireland and Finland today. Uh, we went into production about six months ago, one of our first customer deals right around that same time. And, you know, we're on a great growth trajectory as it is. So that's that's a little bit about the company.
To answer your other question. You know, what's the problem that we're trying to solve. It really goes back a little bit to what I was saying is, you know, we we know that there's so much critical data being sent over APIs. What we want to help our customers achieve is that they reduce the risk around their own APIs. So as they are creating APIs, publishing them, or interacting with third parties via API connections, they can have the most secure the connections and data handling, and they can solve some of those crucial risk areas that we've seen in kind of the last ten years history of API based data breaches, which really come back to like authentication and authorization and data handling problems. And so it's specifically those three areas that we're working on solving around API security.
Jean:
Um, and so what are some ramifications of, uh, if, if companies don't get your solution or a similar solution? What is the what's the worst that can happen just so that our audience and so I can also understand. Yeah. The worst that can happen.
Jeremy:
I'll give you kind of a case study and I won't mention the company's name, but this was well publicized and I'm sure people, if they're if they've been following the space, they'll probably recognize it, you know, so there was a situation with a an IoT manufacturer. So they have a smart device that's in your home. Well, what I think a lot of people don't realize is that all those devices, very little actually gets processed on the device itself. What ends up happening is the device is just an interface, sending data over an API to a back end cloud service. And there's a lot that goes into making that happen. There's kind of an authentication step that authenticates the device or maybe your user account on the device, etc., etc., etc.. 1.1s What you may or may not know is that when you're using that device, you can actually go on to your home Wi-Fi router, and you can see all that traffic happening, and you can look at that traffic and you can usually pick up things out of that traffic. You can see your authentication token. You can see the calls that this device is making to a back end API service. Why is this important? Because from that you can kind of reverse engineer how the device works and how it communicates with the cloud service in, let's say, storing data, fetching data, what have you. So there was a famous case in 2021 of a user who did exactly that, looked at this, realized that it was pretty easy to find the token, use that to authenticate, and then actually scraped 30,000 user profiles off of this service in a matter of minutes. And so the ramifications when we look at API security, what tends to happen is it's the the root cause is usually a design flaw, often around something like authentication or authorization or data handling. But when it's a design flaw means that entire data sets are vulnerable to exfiltration or to breach. And so that's why we think there's this kind of criticality element around APIs, because the flaws tend to be systemic. And so they expose whole data sets. And those whole data sets are services that all of us consume. And so, you know, your data is maybe not this particular manufacturer, but it's in some data set where it's at risk of exposure through one of these design flaws at the API level.
Jean:
Right. And so your company to you guys help with the design flaws and like within a product of the design or are you just like the security overlay on top of that?
Jeremy:
So we're a little bit of both. So we have kind of a two part solution. And what we found in talking to customers is they always have this kind of, let's call it the day one problem. And the day one problem is they don't know all the APIs. They have very common situation, right? Developers have been empowered. And that's a good thing. You know, it moves the business forward. It allows for innovation at the speed it needs to happen, all that. But it also often means that there's this disconnect between what the developers have done and what the security team knows about. So the first part of our solution that we make available for people is really an API discovery and observability tool, and it allows you to find the APIs on your network, most specifically within your cloud environment. And it allows you to watch them and then prioritize them. Once you've done that, you can decide you know which APIs are most critical to your organization, which APIs have the most sensitive data, etc. then you go work with the developers, and we provide an SDK, a software development kit to those developers to try to eliminate those design flaws. So this SDK does things like it helps developers enforce good authentication standards and enforce kind of anti enumeration anti probing mechanisms. And we're working on something around enforcing strong authorization um server side authorization for API calls as well. So it's kind of a two part solution that's really designed to make it easier for both parties that are involved. The people writing the APIs and the people who are responsible for the security of the data within the organization.
Jean:
Got it. And is this, uh, applicable to all kinds of businesses, specific types of businesses, software, hardware, IoT?
