Securing the API Industry 

This post was written by: Jake Sparkes

On Episode 6 of The Cyber Security Matters Podcast we sat down with Chuck Herrin, the CTO of the industry-leading API security business WiB. Chuck has over 15 years of experience in senior and board-level IT security roles, and now sits as an advisory board member for multiple organisations in the cyber security space. He has acted as an attacker, a defender and, most recently, a builder. With so much knowledge and expertise in the space, we were fascinated to hear his insights into the API industry.

What is your take on the state of the API security space at the moment? 

It’d be great if there was some API security. I’m being flippant, but it’s another example of history repeating. The most recent example of this phenomenon is when we knew for 10 to 15 years that adoption of the cloud was inevitable. There are so many benefits and cost savings, we all knew it was going to happen. For some reason, defenders didn’t try to figure out how to do it safely. They resisted the change. We saw all kinds of issues and eventually had to catch up. People are still really worried about cloud issues. I saw an article that said around 94% of companies anticipate having a cloud breach in the next 12 months.  

APIs are experiencing the same phenomenon. The adoption is inevitable because the benefits are massive. There’s no way that we aren’t going to rapidly continue to adopt API and microservice-based architectures. The point of business isn’t security, the point of business is delivering value. If you aren’t adopting APIs and microservices, you’re gonna be out-competed and you won’t survive, and if you adopt it incorrectly or insecurely, you’re exposing your back-end systems, data and business logic. Adoption right now is rapidly outpacing security.

We’ve been doing threat modelling for 20-25 years, and we know that you need to know your assets, actors, interfaces and actions in any environment or ecosystem. Then you see who’s doing what to what, via what, and the AI and API interface. Lots of APIs are completely unmanaged and unmonitored. APIs and their adoption made it around the world before security teams got their boots on. Now we’re frantically trying to help companies catch up and keep up. It’s like a one-legged man chasing a rabbit: the longer it goes on, the further apart they’re getting. While we’re working really hard to solve these problems at a macro level, it’s only getting worse. We’re not catching up.

Where do you see the API security space in 10 years time? 

I really hope that we can close these blind spots and treat API security the way we should. APIs exist to make developers’ jobs easier, and they do a great job of that, but if you don’t know what’s exposed to the outside world, you can’t monitor it or manage it. We’ll catch up eventually because we have to.

What I’m hoping for in the interim period is that we don’t have massive national crises, critical infrastructure implications or life safety issues. There are safety issues at the individual level where people’s data is exposed. Bad actors could figure out how to abuse these APIs and target API abuse at political figures. We have critical infrastructure issues with water treatment, or the power grid, or nuclear plants, where a lot of companies that have been around a while are going to introduce APIs to their systems and there will be a risk. I worry about those attack surfaces more as a citizen than as a software vendor, because if something goes wrong there we’re going to have to figure this out as a species. I hope we can address these security risks before that happens.

To hear more about the state of the API industry and Chuck Herrin’s work in protecting it, tune into the full episode of The Cyber Security Matters Podcast.  

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes, and don’t forget to subscribe.
