
At Postman's scale of 40 million developers generating billions of API requests, Sam Chehab, Head of Security & IT, centers on three enforcement domains: authenticated and encrypted data paths, zero-trust inter-service communication, and runtime instrumentation. His vendor evaluation is just as precise, cutting past feature lists to one demand: show me the architecture diagram and walk through exactly how your solution addresses my threat models.
Sam identifies why generative AI creates fundamentally new risk: the combination of private data access, untrusted content processing, and external communication capability. This trifecta explains why browser-based AI is nearly impossible to contain; it touches local machines, queries the open web, and executes actions on your behalf. Sam also covers how he screens for three traits he can't train: initiative to self-direct research, attitude to absorb constant setbacks, and aptitude to process how rapidly this field moves.
Topics discussed:
Implementing data path integrity, zero-trust inter-service authentication, and runtime instrumentation with immutable logs
Evaluating cybersecurity vendors by demanding architecture diagrams and specific threat model solutions rather than feature lists
Managing freemium platform security with anomaly detection, rate limiting, and abuse prevention across 40 million developers
Identifying AI security's dangerous trifecta: private data access, untrusted content processing, and external communication capabilities
Building MCP generators that enable least-privilege API servers by allowing developers to select only required methods before deployment
Using AI agents to generate security tests during development, shifting validation from security teams to automated testing
Applying security hygiene fundamentals before adopting specialized vendor solutions
Hiring security teams based on three unteachable traits: initiative, attitude, and aptitude
By Qohash