Jeremy:
Yeah, definitely IoT. Um, certainly software where we've seen the most kind of interest and engagement from customers and prospective customers today is really kind of digital native companies. Um, you know, either born in the cloud or deeply into kind of a refactoring process towards being cloud native. Those have been certainly, you know, the majority of the customers that we've worked with so far. Um, IoT, mobile apps, API economy companies, you know, there's this kind of niche sliver within the tech world of companies who provide services over APIs. Uh, you can think about a company like Twilio that that, you know, is a name that not all of us are familiar with. But every time you get one of these, like two factor, six digit, um, authentication codes over text message or something like that, you know that a Twilio function figured by an API called the Twilio. So there's this whole category of companies who actually expose their data or their products via APIs. So they're certainly, you know, a kind of a category of company that we're deeply engaged with as well. Um, but let's say, like digitally enabled companies are really the prime kind of customer profile for us.
Jean:
Gotcha. Um, yeah, that totally makes sense. I mean, it's it's been such a push towards, uh, API. Enabled. I guess this is. I don't know how I want to describe that. Maybe, you know, my company's using API. So it's become such a a prevalent thing these days that maybe ten years ago it was not that remotely as big as it is now. So definitely need to keep that secure. Um, so the, uh, the other question I had was, what would you say is the biggest challenge in your industry now?
Jeremy:
Yeah, there's kind of two challenges that really come to mind. One is that not a lot of people are thinking about this problem right now. When we go talk to customers right now, we find that it's really kind of, you know, two out of every ten companies that are already thinking about the security of the APIs that their organization has, and the others are still kind of getting educated and learning about either learning about the APIs that they have or learning about some of the risks around APIs and data handling and so on around that. So there's there's just general awareness and educational challenge. The second is there's a lot of confusion around what's the right approach towards API security. There are you know, by some measures, there are literally thousands of cybersecurity vendors in the world. And there's a lot you know, I just came back from RSA a couple of weeks ago, and I think, you know, something like a quarter of the companies there were saying that they did API security. But when you scratch beneath the surface, they'll have maybe one tiny element of what, you know, we would consider. Obviously we're biased, but what we would consider to be an effective approach to API security. And so we think there's a lot of kind of I won't call it misinformation, but let's call it incomplete information out there that people are getting. And so as people are getting educated, they might be hearing kind of mixed messages around API security that make it a little bit more difficult for them to actually get at the root of the problem and understand where the risks really lie. And so that's that's going to be a challenge. And, you know, we're more than happy to talk to anybody about it and share, you know, our research and the data that we've been collecting to try to give a clearer picture of what is critical and what is maybe useful, but let's say not sufficient.
Jean:
Right. Yeah, that makes sense that that is a that is definitely a challenge. Um, that's going on right now. Uh, you said there were two challenges, right?
Jeremy:
Yep. So the one's general awareness and the other is kind of getting mixed messages from okay, from the broad world out there. Yeah. Yeah yeah.
Jean:
No okay I understand. Yeah. I um, and how would you say you're getting around that? Like what would be a solution or a proposed solution for these two issues that you're seeing?
Jeremy:
Well, certainly from our perspective, we're just trying to put as much useful information out there in a, let's call it a in a way that is not doesn't require a PhD to understand what's going on there. Right. Um, you know, we happen to have a PhD in astrophysics who works on things like, you know, graph theory and authorization and so on. But you shouldn't need that level of, of background or, or educational basis to understand what the challenges are. So we've been doing a lot of research.
We've been publishing a lot of content on our website, on our blog, on our social media, etc. to just try to help make it an easier conversation for people to have and to try to put it even into layman's terms like, hey, what's going on here? So you'll see, you know, sometimes some of the examples that we use are very, very simple. They're around like, hey, when you order food via one of these mobile delivery apps, what's actually happening there? And just helping people understand that you've got, you know, 3 or 4 individual parties interacting with each other to make that order happen. And guess what? A whole chunk of sensitive data is being sent over APIs who try to put it into relatable terms, um, and make that really easy.
