In this episode of the Risk Management show, Jeremy talks all about API security and how organizations can ensure they keep their practices up to date.
In today’s landscape saturated with cyber threats, API security should be every developer’s priority. Tune in to learn what digital organizations need to know about in order to prevent breaches.
In this podcast, Jeremy talks all about API security and how organizations can ensure they keep their practices up to date. Listen in to learn about the common mistakes organizations make when implementing API security, and how you can avoid them.
Key topics include…
Boris:
Welcome to the Risk Management Show. I am Boris Agronomic, founder and CEO at Global Risk Community. 7.6s Welcome to our interview with Jeremy Snyder. Jeremy is the founder and CEO of Fire tail.io and advisory board member. Fire tail is an API security and posture management, and Jeremy specializes in, uh, cloud security, cybersecurity, mergers and acquisitions, international business, business development, strategy and operations. And he also knows five languages. So Jeremy, thank you for joining our for our Risk Management Show podcast today.
Jeremy:
That's a real pleasure to be here, Boris. Thanks for having me.
Boris:
Absolutely. So, Jeremy, could you tell us a short story about your career path, what brought you to where you are right now and what you guys at FireTail are up to this day?
Jeremy:
Yeah, absolutely. So for the first kind of 13 years of my career, I was actually a cybersecurity practitioner. It and cybersecurity. Uh, went through a couple SaaS companies, uh, a couple startups had a good exit with one of them. Then for years at a video game company that crashed and burned in 2010, uh, right at the same time that this company called AWS was getting off the ground. Uh, so I joined AWS in the very, very early days and kind of made a transition to the cloud, which was really eye opening because I don't know if you spent a lot of time in data centers, Boris…
Boris:
I certainly did. Um, yeah. In the 90s..
Jeremy:
Exactly. Yeah. 90s and early 2000 for me. And, you know, I used to keep a sweater in my car because you'd go into this data center and it's like, you know, ten degrees Celsius, 50, uh, Fahrenheit, and you're freezing in there working for hours on servers. But, you know, the idea of cloud was really revolutionary. And, you know, since that early time that I spent at AWS, I stayed in the cloud ecosystem for many years.
I joined a cloud security software company in 2016. We were growing very fast. We were doubling basically every year in terms of revenue, number of customers and so on. And the interesting thing that I saw was I saw companies go through kind of waves of cloud adoption as they got more, more comfortable with the cloud and more sophisticated with the cloud. Right. You know, wave one, they would just kind of copy their data center into a cloud environment, and then later they would realize that they could actually get a lot more benefit if they started to change the architecture of their applications. And the more we worked with these companies and we saw them evolve and continue to grow and transform the way that they were building applications, we actually saw one common pattern, and that was that everything moves to this so-called microservice architecture over time. But what you always end up with is you end up with an API sitting on a network that transacts data and transacts business transactions.
And so that's what really led me to start FireTail was kind of watching that process evolve and watching our customers evolve and change the way that they were using cloud. My co-founder and I, we started kind of looking at the risks and the challenges around APIs and let's say where data breaches were happening. And we used that really as the inspiration for FireTail and and the things that we've built here today.
And now we have a quick message to share. If you were listening to this podcast, it probably means you have a keen interest in risk and compliance. You're not alone. As Global Risk Community Comm has already more than 100,000 active members. Together, we share knowledge, resources and the latest events. On top of that, global risk community is a great and easy way to network and broaden your opportunities. Visit Global Risk community.com and sign up as a member. The link is in the description. Thank you for listening. Now back to the episode.
Fantastic. So I believe that we will have a thoughtful conversation on the topic of, uh, API security, API security, posture management, and uh, specifically more like about, uh, predictions in the, in infosec space for the digital organization. So, uh, Jeremy, what are the most common
types of, uh, cyber threats that digital organization should be aware of in the coming years?
Jeremy:
Well, of course, everybody needs to stay aware of like the real common problems today. So, you know, phishing, malware and, uh, ransomware, all of that kind of stuff. Don't get lazy. It's very tempting to think about like, oh, the new threats are coming from cloud. The new threats are coming from, you know, novel, novel campaigns and so on. Don't forget the basics. So that's one thing I always like to tell people, but on the kind of, let's say, the coming stuff.
