In the past few years, supply chain attacks and their impacts have or will soon overtake that of the damage done by ransomware. It’s of no surprise then that APIs are a critical attack vector that threat actors like to exploit, yet many organizations do not have a good understanding of how many doors they have running into their data.
This week we chat with the godfather of Zero Trust, Dr. Zero Trust, and a chief security officer about the current state of API security maturity. Considering our guests, we, of course, also took the opportunity to chat a bit about Zero Trust's history.
This week we have three very special guests:
John Kindervag, the creator (godfather) of Zero Trust
Chase Cunningham, AKA Dr Zero Trust, and the now VP of Market Research for G2
Richard Bird, Traceable AI’s Chief Security Officer
Like any other cybersecurity concept, APIs must have an asset inventory
There is enough margin of error tied to the intended use of APIs that require continuous monitoring/verification
There is a current maturity gap associated with securing the use of APIs in the name of speed and innovation, and often there is not a well-established owner
We will be taking a publishing break for the month of September as my daughter has arrived, and I will need to catch up on all the sleep I can get. We should be back in October and run through until the holiday break before we wrap season two. I’m also working on a few experimental podcast series during my parental leave, so stay tuned. At least one in particular should be of interest to our audience here. Also, if you work for a cybersecurity org and are interested in launching a podcast, slide into my inbox if you need a hand.
If you caught our last episode with Yubico, you hopefully saw the giveaway. They were kind enough to offer two Yubikeys to listeners, and we have our winners! John C and Simon D, you are our winners. We’ll connect you with Yubico to get your key. Once we are back, I’ll likely do a Flipper Zero giveaway.
Quick PSA for LinkedIn Users
If you do not have MFA/2FA on your LinkedIn account, turn that on right now. There is a massive account takeover campaign in flight that has spanned the last 60 days, and that is the best way to prevent your account from being frozen. Also, tell folks to stop reusing passwords.
And now, on to our episode…
Cure the Disease? Treat the Symptom.
For the endless tools we have at our disposal to prevent, detect, and mitigate cyber threats, we all know there is no magic silver bullet to fully protect an organization. Call it Defense in Depth, Security by Design, or even Zero Trust, and each of these concepts focuses on developing a layered approach to reduce the target on your back.
But here’s the thing, though… besides zero day attacks, in most cases, we know how adversaries are likely to try and attack us. Here’s Chase on why concepts like Zero Trust are so much more critical for an organization than just trying to solve problems with technology and tools:
“Why would I cure the disease when there's more money to be made when I can treat the symptoms? I know, here's another new feature that I know will do this other thing, but it's not gonna solve all the problem, even though I know I could, but it'll just, just take a little taste. It's like, it's like ZT crack, right?
You just get a little sniff of it, and then you want some more, and then you want more, and it just keeps getting worse, and worse, and worse, and... The, the fundamentals, this is, and John and I talk about this all the time, like the fundamentals of what we should be doing are, are well known. It blows my mind that people still sit around wondering where they should focus their efforts or whatever else when we have volumes of research and entire organizations dedicated to this, like this is the one place in all of warfare, the adversary tells you how they're going to come at you and people sit around going, I wonder how this is going to work.”
That is a lot to take in, but we all know this is nothing but fact. There is a tool for every use case under the sun, but without the fundamentals, what value does it really bring us? Not much. Tools only treat symptoms, and your strategy is what cures the disease. Now let’s talk about the current weakest links, API security.
API Security Maturity
“I would tell you that from a maturity standpoint, API security is currently in its password and clear text state,” said Bird.
For your typical listener, this should be a clear example of how rudimentary API security maturity is today. For everyone else, a more simple example is if you put your password on a sticky note and put that on your monitor or on the top of your laptop.
“We are in the cyber security industrial complex. Now, you know, think about the last time any large enterprise organization change the way its security organization was structured. So when you go in and you say, who's in charge of API security, like, everyone sits around the table and goes, I don't know.
Because it doesn't fit. Entirely knapsack. It doesn't fit entirely on data security. It doesn't fit entirely in network security. And yet it's now become the largest exploit and attack surface. So that's current state. And that's really kind of also how we trended into this realization recognition that we better start doing something about zero trust,” said Bird.
APIs Accelerate Innovation
If APIs are a risk and maturity is currently low, should we just stop using it in the name of security? Of course not.
“I think APIs are magical, right? We talk about the API economy and how APIs drive business and one of the things that it does is it eliminates the need for standards. So that now we can have interoperability without standards because standards inhibit innovation. So you back in the old days, if you wanted to connect something to firewall X, then you had to go through a whole bunch of things and it took forever,” said Kindervag.
“Now there's an API I've connected it. I've enhanced some capability and same with payments or whatever business you're in. So you don't have to have these payments, you know, these standards committees where they go into build, you know. The next second secretariat, the next thoroughbred racehorse, and they come out with an eight-hump camel, right?”