You can check out our YouTube channel, you can check out our blog, etc. that's probably the main thing that we're doing. We also just wrapped up, uh, a research paper around, uh, we've been tracking all the API based data breaches that we could find. So, you know, caveat that it's what's available via public disclosure, either from documented events or from responsible disclosure from security researchers. And we've tried to summarize that into something. Again, you know, pretty easy to understand. Uh, it is about a 20 page white paper. We're actually working on a like a two page executive summary and a one image infographic. So stay tuned for that. In the next couple of weeks. We'll have that up on our website as well to really try to like again, boil it down to simplest terms so people can get whatever their speed is. They can go for the full 20 page if that's the level that they're at, or if they just need the really, really high level, they can get that too. So that's one.
And then two is we've actually been publishing a whole set of open source libraries, um, to help software developers in particular to publish more secure APIs from day one. Um, the idea is that, you know, you're a developer. You know, your focus should be on writing business logic, making the applications work the way they need to work. We want to be kind of the easy button for that developer. You want to ship a secure API? Yes. How are you going to do that? You know, plain and simple. It's about 15 lines of integration code open source, have at it, you know, make it work for you for your organization to make your APIs more secure. So we're trying to be, you know, giving as much as we can, both in terms of data and in terms of utilities.
Jean:
I love that. Yes, I think for such a complex concept, it's like, you know, you have there's so much education that needs to go into it. So the fact that you guys are creating videos and whitepapers and summaries, um, for the layman like myself, who's not that I guess familiar or that much of an expert in API security, uh, and, uh, distilling it down for someone like myself or just our audiences. So, uh, that's that's fantastic. I always, you know, coming from a marketing background and putting on my marketing hat, like education, uh, of complex problems or concepts is such a big point that things sometimes, you know, companies miss. It's like they just assume that everybody understands what API security is all about or whatever.
Jeremy:
Well, you know, and I think a lot of people assume that, hey, I'm a technologist. The person I'm talking to is probably a technologist. I don't need to try to make it simple. And in fact, you know, they people I've I'm sure you've been part of these meetings where people try to one up each other with, you know, how deep their knowledge goes and how in-depth it is. And hey, that's that's all well and good. But, you know, in simplest terms, we're trying to help you make something more secure. And we think that the problems lie in, you know, x, y, z. Right. And so to that end, we don't want to over complicate the matter. We don't want to we don't want to live on a lot of bud, you know, fear uncertainty and doubt type of marketing. We just want to present it in a way that you can understand, make these resources available to people if it makes sense, if it works for you, awesome. If it doesn't, hey, no harm, no foul. Hopefully you've at least learned something from the interaction and you know you can be on with your day and and move forward. We're not like a we're not an organization that's out there to try to like bowl people over with, you know, a list of jargon that goes on for days and days and days and that's just not our vibe. We're all about kind of collaboration and making things, you know, again, easy to understand and making it easy for you to try out, see if it works and if it does, great.
Jean:
That's great. Yes, I think there's definitely a fine line between like fear mongering and then but then also being. You know, beneficial and, um, important, but also making sure that, like, people are educated about it, but at the same time not too overly educated or too technical, and people kind of just glaze over that the content. So yeah, always a fine line over that.
Jeremy:
Yeah. For sure.
Jean:
Um, and I know we talked a little bit about challenges in the industry. Um, the next the last question I always ask before we wrap up is what is your prediction for the industry. And that could be specifically your industry. Or, you know, if we want to go outside to self-driving cars, terraforming Mars, whatever, whatever.
