Jul 9, 2020
All links and images for this episode can be found on CISO
APIs are gateways in and out of our kingdom and thus they're
also great access points for malicious hackers. How the heck do we
secure them without overwhelming ourselves?
this post for the basis for our conversation on this week’s
episode which features me, David Spark (@dspark), producer of CISO Series,
Alford (@allanalfordintx), and
sponsored guest, Roey
Eliyahu, CEO, Salt
protects the APIs at the core of SaaS, web, and mobile
applications. By using patented behavioral protection Salt Security
automatically and continuously discovers and learns the granular
behavior of each unique API and stops attacks. In 2020 Salt
Security was named a Gartner Cool Vendor in API Strategy.
On this episode of Defense in Depth, you’ll
- The skill set needed to secure APIs is different than web
- The move towards the cloud, DevOps, and the need to have
security tools talk to each other has brought a lot more attention
to the need for API security.
- Like in all areas of security, just knowing what you've got is
a struggle. Same is true with APIs.
- Just knowing what APIs you have is not enough. You must know
their functionality. Map your APIs to the systems and the data
- How aware are your developers of the pitfalls of API
- There's a myriad of security options but start with strong
authenticate using hash-based message authentication.
- Much of the advice we got was simply shrinking the API attack
surface. This can be done by either limiting the functionality of
the API or removing unused APIs.
- The "review the code" advice that we heard often is sadly not
realistic. APIs are resistant to both automatic and manual code
- API security seems like a 300 or 400 level security effort.
Smaller companies that don't have a security operations center
(SOC) may simply not be able to handle it and will need to
outsource their API security and SOC needs to a third party or
managed security service.