CypherCon 2023
A Hole In The Boat – How APIs Threaten Everything
Richard Bird
Abstract:
Application programming interfaces (APIs) have been in the wild for more than a decade, but their use exploded during the pandemic. After decades of acquiring, deploying and managing security for every variation and evolution of application and infrastructure deployment model – from air gapped to cloud native – APIs are now poised to upend years of work and investment. Richard Bird focuses on the why, what and what next required to secure assets, data and systems in a world that has only begun to realize that the application layer is woefully insecure. API security is truly at the “password in clear text” level of maturity in the vast majority of companies and agencies around the world. And yet, the risk that APIs represent and the exponential growth in the attack surface available to bad actors barely registers as a concern for most of those same companies and organizations. Solutions are just beginning to emerge, long-time security solutions providers are trying to extend into API security and most organizations have no structure to manage or govern APIs. Learn about how to attack the problem and what pitfalls to avoid in the early development of your API security program.
Importance: API security is barely registering as a need, anywhere. Yet, just like OSS, the catastrophic consequences of failing to apply security controls, standards and processes around APIs are racking up. Most enterprise organizations today stick their fingers in their ears when API risk is discussed and then loudly proclaim “I’m not listening… lalalalalalalala…” This talk is intended to sound the alarm bell for attendees and draw attention to the fact that the continuous evolution of virtualization has driven the threat surface to the application layer – and modern security architectures (which are really more than 20 years old) simply can’t address the problem.
Richard Bird
I am the API captain!
Richard Bird is known as “The Guy With the Bow Tie” all around the world. A prolific presenter and speaker, Richard is the Chief Security Officer for API security leader Traceable.ai and a rare multi-time C-level executive in both the corporate and start-up worlds. Richard is internationally recognized for his expert insights, work and views on API security, zero trust, data privacy, and digital identity. He is a Senior Fellow with the CyberTheory Zero Trust Institute, a Forbes Tech council member, and is interviewed and quoted frequently by media outlets around the world, including the Wall Street Journal, CNBC, Bloomberg, The Financial Times, Business Insider, CNN, NBC Nightly News and TechRepublic.