Jeremy:
Yeah. I mean, look, there's kind of like three things that come to mind. I mean, one is on the API security side. So just very narrowly focused for a second. I mean, we think that SpaceX is going to continue to grow. Um, but interestingly, I think it is a thing that a lot of people are going to realize that they need it and then they need it contextualized. Um, there's a whole lot of challenge in cybersecurity right now, which leads to my second, uh, kind of prediction, which is that the cybersecurity industry is going to go through massive consolidation in the next five years. And when I say consolidation, what I really mean is you're going to see a lot of cybersecurity vendors get acquired in kind of merge into larger organizations.
Why do I think that's the case? So I've been in cybersecurity now for, well, the better part of my career. But what I see right now is that. All of cybersecurity is pretty much a data problem. It's about having visibility into the data and then having the right data, and then having the right data combined with the right other data. So that last point in particular is about correlation of data and kind of providing the right context. Like you might see a data signal that on its own means nothing, but when you see it in context of everything else, you know, that becomes really valid.
So for instance, Jeremy logged into his computer doesn't mean anything, but when you have the context that Jeremy logged into his computer from the Ukraine and five minutes ago he logged in from home in the Washington, DC area, you know, that something doesn't add up. So that kind of correlation and contextualization is actually becoming the most important thing in the cybersecurity space right now. I 100% predict the same thing is going to happen to API data and API security data.
I think that the contextualization of APIs with your cloud environment, with your applications, with your data stores, that's really what's going to be kind of the medium term for this. And then, you know, as a broader kind of thing, you know, right now by some measures, something like 83% of all internet traffic is API traffic, right? It's not me googling, it's not you sending an email. It's, you know, you made that food order and the food delivery service that you interacted with issued 20 API calls to third party vendors to kind of coordinate the order. You don't realize how much of that is happening already, but my big prediction around that is it's actually going to increase by an order of magnitude. So by a factor of ten in the next three years. And that I think like the whole thing of systems, talking to systems is what we don't understand. You know, we as you know, just kind of day to day people doing our jobs, living our lives, interacting with all the digital services we interact with. You just don't appreciate how much is going on behind the scenes to make all of that possible. And it's only going to get more so that way.
Jean:
Oh, I can totally believe that. Besides, um, my digital marketing agency, I also founded a startup, uh, which basically just allows you to send gifts, um, through Shopify with just an email address without the shipping address. And I'm clearly not a developer on it, and I'm not the technology person, but I just know how often we say API calls on our on our weekly, um, status updates. And, I don't know, I could every time I would take a shot, probably I would be very, very drunk by the end of the call. If we were talking about the time that the word API call was was said and uttered.
Jeremy:
Yeah. So and, you know, I would ask you, Jean, you know, in those status updates, my guess is that if you look, you know, kind of week over week or month over month, however frequently you have them, one of the success KPIs that you're looking at is that that number of API calls is actually going up from session to session
Jean:
Oh absolutely, as we are building, as we're iterating on the product and building out more features, we are connecting with more systems. So more systems are talking to each other. Um, so yes, it's like exponentially more. There you go. The word other API calls. Yeah.
Jeremy:
So so that's exactly my point. You know, all these, you know, interconnected systems that we're building to enable the digital lives and the services that we want to consume. It's only increasing.
Jean:
Yeah, absolutely. So I can I can absolutely I can understand that piece. I don't know the back end of it, but I can totally understand the API calls piece. Um, awesome. Well, thanks so much for having, uh, for being on the show here and having us interview you. Uh, last question I always ask is, how can our audiences get in touch with you or your company?
Jeremy:
Yeah. Real easy. We are just FireTail.io, fire like the flame substance and tail like the tail of an animal. Not like a story. So just look for us at Fire Tail.io. Um, and please do check out in the next couple of days. We're recording this in kind of early May of 2023. We've got our research report going up online. Um, and that is, you know, an analysis of the last ten years of API data breaches with some of those summary findings that we talked about earlier in the show. So please do check that out. And if you want to reach out to me personally real easy, I am just Jeremy at Fire Tail io. Super easy.
Jean:
Awesome. Thank you so much for being here.