
How Security Practitioners Master API Security in the Evolving Regulatory Landscape



In this episode, host Dani Woolf is joined by Sue Bergamo, James Azar, and Chuck Herrin to discuss the challenges of API security in the context of digital transformation. They highlight the lack of visibility, tools, and control in organizations when it comes to API security. The panel emphasizes the importance of understanding the data flowing through APIs, having a clear ownership structure, and implementing secure development practices. They also discuss the impact of regulations and compliance on API security and the need for organizations to educate themselves and align their language with developers and application owners. In addition, the guests stress the importance of communication, collaboration, and education in addressing API security challenges.

Guests at a Glance:

  • Sue Bergamo: Sue Bergamo is a longtime CIO and CISO who currently works as an executive advisor for BTE Partners. She advises innovative CEOs on cybersecurity and is passionate about protecting and securing data.
  • James Azar: James Azar is the CTO and CSO of AP4 Group, a critical infrastructure company. He is responsible for the internal technology and security practices of the company and works with power plants, oil and gas companies, and aviation organizations.
  • Chuck Herrin: Chuck Herrin is the CTO of an API security company called Wib. He has decades of experience as an attacker and defender and has served as a CISO multiple times. He is passionate about API security and helping organizations protect their data.

Key Takeaways:

  1. Lack of visibility, tools, and control are major challenges in API security.
  2. Organizations need to understand the data flowing through APIs and implement secure development practices.
  3. Ownership and accountability for API security should be clearly defined within organizations.
  4. Regulations and compliance frameworks are starting to specifically address API security.
  5. Security vendors should focus on eliminating false positives and providing guidance on addressing API vulnerabilities.
  6. Communication and collaboration between security teams and application owners are crucial for effective API security.

The Challenges of Digital Transformation and API Security

Digital transformation has become a buzzword in the business world, with organizations across industries striving to embrace new technologies and improve their operations. However, this transformation comes with its own set of challenges, especially when it comes to API security.

Sue Bergamo, an executive advisor for BTE Partners, highlights the lack of visibility, tools, and control as major challenges faced by organizations in this space. She emphasizes the need for a structured approach to API security, starting from procurement and vendor management.

James Azar, CTO and CSO of AP4 Group, adds that API security is not just the responsibility of the security team but also of the application owners and developers. He stresses the importance of involving developers from the beginning of the API creation process and of managing third-party APIs effectively.

Chuck Herrin, CTO of Wib, emphasizes that API security depends on clear ownership and a deliberate architecture. He highlights the importance of understanding the development teams and how they actually build and ship APIs in order to secure them effectively.

The Impact of Regulations on API Security

Regulations and compliance requirements play a significant role in shaping the landscape of API security. Sue points out that API security falls under the domains of security, compliance, and data privacy. Organizations need to address all three aspects to ensure they meet regulatory requirements and protect sensitive data.

Chuck highlights the increasing focus of regulators on API security and the need for organizations to understand and manage their APIs effectively. He mentions that major compliance frameworks are starting to specifically call out API security, making it a mandatory consideration for organizations.

James, however, plays devil's advocate and suggests that there might be pushback from industry and organizations regarding the strict requirements around API security. He believes that some regulations might be over the top and difficult to achieve, leading to resistance from industry players. He also mentions the trend of security practitioners being held accountable for breaches and the need for a balanced approach to API security.

Bridging the Communication Gap and Enabling Collaboration

Throughout the discussion, it becomes evident that effective communication and collaboration are crucial in addressing the challenges of API security.

Sue emphasizes the need for security practitioners to educate and partner with engineering teams. By understanding their language and challenges, security professionals can provide guidance and solutions that align with the business goals.

James suggests that vendors and companies selling into the practitioner community should focus on understanding the language and challenges of application engineers. By aligning their messaging and solutions with the needs of the application teams, vendors can bridge the communication gap and enable better collaboration.

Chuck adds that vendors should focus on eliminating false positives and providing actionable guidance to developers. By reducing false positives, vendors can build trust with the development teams and ensure that security issues are addressed effectively. He also highlights the importance of operationalizing security and involving stakeholders from different teams to ensure the success of API security initiatives.

Closing Thoughts

API security is a critical aspect of digital transformation, and organizations need to address the challenges it presents. By focusing on education, collaboration, and effective communication, security practitioners can work with engineering teams to implement secure API practices. Vendors play a crucial role in providing tools and solutions that align with the needs of application engineers and enable better API security. As regulations continue to evolve, organizations must stay proactive in their approach to API security and ensure compliance with industry standards.

The future of API security lies in the hands of those who understand the importance of collaboration and continuous improvement. By adopting a holistic approach to API security, organizations can protect their data, meet regulatory requirements, and build trust with their customers.
