The API Security Buzz: Dispelling What Matters Most with Wib’s Chuck Herrin

With Black Hat, the globally renowned cybersecurity conference series, taking place this week, discussions surrounding security best practices are at the forefront. Naturally, we couldn’t miss the opportunity to join the conversation and invite esteemed security expert Chuck Herrin onto the podcast.

Chuck, who serves as the Chief Technology Officer and board member at Wib, joined us to delve into his company’s approach to API Security. With a primary focus on API penetration testing and adversarial emulation, Chuck’s career trajectory evolved from an attacker to a builder and defender.

In his role as CTO at Wib, Chuck concentrates on introducing the next generation of API security solutions to the market. During our discussion, he shared invaluable insights into handling API security effectively and addressed some of the pressing questions on everyone’s minds.

Is Security The Starting Point Of The Conversation?

Chuck suggests that organizations should initiate discussions by establishing connections with developers, gaining insights into their workflows, and evaluating their API footprint.

It’s worth reiterating that every discussion, including those centered around security, ultimately circles back to an API/Design-First approach. Rather than treating it as a mere buzzword, adopt this approach as a fundamental principle by prioritizing the “what” before the “how” in API design and development.

Chuck draws parallels to the early adoption of cloud technology, where organizations embraced a “cloud-first” approach without fully considering the specific benefits and implications for their unique use cases.

“Begin with risk. Identify the APIs with the highest risk. Then, tackle them one step at a time. This isn’t a quick fix; it’s a gradual process. Partner with experts who can consolidate all relevant information and provide a unified view, offering a single source of truth,” Chuck advises.

Are AI-Generated Security Models a Viable Option?

While AI remains a focal point in the realm of security, it’s essential to recognize the significant hurdles presented by AI-generated models, particularly concerning security. Chuck underscores the risks to confidentiality, integrity, and availability inherent in AI-generated content.

It’s crucial to acknowledge that as reliance on AI-based tools for security practices increases, so does the potential for data integrity issues and availability risks stemming from third-party services, and with it the need to address these concerns comprehensively. Presently, AI-generated models often introduce added complexity for defenders while offering advantages to attackers.

Furthermore, AI-generated code poses notable security challenges, particularly in low-code and no-code environments.

“Approach AI-generated code with careful consideration and meticulous analysis, rejecting the assumption that it inherently ensures security. Validation, testing, and adversarial emulation are undoubtedly imperative to guarantee the security of AI-generated applications, should you opt for this route,” Chuck advises.

Opt for ‘Shift Left’ or ‘Shift Right’ in Security Practices?

In the realm of security best practices, achieving a delicate equilibrium between innovation and security, especially concerning emerging technologies, is paramount. Chuck stresses the importance of adopting a proactive security approach, encompassing both ‘shift left’ and ‘shift right’ strategies, depending on your preferences (here at Stoplight, we strongly advocate for the ‘shift left’ approach).

While ‘shift left’ typically entails proactive measures during the development phase, ‘shift right’ involves real-time monitoring and response to ensure security in the production environment. Regardless of the chosen approach, it’s crucial to recognize that production should serve as the final line of defense. Organizations should prioritize understanding their ecosystem, identifying risks, and emphasizing intentional design above all else.

“In the end, the ideal approach is to employ a blend of both methods… You need to shift left and address those aspects. However, relying solely on the shift left approach is inadequate. You also need to shift right; you need to monitor what’s actually happening in production,” Chuck advises.

How Crucial is Incident Response and Monitoring, Exactly?

One of the foremost security challenges confronting developers is identifying ongoing attacks or breaches within APIs. Ensure that your security team adopts a proactive incident response approach: understand the blind spots and the breaches that have occurred over an extended period, and use that understanding to identify areas for improvement.

“I’ve encountered several instances where companies have discovered attacks during our engagements with them, which underscores the criticality of continuous monitoring and proactive incident response. Strong collaboration, regular analysis of abuse cases, and learning from adversarial behavior are essential from the outset,” Chuck emphasizes.

If you’re interested in connecting with the Wib team, you can catch them at upcoming events such as Black Hat (currently ongoing!) and the FDX Fall Summit, where they showcase hands-on hacking demos and share educational content. We extend our gratitude to Chuck for joining the show and imparting his expertise on API security! For additional industry insights, be sure to explore API Intersection.