Look, I think the the nature of cloud breaches has really changed over the last couple of years. For many years, what we saw was it was always companies making mistakes and exposing data accidentally. You know, it wasn't really attacks or hacks or anything like that. It was really just configuration errors that made data available. Right. But now what we're starting to see is we're actually starting to see that attackers are understanding how AWS and other cloud platforms work so they know they can use, let's say, a vulnerability at the edge of an application to get into the infrastructure. And then they can do things like leverage identity credentials, uh, authentication tokens within the cloud environment to, you know, for lateral movement, for data exfiltration, for, uh, probing, enumeration, discovery, all of these types of things. So these are the types of attacks that I'm actually working with customers on after they've taken care of a lot of the basics, you know, so the customers that we work with, they've they've spent a lot of time and they've invested a lot of energy and money into, you know, into doing a lot of the basics and into improving their cloud security posture. And now they're looking at kind of the application edge of these cloud environments. Those are the types of things that we're working on. And those are the types of things that I think companies should start thinking about now. 1.8s So let's, uh, dig deep a little bit.
Uh, to what is it actually, actually API security? And how can organizations ensure the API security approaches are up to
date and secure? Yeah. So I think the, the thing that is important to understand is that APIs are actually everywhere already today, and they're growing very fast. I think not a lot of people realize that actually, over 80% of the traffic on the internet is API calls. So it's not, you know, me pulling up a browser and searching Google for something, it's, you know, some service at the back end of Google calling some other service. An example I really like to give is around, you know, when you order food through a mobile app, right. Probably something that all of us have done many, many times. You you know, you pull up this app, you look at menus, you choose some items off the menu, and you click submit to make your order. Well what's happened? You know that order didn't happen on your phone. What happened on your phone was just kind of the assembly of the order. And then the order was sent over an API call to the processor that could be, you know, DoorDash, just eat foodpanda, whatever. The service is where you live in the world. But then what happens is that that provider sends an API call to a payment processor to to check the payment. It sends an API call to the restaurant to submit the order. It receives a call back that says the estimated delivery time. It then sends API calls out to drivers you know in the wild, who can then come and collect the order and deliver it to you. So you know what is one transaction to you is probably more than 20 API calls that's happening. So that's the first thing I want people to understand about API calls is that they're everywhere. The second thing is if we think about what was in that transaction, we have sensitive data, right. So my name, my home address, my email, my phone number, all of that. We have payment information that's being sent out, you know, so we have very critical business transactions, payment processing. And we have sensitive data being sent over APIs. And again this is already happening pretty much everywhere around us every day. So that's the second thing I want people to understand. They're critical and they have sensitive data around them. So when you ask the question, you know, what do we need to think about for API security? We need to think about whether those transactions are secure. What does that mean? It means they need to only be going from the intended sender to the intended recipient. Nobody can sniff them. Nobody can intercept them. Also, they need to be authenticated and they need to be authorized. And these are two very important concepts in API security. We've done a lot of research here at tail. We've been analyzing the last ten years of API breaches. And we see that these two problems around authentication and authorization, these are things that we've been doing in it for decades and decades, right? I mean, as long as I've been in it, as long as you've been in it, authentication and authorization have been concepts, right? And yet when we introduce new structures like APIs, we see people making mistakes with them again and again. So these are some of the things that I want people to think about with API security, think about, you know, is the transaction itself secure? Is it authenticated? Is it authorized? There's more that we can get into, but that's the starting point for a conversation around API security. You know. So, uh, for example, if we take a life of a CSA or risk manager, if there is one thing that they should, uh, start to prioritize right now that they are not doing. What would it be with regards to, uh, API and, uh,
security?
Yeah. Visibility is always a great starting point. One pattern that we see pretty regularly. We saw it with cloud adoption in the mid 2010. So kind of in the let's say 2014 to 2019 timeframe. Um, and we see it with APIs today. We see that developers get ahead of security a lot of the time. And so one of the things that I always tell people is, look, if you don't know that it's there, you can't analyze the risk around it. You can't know what kind of security risk it poses to your organization. So always start with visibility as like the, you know, kind of step one in a journey towards API security. It's not too difficult with APIs because the traffic patterns are pretty consistent. Um, you can also look at things like code repositories and see what your developers are creating. Find API patterns in code. You can even find API specification files and code repositories. So there's a lot of different ways that you can tackle that problem. Certainly we also have uh, capabilities to help people do that. But that's that's the starting point that I always suggest to people is visibility. Who? So
let's discuss a little bit about your company fire
sale. What are the
business cases that your solution solves the best in the eyes of your customers?
