Exploring the Relationship Between APIs and Cyber Security

APIs are a growing part of the tech industry, and they affect a number of areas, including Cyber Security. On Episode 20 of The Cyber Security Matters Podcast we spoke with Jeremy Ventura, Director, Security Strategy & Field CISO at ThreatX, about how the rise of APIs is affecting the Cyber Security space. Jeremy has over 10 years’ experience in the Cyber Security industry, beginning his professional career as a security analyst for the defence-based manufacturing business Radian before working his way up to his current position. He’s also the host of ThreatX’s eXploring Cybersecurity podcast, making him an experienced and informed member of the Cyber Security community. Read on for his insights on APIs.

What should a regular person know about API security and how it affects the world around them?

We use APIs every single day, but most consumers, especially if you’re not technical, won’t realise it. Let’s think about ease of use. If I want to pay a bill I’ll do it with one of the three credit cards that I have. When I’m on an app, I’m just selecting whether I want to pay with Apple Pay or my Chase card or my Amex card, whatever it might be. Those payments are all API connections. Here’s another good one: when you call an Uber or a Lyft, they’re looking for the closest Uber in your geolocation and the fastest route. Those are all API connections that are pulling that data down. Think about your phone – when you look at the weather today in your location, that uses API connections to pull together your geolocation and the weather from different weather providers. So even though APIs are all out there, they’re pretty much hidden by design. We use APIs on an everyday basis – probably hundreds of them on a normal day.

Now, when it comes to API security, that’s where individuals need to be conscious. Just because it’s easy to use doesn’t mean it’s always secure. APIs in general are designed to connect multiple systems together and send business logic or business data. That’s not anything insecure. However, those transactions that are sent in the background sometimes can contain sensitive company information, or what we call PII, personally identifiable information. That’s things like usernames, passwords, credit card numbers, social security numbers, whatever it might be. That’s why the API security space is so hot right now, because they’re designed to send potentially sensitive data to each other. If that process or transfer is not secured properly, then we have big problems. Every individual – technical or not – needs to be aware of everything they’re putting out there on APIs. Your information is being sent to and from multiple different companies or products, which is a risk.

What is your take on the current state of the API space generally?

APIs are nothing new – they have been around for decades now. API security, though, is fairly new. That’s where we’re starting to see a lot of security vendors either incorporate technology that can help them in the API security space, or we’re seeing a lot of big companies being completely transparent.

I think with that we’re going to see a lot of acquisitions happen pretty soon as well. That’s normal when you have hot, new emerging technologies that are solving real world problems. Why wouldn’t I want to get my hands on that if I’m the largest security vendor? This is when the market can get a little confusing, where you have a lot of different vendors saying, ‘Hey, I do API security’, but they all do it differently. My recommendation is that when you’re evaluating vendors or you’re valuing the space, make sure you’re getting tools and products and services built with that in-depth approach. No one security tool is ever going to be perfect, so it’s important to take a layered approach. 

How much does AI affect API security?

AI in general is definitely affecting security. One thing I’ll be clear about is that attackers and hackers alike have been using AI for a long time. It’s actually nothing new. What’s happening now is that typical security may be a little bit behind. Now they’re starting to ask ‘how can I incorporate AI in my security tools like a security vendor? Can I incorporate AI into my products?’ 

An incident response company just announced that they included AI in their responses. They can create playbooks on the fly based upon the data that someone enters. Maybe I’ve experienced a phishing incident and I need to know who to contact. The AI model within that tool will actually spit out the exact task or runbook that you need to do. If it’s used correctly, especially in security tooling, AI can definitely have an extreme power and effect for end users.

Just like anything though, AI can also create a lot of false positives. We need to be very careful about 100% relying on AI and saying ‘this is the be all and end all’, because AI isn’t right all the time. AI in general security, including API security, is definitely starting to have an effect on both the security vendor side and the end user side.

To learn more about how APIs are affecting the Cyber Security space, tune into The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes, and don’t forget to subscribe.

Improving Accessibility in NewSpace

Accessibility is a key issue in the NewSpace industry. With a number of different applications for satellite technology, there is an increasing focus on enabling smaller players to enter and access the NewSpace sector. On Episode 20 of The Satellite & NewSpace Matters Podcast we spoke to Nathan Monster, the CEO and Founder of A-SpaX (which means Affordable Space Access), about the company’s aims to make the opportunities that space offers accessible to as many people as possible. They offer an end-to-end service that spans from pre-launch to delivery. Nathan also shared how we can improve accessibility as an industry.

What’s been the biggest change in the industry that has made space more accessible to date? 

Access to space has improved with the transportation from Earth to low Earth orbit. There are more frequent launches going into orbit from more commercial companies who have developed their own launchers that go through to space. There are hundreds of rocket companies now. There has been a lot of investment in the space industry too, particularly going into launchers. I’m hoping that now that we’ve gotten into space, people will start to think about the return. Questions like ‘While you’re in orbit, what are you going to do there?’ are really important. For me the answer is production and bringing the results back to people on Earth.

What has enabled accessibility more, small satellite launches or rideshare opportunities? 

It’s a complex situation because of the amount of investment that has occurred. So many commercial companies now have the chance to create a difficult transportation system, launch things and reach orbit. That should be a good thing, but it often goes wrong. Having all this competition does bring down the cost and enable a lot of commercial activity, which makes the industry more accessible, but there are downsides too. It’s the investment itself that has created more accessibility rather than rideshares or launches, but I’m interested to see which method will continue to grow accessibility in the space. 

What are the barriers to accessibility and what needs to be done to remove them?

The biggest barrier is making sure a rocket is safe and in a good state. All these commercial companies need to have systems and checks in place to make sure they’re successful. As an industry we need to support these companies so that they have the chance to reach a certain point where these protocols are in order and their systems can mature. That requires quite a lot of capital, and there will be failures along the way, but we need to expect and allow that. We need to keep backing them until they’ve built a protocol to make sure that everything is ready before the launch and is done in a proper order.

To learn more about accessibility in space, tune into The Satellite & NewSpace Matters Podcast here


Automotive Connectivity

As smart technology advances, connecting devices while they’re on the move is becoming a priority within the Connectivity industry. On Episode 12 of The Connectivity Matters Podcast we spoke to Rafet Lakhdar, the Vice President Quality & Operations at Rolling Wireless, about how they are solving connectivity issues in the automotive space. Here are his insights: 

What specific things do you have to do to ensure that a connectivity solution meets a car manufacturer’s quality standards?

The automotive industry is often said to be requesting military quality levels for a consumer price, which means that you are going in two opposite directions to hit those targets. This is where you need to differentiate yourself by making the big jump between low cost and extremely high quality – which is where the matter of quality becomes so critical. 

The first pillar of quality is reputation. These car manufacturers need to protect their reputation – they cannot afford to be in the newspaper for recalls or for poor quality and so on, because consumers are very sensitive to that. This applies to the whole ecosystem behind the connectable technology. This is where we are proud to say that we have reached what we call a 10 PPM level, which means that we can guarantee that out of 1 million units you will not see more than 10 of them having an issue, which is about what the automotive segment is looking for. You have to be reliable to sell to automotive companies.

The second pillar is financials. If you have a good quality standard you are optimising your production and you don’t have yield loss, so you could become competitive. If that is not the case you will be beaten by the competition because they could provide a better price. You need to be sure that you have made a superb optimisation of your production so that you run it at the lowest possible cost. If you look at the financials, you could say that quality is part of sales, because when you go up against the competition, you will be matching your competitor to a penny. What will differentiate you is the quality level that you can bring to the table when things are the same price.

The last pillar is innovation and expertise. If you think about quality, that means making sure we follow the processes during fabrication to ensure that every product meets those standards. We have to set specifications, but if you limit yourself to this, you miss a big part of what you can do in this industry. However, we have transformed quality into expertise. We provide expertise to the designers and optimise our cost. We provide expertise on how to make our product more reliable, so that the carmaker could use our product for 5, 10, or 15 years without suffering issues, and without issues over the long range. That is what is important when you think about quality – it lasts. We provide a quality service by providing expertise to the company for a long time, rather than just giving them one product and limiting ourselves in that way.

What does tomorrow’s connected car actually look like? 

I think the car of the future will be safer and more environmentally friendly, and V2X will participate in that future. It will generate softer driving behaviour because cars will be able to anticipate things, therefore reducing brutal acceleration or massive braking caused by people picking up the information at the last minute. Also, it will become much safer. V2X creates more alert systems, which should also help reduce collisions and traffic jams.

Some people say cars will become a computer on four wheels. I think it will become an entertaining mobility moment. We’re trying to reduce the hassle of driving that makes people tired of it, and allow them to enjoy a mobility ride with infotainment, watching a movie or listening to some nice music, but also with the ability to get information on your destination while you drive. The car can point out things that are happening on your trajectory or relieve that stress by going into autopilot while you focus on preparing for your arrival. It will make driving far more entertaining. 

To learn more about connectivity in the automotive industry, tune into The Connectivity Matters Podcast here


Securing the Cloud in Cyber Security

Securing the Cloud is a major challenge across the Cyber Security industry. On Episode 19 of The Cyber Security Matters Podcast we spoke to Abhishek Singh, the Co-Founder and CEO of Araali Networks, about how Cyber Security professionals are navigating the growing challenges of keeping the Cloud secure. Abhishek has 25 years’ experience in Cyber Security, including a period in which he led a team to build a data-centre-scale platform to enable micro-segmentation and security in a virtual machine environment. This wealth of experience gives him some great insights into the current issues around securing the Cloud.

Could you explain what zero trust is and what the biggest problems are with implementing it?

Zero Trust has become a buzzword. Zero trust people say ‘trust nothing’, but zero trust is fundamentally a networking concept. That concept is actually very simple. Imagine it as a castle-and-moat problem, where you have a castle and a moat around it called a perimeter. Everything inside the castle is trusted. Everything outside the perimeter is untrusted. If you have to come into the castle, you come through a firewall, and then you are trusted. So it is a networking concept which relies on perimeter security and having an open interior.

The problem with that approach is that your perimeter has to be perfect. If there’s one bad guy coming in, you’re in trouble. If one Trojan horse seeps in, you’re in trouble. If you’re building a zero trust environment you have to keep your controls inside out. Even if your environment is not pristine, every resource has to defend itself. 

The Cloud is very zero trust friendly in that it denies access by default, so if you want to expose anything online you have to explicitly open it up. However, egress is open. And that is the problem with zero trust, it’s too hard to close down egress. So if someone is already inside, going out is free, and that is what attackers abuse. So in spite of Cloud being very different, very novel, very thought through and upfront, egress is open. And that is the fundamental problem. 
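The open-egress problem described in the answer above, as an added example that is not part of the original post and not Araali Networks’ code: a small Python audit that walks security-group records in the shape of the AWS DescribeSecurityGroups response (field names assumed, sample data constructed) and flags every egress rule whose destination is unrestricted, whatever the protocol or port.

```python
"""Flag cloud security groups whose egress is wide open.

Added example, not from the podcast or Araali Networks. The record shape
mimics AWS EC2 DescribeSecurityGroups output; the groups below are
constructed samples and the field names are assumptions.
"""
from ipaddress import ip_network

# Constructed sample: the first group is the typical default (all traffic
# anywhere), the second narrows the port but still reaches any host, and
# the third only allows HTTPS to an assumed egress proxy range.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-default-open",
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
        ],
    },
    {
        "GroupId": "sg-https-anywhere",
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
        ],
    },
    {
        "GroupId": "sg-egress-restricted",
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.0.0/24"}]}
        ],
    },
]


def is_unrestricted(cidr: str) -> bool:
    """True when a CIDR covers the whole IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def open_egress_findings(groups):
    """Return one (group_id, protocol, cidr) tuple per egress rule whose
    destination is unrestricted. Narrowing the port does not clear a rule:
    a host that can reach any address on 443 can still exfiltrate."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissionsEgress", []):
            proto = rule.get("IpProtocol", "-1")  # "-1" is AWS's all-protocols wildcard
            cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr and is_unrestricted(cidr):
                    findings.append((group["GroupId"], proto, cidr))
    return findings


if __name__ == "__main__":
    for gid, proto, cidr in open_egress_findings(SAMPLE_GROUPS):
        print(f"{gid}: egress {proto} to {cidr} is unrestricted")
```

Against real accounts the same function can be fed the `SecurityGroups` list returned by the EC2 API; a group that produces no findings is one where egress has actually been closed down.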

What do you see as the biggest challenges in securing the cloud itself?

The real question is, ‘is the Cloud more secure?’ That is the biggest thing that people need to understand, and there is no straight answer. Depending on who you ask, they will give you a different answer. Many people believe the Cloud is more secure because Amazon has done a lot of good work there, and other cloud providers have followed suit. But the real rub there is, it’s as secure as you make it. Security is a shared responsibility, and Amazon is very clear about it. They are saying ‘we have given you the tools to make it secure’, but they have not done your work for you. Amazon has not secured your stuff. Coming from an on-prem background, when you go into the Cloud where there are new paradigms, it’s very hard to fulfil your shared responsibility. If you have not done so, Cloud is not more secure. 

The other challenge is attackers. On-prem Windows is a fertile ground for attackers to be doing things. They have not exploited Cloud. At some point, though, that’ll change. Things like the SolarWinds supply chain attacks used to be science fiction, right? The cloud is like that – it’s waiting to explode. It’s not that it’s more secure – it’s just that attackers have not diverted their attention to it yet. They’re still trying to go after Windows workloads on-prem. The moment they come to Cloud, there’s a lot to be had.

Why do you think businesses like Wiz have had such success over the last few years?

So the reason Wiz has been successful is because of simplicity. Security has been very cumbersome over the years. Orca was the first company who came out and said, ‘We’ll give you a Cloud account, and without any agents we’ll go and survey it and show you visibility’. The ease of use itself was very compelling. My problem with that approach is that by showing your Cloud position, you’re making yourself more vulnerable. I know I’m vulnerable. I did not need to see a picture to get that insight. The thing I need to know is: how do I not become exploitable? How do I remediate my vulnerabilities? That is still a hard problem, because the Cloud is hard. It’s difficult, which is why it is vulnerable. Showing me my visibility is not helping me become less vulnerable. The thing we should focus on is remediation, and that’s the language of zero trust. The reason this became so popular is because of the ease of installation in a world where Cyber Security is hard to work with. Time to value is unspoken.

To learn more about securing the Cloud, listen to Episode 19 of The Cyber Security Matters Podcast here
