07-09-20 - My APIs Will Secure Themselves When They're Good and Ready
My APIs Will Secure Themselves When They're Good and Ready
This week's episode of Defense in Depth
API Security
On this episode of Defense in Depth:
Co-host Allan Alford and sponsored guest Roey Eliyahu, CEO, Salt Security, discussed:
The skill set needed to secure APIs is different from the one needed for web security.
The move towards the cloud, DevOps, and the need to have security tools talk to each other has brought a lot more attention to the need for API security.
Like in all areas of security, just knowing what you've got is a struggle. Same is true with APIs.
Just knowing what APIs you have is not enough. You must know their functionality. Map your APIs to the systems they touch and the data they're transmitting.
How aware are your developers of the pitfalls of API misuse?
There are a myriad of security options, but start with strong authentication using hash-based message authentication (HMAC).
Much of the advice we got was simply shrinking the API attack surface. This can be done by either limiting the functionality of the API or removing unused APIs.
The "review the code" advice that we heard often is sadly not realistic. APIs are resistant to both automatic and manual code review.
API security seems like a 300 or 400 level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.
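The discussion points above mention starting with hash-based message authentication and shrinking the attack surface, but do not show what request signing looks like in practice. The following is an added example written for this post, not code from the episode or from Salt Security. It assumes a shared secret per API client (a constructed placeholder value here) and a constructed canonical form made of method, path, timestamp and body digest; both names and the header names are assumptions for illustration. The verifier compares digests in constant time and rejects stale timestamps so that a captured request cannot simply be replayed later.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed shared secret for illustration only; a real deployment issues one
# per client and keeps it in a secrets manager, never in source control.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Maximum allowed drift between the request timestamp and server time (seconds).
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Build the exact bytes both sides sign: method, path, timestamp and a
    SHA-256 digest of the body, newline-separated so fields cannot run together."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> dict:
    """Client side: return the headers (assumed names) a caller attaches to the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes, headers: dict,
                   now: Optional[int] = None) -> bool:
    """Server side: recompute the MAC over what was actually received and compare
    in constant time; reject missing headers and timestamps outside the skew window."""
    current = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay attempt
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample request.
    body = b'{"amount": 10}'
    headers = sign_request(SHARED_SECRET, "POST", "/v1/transfers", body)
    print("genuine request accepted:", verify_request(SHARED_SECRET, "POST", "/v1/transfers", body, headers))
    print("tampered body rejected:", not verify_request(SHARED_SECRET, "POST", "/v1/transfers", b'{"amount": 9999}', headers))
    print("replay after window rejected:", not verify_request(SHARED_SECRET, "POST", "/v1/transfers", body, headers,
                                                              now=int(headers["X-Timestamp"]) + MAX_SKEW_SECONDS + 1))
```

Because the body digest is part of the signed string, any change to the payload in transit invalidates the signature, and because the method and path are included, a signature for one endpoint cannot be reused against another; the timestamp check bounds how long a captured request stays useful.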
Thanks to this week's sponsor of Defense in Depth, Salt Security.
Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection, Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.
Upcoming CISO Series Video Chats
TOMORROW, Friday [7-10-20] Hacking Passwords
for an hour of critical thinking on eliminating password failure and improving access with my guests Ori Eisen, CEO, Trusona and Alex Manea, former CSO, Blackberry and now chief security and privacy officer, Georgian Partners.
As always, we'll have an active chat room and we'll be playing our best bad idea game, "Department of YES". And it all starts at 10 AM PT/1 PM ET.
Huge thanks to our sponsor, Trusona.
Register for our future Friday video chats:
7-17-20: Hacking Active Directory
7-24-20: Hacking Automation
Best Moments from “Hacking API Security” Video Chat
Here are six minutes of the best moments from "Hacking API Security: An hour of critical thinking on protecting the connective tissue of corporate data”.
To watch the entire video chat and see the discussion, go here.
Much of the conversation stemmed from my earlier article, "25 API Security Tips You're Probably Not Considering."
Joining me in the discussion were Nir Valtman, VP, head of product & data security at Finastra, and Roey Eliyahu, co-founder & CEO, Salt Security. Thanks again to Salt Security for sponsoring.
SUBSCRIBE TO BOTH PODCASTS
Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.
If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.