With Black Hat, the internationally recognized cybersecurity conference series happening this week, security best practices are the talk of the town. So, of course, we had to jump on the trend and invite well-known security expert Chuck Herrin on the podcast.
Chuck is the CTO and board member of Wib, and he joined us to discuss his company’s approach to API Security. Chuck primarily focuses on API penetration testing and adversarial emulation. Chuck’s career started off as an attacker and morphed into becoming a builder and defender.
As CTO at Wib, he focuses on bringing the second generation of API security to the market, and he shared with us his top tips for handling API security the right way and answered some of the questions we’ve all been wondering.
Does the Conversation Even Start With ‘Security?’
“Organizations should start by building relationships with developers, gaining insights into their workflows, and assessing their API footprint,” shares Chuck.
Not to beat a dead horse, but every conversation, even security-related ones, all lead back to an API/Design-First approach. Before you even dive into the security world, use this approach as a guiding principle rather than just a buzzword by focusing on the “what” before the “how” in API design and development.
Chuck relates this concept to the early days of the cloud, where organizations jumped into a “cloud-first” approach without considering the specific benefits and implications for their use cases.
“Start with risk. What’s the highest-risk API? And one bite at a time, you do this. It’s not a one-week project. You work with somebody that can do all of those things and put all of that visibility into one context for you that gives you a single source of truth,” shares Chuck.
AI-Generated Models for Security: Yay or Nay?
Although all things AI are what’s hyped up in the security world right now, there are significant challenges posed by AI-generated models, particularly in the context of security. Chucks highlight confidentiality, integrity, and availability risks associated with AI-generated content.
It’s worth noting that the more you rely on AI-based tools for your security best practices, the more significant potential for data integrity issues, availability risks from third-party services, and the need to address these concerns comprehensively. Where the technology stands right now, AI-generated models can often introduce more complexity for defenders and advantages for attackers.
Speaking of AI, there’s also a decent amount of security challenges posed by AI-generated code, especially in low-code and no-code environments.
“Approach AI-generated code with intention and thorough analysis, dispelling the notion that it is automatically secure. There is definitely a need for validation, testing, and adversarial emulation to ensure the security of AI-generated applications if you’re going that route,” shares Chuck.
Shift Left or Shift Right for Security?
Regarding security best practices, there’s a fine balance between innovation and security, particularly in the context of emerging technologies. Chuck emphasizes utilizing a proactive security approach, including both “shift left” and “shift right” strategies depending on what you fancy (here at Stoplight, we’re big fans of the shift left approach).
While “shift left” typically involves proactive measures during the development phase, “shift right” involves real-time monitoring and response to ensure security in the production environment. Regardless of which approach you take, note that production should be the last line of defense, and organizations should prioritize understanding their ecosystem, identifying risks, and ensuring intentional design first and foremost.
“Ultimately, where you want to land is a mixture of using both methods…You need to shift left and address those things. But if you count on the shift left by itself, you’re going to have a bad time. You also need to shield right; you need to monitor what’s actually happening in production,” shares Chuck.
How Important is Incident Response and Monitoring REALLY?
One of the leading security challenges developers face is identifying ongoing attacks or breaches in APIs. Make sure your security team has a proactive incident response by focusing on understanding the blind spots and breaches that occurred over an extended period of time to understand where you can do better.
“I have a few real-world examples of companies discovering attacks during engagements that we’ve had with them, and it totally underscores the importance of continuous monitoring and proactive incident response. You really need strong collaboration, a regular analysis of abuse cases, and to learn from adversarial behavior the first time,” shares Chuck.
If you want to engage with the Wibb team, you can catch them at upcoming events like Black Hat (happening now!) and the FDX Fall Summit, where they showcase hands-on hacking demos and share educational content. Thank you, Chuck, for coming on the show and sharing your API security expertise! For more industry insights, check out API Intersection.