API Security Requires Continuous Monitoring
We won’t leave you hanging with one of the potential solutions, which is a common theme in Zero Trust - Continuous verification. In this particular situation, though, that means you need to have the ability to watch for any abnormal uses, no different than monitoring your SIEM/SOAR/XDR systems, and verify any flagged items.
“APIs can be leveraged to do things they weren't intended to do because there's enough margin for abuse within an API, which means that you have to track and monitor those APIs behaviors continuously and ideally traceable. We do this. Um, you know, nobody else in, uh, in the API security market does this.
We actually trace the behaviors because our founders actually created app dynamics, and we trace the behavior continuously over the life cycle of that API so that we know what it's supposed to be doing. And we know when it goes out of band and we know when it starts behaving abnormally,” said Bird.
This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.
Hey everyone, Elliot Volkman, the producer of Adopting Zero Trust or AZT here with a quick update before we jump into the very special podcast episode that we have. Teed up for you today. First a week and a half, two weeks ago at this point my firstborn has arrived, so I'm going to be taking, hopefully, all of September off.
We're going to be doing some interviews, of course, to tee things up, should be back in October, but between the lack of sleep... Potentially a crying baby in the background. I just need to get a little bit of a cadence set. So there's going to be a little pause in publishing. So that's, that's going to be a thing.
Speaking of if you do not currently see our show notes and you haven't subscribed, you can actually go to adoptingzerotrust. com and get our show notes. It's also ported to security Boulevard. But you can subscribe there. So if you prefer to also see some of the stuff that we're putting together, that is a good place to find those updates.
Last episode thanks to Yubico, we also put out our first giveaway we are giving out, well, they are giving out two Yubikeys. So the two winners for that are John C and Simon D. So as long as you're in the US, we'll connect you up and they will get those. keys sent out to you. Thank you so much for participating in that.
We're probably going to do a Flipper Zero when we're back from this little summer break. And then we'll send some information out from that too. I also have a quick PSA. So I unfortunately am a janitor of the internet, which means a moderator for Reddit in particular, the LinkedIn subreddit.
In the past, I don't know, 60 days. There's been a huge influx of people with their accounts being taken over. I might actually do a full episode of that once I gather enough information, but the PSA here is really simple. If you do not have two factor on your LinkedIn account, Put that on like right now that is pretty much the biggest blocker to reduce those account takeovers.
So please put two factor on if you have not already changed your password. Do if you know people who are less savvy, also make sure they're not reusing the password.
Cause I'm pretty sure that's the the critical issue there anyways. So that is the updates and the PSA. We will have some new episodes coming up soon. I'm fortunately on parental leave from the day job. So that means I have a little bit more flexibility, I think as far as time and availability.
So I'm going to actually be working on a few new series, hopefully, which will be of interest to some of y'all. Some of the new podcasts that I'm working on too, not so much cybersecurity related, but I'll throw that out there and we'll see if you're interested and we'll kind of go from there. That's it.
So let's get to the episode that Neal and I have honestly been waiting for, for a very long time with the Godfather of Zero Trust. Let's go.
Elliot Volkman: Hello, and welcome to another episode of AZT, or Adopting Zero Trust. I am Elliot, your producer, alongside Neal, the proper host. And today, after maybe, I don't know, two years in the making, we have probably the most banged up Zero Trust Rockstar panelists that we can get for y'all today. So I'm just going to skip right to it and make some proper introductions, and we're going to go from there.
So you've already met him before on our show. You definitely listen to his show if you're listening to ours. So Chase, I'm going to hand this off real quick to you. If you want to quickly reintroduce yourself, Mr. Sorry, Dr. Zero
Chase Cunningham: Chase Cunningham, retired Navy chief former government contractor, former forestry analyst now VP for security market research at T2 and host of the Dr. Zero Trust podcast.
Elliot Volkman: All right, Richard, if you would kindly introduce yourself and what your role is over at Traceable.
Richard Bird: Yep. I'm Richard Bird. I'm the chief security officer for traceable. I've been in the solution side for about five years now for the 20 years prior to that 20 plus years prior to that. I was a complete corporate sellout. I was an executive in I. T. I. T. management. For about the first half of my career and the other half of my career, I was in information security, cyber security.
I say both because I'm old enough that we didn't have really cool terms for it back then. And I did about 16 or 17 of those years in banking. About 11 at JPMorgan Chase. You know, so I came from the practitioner side over to the solution side and having a blast. I love it.
Elliot Volkman: Excellent. And in just a moment, we will certainly dig into that, but we do have one final proper introduction to make again, long time in the making. John I think everyone who's ever heard of the word Zero Trust better know your name, except for I think our friend over at Serby who might have accidentally introduced something that you've created.
That said, rambling aside, John, Mr. Godfather of Zero Trust, if you can give us a little bit of a
proper introduction to yourself.
