• Securing Application Programming Interfaces (APIs)

  • Apr 10 2024
  • Length: 39 mins
  • Podcast


  • Summary

  • Application Programming Interfaces (APIs) play a vital role in modern software development, enabling the integration of services and the exchange of information between systems. APIs are now ubiquitous, and that prominence has also made them a target for cyberattacks. Jeremy Snyder, Founder & CEO of Firetail.io, joins me in discussing how to secure APIs effectively. Our discussion revolves around the following questions:

    What do we need APIs for? Why do we need API security? What are the consequences of lax API security?

    What are the risks of APIs today? How can we remedy current API security issues?


    Time Stamps

    

    00:02 -- Introduction

    00:49 -- Setting the Stage and Context for the Discussion

    02:26 -- Guest's Professional Highlights

    04:37 -- Overview of APIs

    09:12 -- Common API Security Risks and Vulnerabilities

    12:29 -- Design with security in mind

    13:23 -- Securing APIs

    13:36 -- Integrating Security into the Development Process

    13:52 -- Different Ways of Security Testing APIs

    17:08 -- Vulnerability Monitoring and Promptly Acting on Alerts

    19:22 -- Role of Humans in Acting on Vulnerability Alerts

    21:33 -- Staying on the Right Side of the Law

    23:37 -- Significance of Maintaining Logs

    25:36 -- Selecting Robust APIs

    27:59 -- Key Takeaways

    28:57 -- API Governance

    30:25 -- Zero Trust Approach

    32:10 -- Use of APIs in Leveraging Large Language Models (AI)

    33:41 -- API Governance and Taking Ownership

    36:12 -- Final Thoughts


    Memorable Jeremy Snyder Quotes/Statements

    "Application Programming Interface (API) -- It's basically the way two pieces of software talk to each other, that can be to send data from system A to system B, or that can be for system A to request system B to process something for it."

    "We've got sensitive data crossing the wires over an API, but we've also got critical business functions like processing credit card transactions over an API."

    "API's are pretty much happening behind the scenes, they enable a huge volume of interactions and transactions every day."

    "So we've been cataloging the API data breaches for the last couple of years. These breaches go back about a decade, or started about a decade ago, or let me say started to be recognized about a decade ago. And as we've catalogued them, we've kind of categorized them as well, to try to understand in each of these breach scenarios, what was the primary error or breach vector? How was the API breached? And if there's a secondary cause, or things like that, we look at that as well. Two of the main things that we see are really authentication and authorization."

    "Authorization turns out to be the number one root cause of data breaches around APIs. And this has been true for many years now."

    "Proactive security is always much cheaper than reactive security."

    "From the proactive standpoint, the number one thing that any provider of an API can do is actually just check the APIs before they go live."

    "You should actually pen test your APIs before they go live."

    "Very often, we find that APIs get shipped into production environments without going through either the static code analysis or the pre-launch testing."

    "The average time that a vulnerability existed in a production environment before being patched and updated was around 180 days."

    "The best practice that we recommend to customers about reacting to the logs or the alerts or the suspicious conditions that you're seeing in your logs
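    Snyder's two points above, that authorization is the top root cause of API breaches and that logs are only useful if someone acts on what they show, as an added example that is not from the episode, from Firetail.io, or from this listing: a hypothetical GET /invoices/{id} handler in Python, written once with the authorization check missing (the broken object-level authorization pattern) and once with it present, plus a small detection run over the audit log the hardened handler writes. The `Principal`, `InvoiceService` and the invoice records are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An already-authenticated caller: we know who they are, not yet what they may do."""
    user_id: str
    roles: frozenset = frozenset()


@dataclass
class Response:
    status: int
    body: dict


# Constructed sample data, not real records: invoices belonging to two customers.
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.00},
    "inv-1002": {"owner": "bob", "amount": 980.50},
    "inv-1003": {"owner": "bob", "amount": 45.00},
}


class InvoiceService:
    """Hypothetical GET /invoices/{id} handler in a vulnerable and a hardened variant,
    plus the audit trail the hardened variant writes (assumed shape, not a real API)."""

    def __init__(self, invoices=INVOICES):
        self.invoices = invoices
        self.audit_log = []  # one dict per denied access; what you would forward to a SIEM

    def get_invoice_vulnerable(self, principal: Principal, invoice_id: str) -> Response:
        # Authenticated but not authorized: the handler trusts the ID in the URL and never
        # asks whether this caller may see that object. Any logged-in user reads any invoice.
        inv = self.invoices.get(invoice_id)
        if inv is None:
            return Response(404, {"error": "not found"})
        return Response(200, {"id": invoice_id, **inv})

    def _may_read(self, principal: Principal, inv: dict) -> bool:
        # Object-level rule decided server-side, per object: the owner or an admin role.
        return inv["owner"] == principal.user_id or "admin" in principal.roles

    def get_invoice_hardened(self, principal: Principal, invoice_id: str) -> Response:
        inv = self.invoices.get(invoice_id)
        if inv is None or not self._may_read(principal, inv):
            # Same 404 for "missing" and "not yours", so the API is not an existence oracle;
            # the distinction is kept in the log, where defenders need it.
            self.audit_log.append({
                "event": "authz_denied",
                "user": principal.user_id,
                "object": invoice_id,
                "exists": inv is not None,
            })
            return Response(404, {"error": "not found"})
        return Response(200, {"id": invoice_id, **inv})

    def enumeration_suspects(self, threshold: int = 3) -> dict:
        """Detection over the audit log: a caller denied on `threshold` or more distinct
        objects looks like ID enumeration and should raise an alert for a human to act on."""
        denied = defaultdict(set)
        for entry in self.audit_log:
            if entry["event"] == "authz_denied":
                denied[entry["user"]].add(entry["object"])
        return {user: len(objs) for user, objs in denied.items() if len(objs) >= threshold}


def demo() -> dict:
    """Constructed scenario: alice walks a small ID space against both handlers."""
    svc = InvoiceService()
    alice = Principal("alice")
    probe_ids = ["inv-1001", "inv-1002", "inv-1003", "inv-1004"]
    leaked = [i for i in probe_ids if svc.get_invoice_vulnerable(alice, i).status == 200]
    allowed = [i for i in probe_ids if svc.get_invoice_hardened(alice, i).status == 200]
    return {
        "leaked_by_vulnerable": leaked,   # every invoice that exists, regardless of owner
        "allowed_by_hardened": allowed,   # only alice's own invoice
        "suspects": svc.enumeration_suspects(),  # alice, denied on three distinct objects
    }


if __name__ == "__main__":
    print(demo())
```

    The two handlers differ by one check, which is the whole point: authentication alone tells the vulnerable handler who is calling, and it still hands out every object in the ID space. The hardened handler collapses "missing" and "forbidden" into the same response on the wire but records which one it was, so that a run of denials from one principal across many IDs becomes an alert rather than an unread line in a log.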
