Why You Need to Wake Up to API Security VulnerabilitiesExpert Richard Bird on the 'Chaos' of API Security and How to Find and Fix Bad APIs
APIs represent the best and the worst of times - "massive amounts of business value, but massive amounts of unmitigated risk," says Richard Bird, CSO at Traceable AI. In the past year, misconfigured or error-prone APIs resulted in high-profile breaches at Twitter and T-Mobile. Bird fears that's just the tip of the iceberg.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
"APIs are so desirable from an attacker's standpoint because they have a number of characteristics that allow them to be leveraged for multiple different types of attacks," Bird says.
The problem for most large enterprises is that developers have created huge numbers of APIs to perform various business functions, but they have no way of tracking them. "For most companies, there's little to no baseline measurement, understanding, cataloguing or inventory about what the original and initial purpose was - and the entirety of purposes - for an API," he says.
His message to security organizations who have not started managing API security is that they had "better move really fast."
In this video interview with Information Security Media Group, Bird discusses:
- Recent major cybersecurity incidents in which attackers have exploited API vulnerabilities;
- Why APIs are so vulnerable and why threat actors are targeting them;
- What good API security looks like and how to avoid mitigation missteps.
Bird is a multi-time C-level executive in both the corporate and startup worlds. He is internationally recognized for his expert insights, work and views on cybersecurity, data privacy, digital consumer rights and identity-centric security.