We Can’t Fail at API Security If We Never Even Try

It seems like we can’t go a week without hearing reports of a data leak caused by a failure in API security. There’s nothing easy about securing APIs, but it’s hardly the only aspect of security that deals with authentication, encryption, monitoring, versioning, and validation. So why do organizations struggle with API security?

This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, operating partner, YL Ventures. Joining us is our sponsored guest Yoav Nathaniel, CEO, Silk Security, now part of Armis.

SBOMs aren’t a balm for the software supply chain

Lots of companies have been burnt by vulnerabilities in the software supply chain. It’s obvious companies need a better way to get visibility into the software they depend on. A software bill of materials (SBOM) seems to some like a way to approach that. But in their current state, SBOMs are rife with problems. There’s no general format consensus, quality is all over the place, and tracing an SBOM back to actual vulnerabilities is immature at best, argued Kyle Kelly of CramHacks. The industry will likely mature with more standardization over time, but right now SBOMs serve only as a small piece in securing the overall software supply chain.

The immature state of API security

We know APIs represent a huge attack surface. So why do we see a lack of strategy in API security? Sure, it’s complex and represents a long-term commitment rather than an end state. But doesn’t that make the case for approaching it top-down rather than with a reactive, scattershot approach? API security requires managing a lot of moving pieces, like authentication, encryption, monitoring, versioning, and validation, argued Ross Moore of IT Security Guru. Why is API security so tough? We’ve found ways to systematically and strategically address these same pieces in other aspects of security.

Don’t skip the fundamentals with security posture

While there are a lot of subtleties to security posture management, at its core it equates to maintaining proper hygiene across all aspects of security. This needs to be a holistic and consistent effort. Think of it like taking a daily shower versus waiting until you’re completely filthy. That sounds simple, but effectively managing security posture comes down to organizational alignment, accountability, and clear communication. A successful security posture needs comprehensive, proactive approaches to meet the bevy of modern challenges.

Reject tradition, embrace modernity

What actually defines a modern SOC? This isn’t just about integrating specific tooling. Slapping some AI in your SOC may have some benefits, but if it doesn’t change the fundamental workflow in your SOC, it's still traditional, argued Anton Chuvakin of Cloud Security Podcast by Google. Rather than specific tooling, a modern SOC is defined by automation and creating an engineering-led feedback loop. The end goal should be to automate the traditional SOC out of a job, freeing up analysts for more meaningful work.

Listen to the full episode over on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our contributor Ymir Vigfusson, PhD, of Keystrike for providing the What’s Worse?! scenario.

Huge thanks to our sponsor, Silk


What’s a great approach from a security vendor?

"I think the best security vendors lead with transparency and integrity. They’re there to provide value and partner with the customer. They don’t try to oversell and don’t feed them with marketing fluff. They actually do what they say they do." - Yoav Nathaniel, co-founder and CEO, Silk


What Is Your SOC's Single Search of Truth?

"Today, security relevant data is now everywhere. And so enabling teams to make better use of it for very specific missions I think is a much better approach. So, you may end up having different panes of glass that are used for different purposes, but the idea of trying to have just one, a single one, just seems like we’re not going to get there." - Matt Eberhart, CEO, Query

Listen to the full episode of "What Is Your SOC's Single Search of Truth?"


Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

Cyber Security Headlines Newsletter - Every weekday


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be David B. Cross, CISO, Oracle SaaS Cloud. Thanks to Conveyor.

Thanks to our Cyber Security Headlines sponsor, Conveyor


Understanding the Complexity of Breach Response

Responding to breaches is an inevitable reality every cybersecurity professional faces. When it comes to a security incident, just determining whether you have a breach versus an incident is vital, according to Matthew Radolec, senior director, incident response and cloud operations, Varonis. You should also have a handle on who will be making breach-related decisions in a crisis and understand your reporting requirements. This is a preview of our Super Cyber Friday event happening this Friday, March 8, 2024. Our topic will be "Hacking Breach Response: An hour of critical thinking about recovery, containment, and remediation after a data loss event."

REGISTER for 03-08-2024 Super Cyber Friday Event

Joining me and Matt for this event will be Charles Garzoni, deputy CISO and staff VP of cyber defense operations, Centene Corporation.

It all starts at 1 PM Eastern/10 AM Pacific. At the end of the hour (2 PM Eastern/11 AM Pacific) we'll switch gears to our meetup, where everyone will get a chance to chat face to face. Join us!

REGISTER

HUGE thanks to our sponsor, Varonis


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.


Yoav Nathaniel

CEO at Silk (by Armis)

1 year

David Spark and Andy Ellis - Thank you for having me!
