Our CEO and Co-founder, Giora Engel, joins Chuck Harold of Security Guy TV live from Black Hat 2022 to discuss the history of APIs, security flaws, and steps you can take to protect your API environment.
Chuck: Hi, everybody. Welcome back to Black Hat USA, 2022. Chuck Harold, securityguytv.com. This is episode 2,707. My next guest is Mr. Giora Engel. He's with Neosec.com. Welcome to the show, my friend.
Giora: Thank you for having me.
Chuck: Now, you're the CEO and co-founder. I always love speaking to co-founders and CEOs because you guys created the vision and now you're leading the company. You're going to speak to us about so many things you're passionate about and that’s why you started the company in the first place.
Today's topic is, you know, live from [Black Hat in] Vegas, but we're going to focus on APIs and what role APIs play in businesses. How has that changed in recent years?
I remember having APIs in the security business years ago and it was a big deal to get an API done. I had to write memos, and get everybody involved, and blah, blah, blah, and now everybody's got an API. And in fact, if you don't have an API, you can't do business. Give me a little history on how these things have changed and why it's become such an important tech factor.
Giora: So, APIs have been around for a long time. I mean, it's not a new invention, but what's new about APIs is the way that they're used today for digital transformation. And while APIs were used for web applications and mobile applications as the data infrastructure of these applications, today, people develop APIs to fuel B2B applications and machine-to-machine interactions.
So, almost every new type of product that companies deliver today includes some interaction between different microservices, both internally within the company, but also externally between your clients and your systems and between your business partners and your systems and so on.
So, APIs today are really the building blocks of digital transformation. They are the new network, the new communication channel.
Chuck: Now, my next question is what are some of the security issues associated with APIs? I think we put APIs in place thinking it's going to be convenient and maybe we didn't think about security code with APIs at first. What are some of the issues?
Giora: Yeah. So APIs, the first issue with APIs is that they expose your core business to the outside by design. So, regardless of any technological aspect of it, that concept of exposing the core of the code to the outside is really complicated from a security perspective.
On one hand, you want people to have access to your core data, you want your customers to be able to create transactions, but on the other hand, you need to do it safely so that all that sensitive data for national transactions is not going to be compromised. So the problem starts with the fact that it's a new model where you expose your internals to the outside by design from a business perspective.
Now, from a security perspective, the first problem that I know that is easiest to describe is lack of inventory, the fact that security teams today don't even have an inventory of which APIs are exposed to the outside. And that's such a basic problem that has to be solved because you can't protect what you don't see.
Chuck: I never thought about that as the problem. So, how did this get outta control? Why did people lose track of the visualization here? I mean, I kind of find it remarkable that they wouldn't know how many things they got pointing outside.
Giora: The issue is that they have so many APIs and there's so many changes in their APIs. Because of business reasons, they have to change and adjust and create new capabilities on a daily basis, and sometimes, you know, even more than once daily.
And keeping track of it is not possible anymore using the traditional methods of managing assets, so you need a technology that can help you to actually see what are these APIs, how do they change over time, and for that you need new capabilities and new technologies.
Chuck: So let me know how organizations can ensure that their sensitive data is not being exposed through their APIs. What do they do to get a handle on this because they do know it's a problem, right? It's not an awareness issue, is it?
Giora: Yeah. Yeah. I mean, they do. They know that it's a problem and the reason why they know is typically because these core services are really the basic business of the company. For example, if you're a payment company, all these payment transactions are your business. If you're a healthcare company, that access to patient data and interoperability, these are all regulated things that you have to provide. So they know about the problem. Now, what can they do?
So, I think it's always important to start with discovery, finding out what are your APIs, making sure that you can see how they change over time and you're aware of these changes, and, if something is not documented, making sure that you can see it.
Then once you solve that problem of discovery, which is, of course a recurring problem, it's something you need to do continuously, you need to make sure that you don't have any open vulnerabilities that basically expose your APIs to attacks from the outside.
And the third component is focusing on these abuse cases because your business is linked to these APIs, these APIs can be abused, and can create situations that have an adverse effect on your business. So identifying what it means for your business if your API is not used in the right way and preventing that from happening is kind of the higher level of protecting your APIs.
Chuck: Do you think that some businesses have a better handle on this? I mean, I'm thinking the financial industry must be better at keeping track of this because of the high level of risk, right? If we lose our banking data, that's a problem, but maybe not. Do they kind of suffer from the same API fatigue, so to speak?
Giora: From my experience, they suffer from the same problem, and the reason is that they have a lot of experience and controls in their web and mobile infrastructure that they built over the years. And I think online banking has been there for a long time, so there are a lot of good practices and solutions there.
But the problem is that all that knowledge and tooling is actually not effective against B2B APIs. And most of what financial institutions develop today is new products and new features for their customers, what they call digital sometimes, or open banking, open finance, all of those are B2B APIs.
And the controls that they use for web applications don't really work well for machine-to-machine interactions and these types of new channels.
So, this is where they have a huge gap and because they build so much new stuff, as a result of expanding their business and their capabilities, they're typically even more exposed than other types of companies.
Chuck: Mr. Giora Engel, he's the CEO and co-founder of Neosec, that's neosec.com, live from Black Hat USA, somewhere around the perimeter of the show floor. And we're gonna make this up to you, my friend. We're gonna do a post-production show and get a better WiFi for you and get the word out. So, thanks for coming on the show. And make sure you guys find their booth or suite and say hi. Good luck.
Giora: Thank you. Thank you very much.
Stay tuned for the next episode with Chuck and Giora!