Yeah. Well, visibility has the starting point for sure. And we do some of that kind of inspection of, uh, of cloud environments, of cloud traffic, of code repositories to find APIs, create kind of an inventory of APIs, if you will, and kind of put that in front of the relevant people, whether that's, let's say, security managers, whether that's risk managers, etc.. The next thing that we do with that is we try to help you understand the risk around that. So for instance, we can help you understand, you know, which APIs are public facing, which ones are internal, which ones have different types of authentication checks integrated into them. Then the last thing that we try to do is we we actually provide a library of open source solutions directly for developers. And you know, we talked a few minutes ago about how authentication and authorization are some of the common problems with APIs. We've created an open source toolkit that developers can embed with their applications that will check for some of the most common API attack patterns. So they'll actually, you know, you can create an API, include our library, and it will show you whether you're actually, um, performing good authentication checks. It will also kind of allow you the ability to block API traffic that is not going to a valid API endpoint. Um, APIs have these kind of substructures that really allow the execution of different functionality and the access to different data elements. And, you know, best practice is that API requests should only be allowed to valid destinations. And so we can help developers kind of trim down the amount of bot traffic that they get against their APIs, not allow bots to kind of scrape the API, if you will. Um, so these are some of the solutions that we provide for developers in addition to what I mentioned around kind of the the visibility and the risk assessment for, let's say, like information security teams or risk managers. Amen. And I
would like to ask you your a personal point of
view. What is the commonly
held belief or major misconception in the IP security field that you strongly disagree with? Or maybe some you see some kind of common mistakes that you kind of see. Just
to know. Yeah. 1.2s I think the the most common one that we see is that you can solve API security through network security. And there's a lot of kind of tools out there. Things like WAF, web application firewalls, they have good functionality for what they do. There's tools like API gateways. They provide some security checks. But when we look at the data around API breaches, we see that the vast majority and I mean like over 80% of the breaches come as a result of authentication and authorization problems or mistakes in data handling by the application. And the important thing to understand is these are application layer problems. And so when we think about trying to solve that through a WAF or through an API gateway, most of these breaches look like normal network traffic. So the WAF would not respond. The API gateway just keeps serving up API calls and the way that it should. So these network layer constructs, they don't have visibility or capability to understand the attacks that are at a one level higher at the application layer. That's the misconception that we hear a lot, and we see a lot of confusion in the market and in the messaging. And, you know, I have conversations with customers and prospects, and the first thing they ask me is, oh, well, I have a WAF. I should be safe, right? Well, you know, you may be safe if you're doing all the checks inside the application, again for authentication, authorization and data handling. But that's that's really what I would point to, Boris. 1.4s Thank you. All right, so
let's, uh, do, uh, go to in the future.
Where do you think that
your space, uh, API security as a whole is heading? What are the trends in the in the industry? And what should we expect from you guys in the future?
Yeah. Where I think it's heading is I think it's a space that's going to grow a lot. I liken it a lot to cloud security. So when I started in in cloud security in 2016, it was a very small percentage of of cloud customers who are buying security solutions. And we looked at the patterns and the characteristics of those customers. And they were the customers that were kind of the early adopters, the most advanced cloud customers in those days. And what do we see? You fast forward from 2016 to 2020 and it's now a mainstream need. So who's buying cloud security today? Everyone. Everyone who's using cloud. Right. And so we see that kind of pattern and that kind of evolution. We're we're I think with API security we are today where we were with cloud security in 2016. So who's buying API security today is really the early adopter. And that's fine. Uh, what we're going to see over the next two, three, four years is we're going to see API security, just like cloud security, become a mainstream need because these companies, they'll go through those cloud adoption cycles, they'll get to that point where they're more evolved and they're they're embracing more kind of cloud native architectures. And then they'll realize that the API represents the kind of the number one attack surface that they expose in their cloud environments. That's when it represents a huge part of risk, and that's when they need to kind of manage that risk by implementing the security tool. Second part of your question. What are you going to see from us? So we have kind of two main goals that we're really focused on. Number one is kind of helping information security, risk management teams, etc.. And number two is helping developers. So let me talk about the risk management and information security side of it first. We're at the beginning of kind of providing that continuous risk assessment around APIs. So what we do today we bring in visibility and we've started some assessment based on kind of traffic patterns based on traffic analysis etc., of what's happening in your APIs and allowing you to do some assessment and some categorization of risk around those