While APIs enable companies to share their application data and functionality, they have also become the #1 target of threat actors. Salt Security’s mission is to accelerate business innovation by making APIs attack-proof. In this episode of TFiR: Newsroom, Salt Security Executive Vice President of Product Ori Bach talks about his new role in the company and shares his insights on API security.
Bach’s journey to Salt Security:
- His career started in one of the technology units in the Israel Defense Forces (IDF). He then worked for a number of companies that dealt with cybersecurity and risk management. He has a strong affinity for technology that can help companies avoid being breached.
- He has always been attracted to companies that deal with disruptive technologies.
- Reasons he joined Salt Security: 1) It is solving the challenge of effectively utilizing APIs without taking on risk. 2) It has a very powerful machine learning that takes trillions of requests of data and comes up with a small subset of insights that help people manage risk. 3) It does not treat APIs as just another attack surface, but as choke points. Therefore, it is an opportunity to improve overall security, not just to secure the APIs themselves.
- Salt Security’s vision is a secure connected world where people adopt APIs and they’re not slowed down by security concerns. Bach’s role as Executive Vice President of Product is to turn that vision into reality by understanding the rapidly evolving threat landscape and making sure that Salt Security is evolving its technology to meet the growing needs of its customers.
Current trends in API security:
- The biggest change in terms of how software is developed is that it’s being assembled and generated, more than it is being written.
- With the use of AI, cloud technology, and microservices, a lot of the work is assembling different things or asking different engines to build code for you. This fundamentally changed security and in a good way because it is less prone to human mistakes.
- Customers are not looking to spend a huge amount of time on security. They’re not looking to have manual processes. They need automation to make it easy.
- API security is going through a natural maturity cycle.
- The reason companies are not fully prepared for API attacks is because API security is relatively new. They’ve built great practices along the years protecting endpoints and some of the perimeter, many organizations lack the expertise in securing APIs.
- With the economic situation in the last few years, some companies are not expanding on what they’re doing security-wise.
- When companies move to an API-first architecture, they “lose” the visibility they had in their legacy applications. They want to know what they have, what data is flowing through it, who and how people are trying to compromise it.
- Some companies are moving to a more mature place. They know what they have, they understand the attack vectors, and they understand how APIs are being exploited. Now, they want to minimize that by making sure the posture gaps are being addressed.
- Practitioners and people on the customer side are starting to gain expertise in API security.
- Companies are hiring smart people who learn how APIs are being exploited and how to defend against that.
On Generative AI:
- Threat actors are smart, innovative, and are looking at every new technology to figure out ways to manipulate it.
- As we look to leverage powerful engines like Gen AI, the biggest risk is that information that was historically kept on-prem is suddenly going to the cloud. Customers want to make sure that they’re aware of what data is flowing into those powerful engines and that that data is secured end to end.
- The opportunity lies in using Gen AI to educate developers and other people about security best practices and how to write secure code.
Advice for companies looking to strengthen their API security:
- Make sure that you know what you have. The most exploitable API is the one you haven’t heard about. Developers sometimes deploy things of which the security team is not aware.
- Make sure there are no zombie APIs left out there that are not being managed from a risk perspective.
- Look at the OWASP API Security Top 10 typical attack vectors that are out there and make sure that you have a good program in place.
- If you are attacked, determine specifically how you’re being attacked and make sure that you have special controls in place to counter or block them from even starting another attack.
- Do this step by step and don’t try to move too fast because it can overwhelm the already busy developers and security teams. Just make sure that you go through these steps and see the benefit in each step.
How Salt Security helps companies:
- Its mission is to improve API security and to make sure their customers are well educated and aware of the threats that are out there.
- It connects developers to what’s happening with their APIs in production by giving them the visibility and part-ownership of ensuring that that API does what it needs to do within the cloud environment.
- Its platform has components of threat intelligence.
- It is hard for every organization in the world to educate themselves about every attack that’s happening out there. As a SaaS vendor, it is able to make sure that attack information gets to the right people.
- When a WooCommerce site was attacked recently, it made sure that all of its customers that are in the ecommerce space are able to see exactly when that attack vector is deployed against them and give them clear actionable steps in order to mitigate that.
This summary was written by Camille Gregory.