Starting late last year, Antigen CEO Steven Legg was joined by Antigen’s Tim De Block for a podcast in which they discussed all matters relating to cyber liability insurance and the security controls organizations need in order to be insurance-ready. If you missed an episode, just visit our YouTube page to see the original recordings!
While you are waiting for the next episode to drop, here’s an excerpt from one of our November episodes, in which Steven and Tim are discussing API Security, and everything that comes with it. Both the video version and text version are below. Be sure to subscribe if you found the information to be helpful.
Timothy DeBlock (Host): Welcome to the Antigen Cyber Podcast. I’m Timothy DeBlock, director and advisor at Antigen. With me today, as always, is Steven Legg, the CEO of Antigen Security. Steven, how are you doing?
Steven Legg (CEO): Well, Tim, how are you?
Timothy DeBlock (Host): Good. I think for this one, we’re kind of reversing roles. Let’s talk a bit about API security. So, let’s get right into it. What is API security specifically or how would you define it?
Steven Legg (CEO): APIs, or application programming interfaces, have been around for a long time. They are a crucial part of application development and security. If you think of a restaurant analogy, the back end is like the kitchen, the storefront is where you access the APIs, and the APIs themselves are like waiters. The menu is the documentation. APIs allow seamless integration of different services, both internally and externally. API security is about ensuring that these APIs aren’t abused.
APIs represent the next evolution in application development and security. They improve security by reducing issues like SQL injection and cross-site scripting. The security focus has shifted towards authentication and authorization. Identity is crucial, following the zero-trust model, and ensuring users are properly authenticated and authorized to use the APIs.
APIs come in various types like REST, SOAP, and GraphQL, and their selection depends on the specific needs of the project. API security involves documenting, testing, and ensuring proper authentication and authorization. It also extends to identifying and addressing abuse cases, which may not be traditional security vulnerabilities but can still impact the business.
Timothy DeBlock (Host): That makes total sense. So, for organizations considering API security, when should they start thinking about their API security strategy?
Steven Legg (CEO): APIs are pervasive in today’s technology landscape, so organizations should start thinking about API security as soon as they begin using or developing APIs. It’s not limited to software development; it involves everyone from GRC teams evaluating third-party APIs to developers creating internal APIs. Inventory management and understanding how data is used within the organization are critical starting points.
Timothy DeBlock (Host): Are there any common abuse cases that organizations should be aware of when dealing with APIs?
Steven Legg (CEO): Abuse cases can vary depending on the application. Threat modeling is essential for identifying potential abuse cases. For example, leaked customer information through an API can be a severe abuse case. Pentesters play a crucial role in identifying and testing potential abuse scenarios. Unit tests are valuable for developers to prevent abuse cases, and threat modeling should be an ongoing practice.
Timothy DeBlock (Host): Great insights. Is there anything else critical for people to know about API security or APIs in general?
Steven Legg (CEO): The API security tooling landscape is maturing, and it’s essential to monitor how it evolves. API security might become its own discipline due to its growing significance. Organizations should consider forming dedicated teams or including API security within existing teams based on the complexity and scale of their API usage. Finally, managing API security involves understanding the business goals, identifying sensitive data, and prioritizing risks accordingly.
Timothy DeBlock (Host): Perfect. Thank you, Steven, for the valuable insights. That concludes our discussion on API security today. We hope to see you next time.