APIs. There's actually multiple layers deeper that we can go on that side. We're starting to implement ML and AI models on the API traffic itself. Um, we do think that's going to bring more, let's say high fidelity and high quality assessment. Um, and I actually think this wave of, you know, the kind of open AI ChatGPT tools, um, is actually proving to be pretty beneficial in terms of analysis of of all of this data. I know there's a lot of hype around, let's say, writing songs with this stuff. But actually, if you look at, you know, kind of, let's say a smaller data set that is a little bit more structured and consistent, the quality is actually even better. So if you think about how good the quality is with a broad range of data, now limit the model down to kind of known data types and file formats, and you can get even higher fidelity. So so that's one thing we're going to continue to kind of like emphasize the continuous nature and the quality of the assessments. Right now we only support a couple cloud providers. Of course we want to increase the coverage so that, you know, wherever you're running APIs, whether that's AWS, Microsoft Azure, Google Cloud Platform, what have you. We want to provide you kind of the same capabilities right now. Honestly, our AWS support is better than our support for the other cloud providers based on customer demand. Then on the other side, which is to say the developer side, we're really serious about our our open source initiatives. We really want to make it easy for developers to ship secure APIs. And we've kind of aligned a lot of our open source work to the common API frameworks. So open API being kind of the most popular one right now. And we've shipped now four language versions of that. So we have open source libraries available for Python, for Node.js, for Ruby and for Golang. We actually want to expand code coverage on that side. We've had requests for rust for dotnet for Java. So we want to actually expand the library coverage across other code languages. We need to make sure that we support both serverless and kind of server and containerized environments. Right now our focus is much more on the server and container environments again based on customer demand. But we really want to make that like consistent. So whatever kind of architectural choices and code language you have, we give you this like easy paved path towards shipping a secure API. That's that's what I hope you'll see from us in the next couple of years. All right. Fantastic. So
if we summarize it, if someone who is listening to this episode would like to walk away with 1 or 2 major takeaways,
what would it be?
I mean, look, API security is already an area of concern for a lot of organizations, and if it's not a concern for you yet, it probably will be in the next couple of years. So getting educated, getting started now is not a bad idea. Um, to that end, we've actually published an API security report. Uh, it's an analysis of the last ten years. You can find that on our website. Uh, we publish a real time API breach tracker. Uh, you can find the link to that in the footer of our website. So if you're looking to kind of get started, get educated. That's where I would point to as a as a good starting point, even if this is maybe not like a high priority for you to implement today. You know, start thinking about it now. Start thinking about, you know, where those risks are going to come into your organization and maybe getting ahead of it. 1.2s
Two fantastic gentlemen
that were all my questions.
Perhaps if I forgot something and you would like to add anything that would benefit our audience, please go
ahead. No, I mean, I think you know, what we covered today really, really sums it up. I just, I think this is an important area for people to be aware of. And if you anybody has any questions, they're more than free to reach out to, to us at retail. My personal email is just Jeremy Jeremy at Fire Tail io happy to answer any questions, any feedback from the audience. And uh, yeah.
Thanks so much for the time today, Boris.
Thank you, gentlemen, and uh, hopefully we will cooperate with you guys and with global risk community, we'll have a continuously flow of, uh, content if you if your company are looking for content, uh, to distribute, you are welcome to post on our site at Global Risk community.com. We have blogs and discussions and a lot of articles. And if you provide if you do events you can post you also your events.
Awesome. Fantastic. All right.
Thank you very much.
If you like this episode, please give it five stars on your favorite podcast app. It will help us in spreading the word. Don't forget to subscribe to receive your notifications of future episodes straight to your phone. If you like to be connected with your peers, risk managers, and compliance executives from all over the world, make sure to go to our main site site at WW Global Risk community.com and click on the sign up button to to join in. There are some incredible conversations happening inside the community. If you work in a fast growing company operating in the risk management space and your job is to acquire new customers, generate thought leadership and awareness about your products and services. Consider to become our partner. He is a concept global risk community is looking to work with a limited number of innovative risk management companies interested in a new partnership model. What do I mean by that? We will put you in front, in front of our engaged community of more than 100,000 subscribers by using our multi-channel approach such as website, email, events, online business, social communities, video and podcasts, to name a few, you generate leads, awareness and advocacy. Everybody wins. Interested? Send your request to info at Global Risk consult.com. Last but not least, if you or someone you know will be an incredible guest on our show. Email us at info at Global Risk consult.com and let us know. We love connecting with risk and compliance executives, and we love sharing your perspectives and expertise. See you in the next episode.