Sign up to save your podcasts
Or
Share API Security
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
API Security
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-api-security/)
APIs are gateways in and out of our kingdom and thus they're also great access points for malicious hackers. How the heck do we secure them without overwhelming ourselves?
Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Roey Eliyahu, CEO, Salt Security.
Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.
On this episode of Defense in Depth, you'll learn:
- The skill set needed to secure APIs is different than web security.
- The move towards the cloud, DevOps, and the need to have security tools talk to each other has brought a lot more attention to the need for API security.
- Like in all areas of security, just knowing what you've got is a struggle. Same is true with APIs.
- Just knowing what APIs you have is not enough. You must know their functionality. Map your APIs to the systems and the data their transmitting.
- How aware are your developers of the pitfalls of API misuse?
- There's a myriad of security options but start with strong authenticate using hash-based message authentication.
- Much of the advice we got was simply shrinking the API attack surface. This can be done by either limiting the functionality of the API or removing unused APIs.
- The "review the code" advice that we heard often is sadly not realistic. APIs are resistant to both automatic and manual code review.
- API security seems like a 300 or 400 level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.
View all episodes
By David Spark, Steve Zalewski, Geoff Belknap
4.8
7373 ratings
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-api-security/)
APIs are gateways in and out of our kingdom and thus they're also great access points for malicious hackers. How the heck do we secure them without overwhelming ourselves?
Check out this post for the basis for our conversation on this week's episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest, Roey Eliyahu, CEO, Salt Security.
Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.
On this episode of Defense in Depth, you'll learn:
- The skill set needed to secure APIs is different than web security.
- The move towards the cloud, DevOps, and the need to have security tools talk to each other has brought a lot more attention to the need for API security.
- Like in all areas of security, just knowing what you've got is a struggle. Same is true with APIs.
- Just knowing what APIs you have is not enough. You must know their functionality. Map your APIs to the systems and the data their transmitting.
- How aware are your developers of the pitfalls of API misuse?
- There's a myriad of security options but start with strong authenticate using hash-based message authentication.
- Much of the advice we got was simply shrinking the API attack surface. This can be done by either limiting the functionality of the API or removing unused APIs.
- The "review the code" advice that we heard often is sadly not realistic. APIs are resistant to both automatic and manual code review.
- API security seems like a 300 or 400 level security effort. Smaller companies that don't have a security operations center (SOC) may simply not be able to handle it and will need to outsource their API security and SOC needs to a third party or managed security service.
More shows like Defense in Depth
View all
Hacked
186 Listeners
Security Now (Audio)
2,011 Listeners
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
370 Listeners
Risky Business
372 Listeners
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
652 Listeners
CyberWire Daily
1,026 Listeners
Smashing Security
318 Listeners
Click Here
419 Listeners
Darknet Diaries
8,075 Listeners
Cybersecurity Today
177 Listeners
Hacking Humans
316 Listeners
CISO Series Podcast
195 Listeners
Cybersecurity Headlines
139 Listeners
Risky Bulletin
45 Listeners
Hacker And The Fed
167 Listeners