In this conversation, Jon Scheele and F5's Field CISO Chuck Herrin discuss the critical importance of API security in today's digital landscape, where API traffic constitutes a significant portion of overall internet traffic. They explore the unique vulnerabilities associated with APIs, the relevance of OWASP's Top 10 for API security, and the evolving threat landscape that organizations face. The discussion emphasizes the need for visibility and discovery of APIs, the risks posed by third-party APIs, and the emerging vulnerabilities related to AI. Herrin highlights the necessity of understanding the architecture and attack surfaces to effectively manage security risks.

Takeaways

API traffic constitutes over 70% of overall internet traffic.
OWASP's Top 10 for API security is more granular than traditional web security.
Defenders often overlook API vulnerabilities due to legacy focus.
Visibility is crucial for understanding API exposure and risks.
Third-party APIs pose significant risks if not properly managed.
AI introduces new vulnerabilities that require updated security measures.
Organizations must understand their API architecture to protect against attacks.
Monitoring and governance are essential for API security.
The cybercrime economy is larger than the global drug trade.
Defense in depth remains a fundamental principle in cybersecurity.


Keywords

API security, OWASP, cybersecurity, vulnerabilities, third-party APIs, AI security, visibility, threat landscape, data protection, application security


Sound Bites

"APIs are just as much a cyber target."
"API traffic is now the majority of web traffic."
"You can't protect what you can't see."


00:00 The Importance of API Security
08:23 Understanding OWASP's Top 10 for API Security
16:27 The Evolving Threat Landscape of APIs
25:06 Visibility and Discovery of APIs
33:41 Third-Party API Risks and Management
42:00 AI and Emerging Vulnerabilities in API Security