John Kindervag: Yeah, John Kindervag. I'm a senior VP at a company called ON2IT, which is a managed service company that does managed services from a zero trust perspective. Prior to that, I was four years at Palo Alto Networks as field CTO. And before that, I was eight and a half years At Forrester Research, where I created Zero Trust, wrote the first, oh, half a dozen papers, and got completely well, called lots of, lots of spicy names by people who thought that this was not going to go anywhere, and I wasn't sure it was either, but it did, and I'm happy to be here today with two of my best friends Richard and Chase So, we're gonna, we're gonna have fun today, cause the three, you, you think you think your guy's unmanageable you haven't hung out with these two, so, you know, we're gonna
Neal Dennis: not sure what to think about being called unmanageable right now, but you know, I'll take
Elliot Volkman: I mean, I did just edit an episode where we were in San Francisco, and I might have been giving him tequila shots right beforehand. So he kept it together.
Neal Dennis: Hmm.
Elliot Volkman: you know, I got to give him some credibility for that. Alright, so I do have to throw this one question out there before we kind of, you know, delve into the depth of zero trust and API.
And then God knows wherever y'all take this. So I just have to ask john, is it not weird as hell to see? Something that you've created snowballed into absolutely everything that touches almost zero trust today. Maybe not so much at RSA this year, because they are AI is taking over, but zero trust is everywhere.
You know, what are, what is your perspective on how much that has snowballed out and chase
you get some of the blame for. That product placement.
John Kindervag: Yeah, no, I mean, it's, it is weird, right? I mean, it's gratifying, it's humbling, but it's weird. I mean, literally, people did make fun of me early on. And told me I was, I was insane, not just like insane as hyperbole, but literally you're nuts for doing that. And but, you know, at Forrester at the time, what people don't realize, it wasn't just like, Oh, I threw this out.
It, there were two years of primary research where I went around the world and talked to people and here's this idea and poke holes in it and see where it happens and evolve it. And so, and then, and then by the time it became kind of mainstream, I had. Worked on the design and building of a whole bunch of various zero trust environments and then you know, had found the right people to, to really partner with.
So chase here well, I, I recruited him to Forrester once and then, and then at the last minute he, he turned me down and and I recruited him again to take over for me when I was leaving because I wanted him to be the backfill because I didn't, you know. I didn't trust what would happen if I didn't leave it in good hands and, and he took it to the next level.
And then so that's, we've known each other since well, pretty much when you got out of the Navy, I guess. Right. And a long time, we go back a long time you know, good friend. And then, and so, you know, to, to just, there was always a few people who said there's, this really has legs. Keep going really encouraging when most people were telling me, nah, this isn't going to happen and, and and a lot of those people who said this is never going to happen.
It's a dumb idea are now zero trust experts. So, I guess, you know, it's, it's fun to see, see that change, but it's, it's very, it is, it's humbling. You know, it's, it's really weird. It's, it's weird when people recognize you on an airplane and stuff. It's just, It's just a bizarre thing.
Elliot Volkman: Absolutely. And I, I think what you had just referenced probably can be summed up well in a, I don't know which one of y'all shared it. Y'all interact with it. It was on LinkedIn where they're trying to neutralize the concept of zero trust. And then like the next frame, it was, oh, by the way,
this is our flavor of zero trust, which is a product
Chase Cunningham: Oh, that was Sean Connolly. Yeah,
John Kindervag: yeah, that was Sean Connolly over at, at CISA, who, oddly enough, was an early advocate back when he was with the State Department, right? So, you know, you, you see, those are the kind of people that you go, okay, yeah this is gonna go somewhere. And, and, and it's, you know, to me... Like, you know, the, all the other panelists were in the military.
I wasn't, my dad was, but I wasn't, but it's the same concept, right? It's being mission focused and, and we're fighting against an adversary, right? So there's three adversarial businesses. There's the military, there's law enforcement and there's cybersecurity. And general John Davis, who who was a two star retired.
Former special forces, but who stood up what, what eventually became cyber command worked with me at Palo and one time he pulled me aside and he, he put his arm around me and he, he leaned over and he said, John, I fought my wars already. You go out and fight yours. And so that kind of encouragement, you know, can really keep you going.
And so you need those people, you need the chases, you need the Richards, you need those people in your life to encourage you to keep moving forward. And, And, that's what we have to give back to the community, right? Thank you.
Elliot Volkman: All right. So that is all the time that I will. Thank you. Nag you on the concept. I mean, you know, you've covered this a million different ways. Chase's entire podcast dedicated to it. So let's let's go a couple of layers lower and chat about the elements of API as it associates to zero trust.
Obviously, we know you know, from a risk perspective, supply chain attacks are absolutely a critical piece to the pie. But yeah, Richard, maybe we can kind of hand this off to you. What is the current state of API in cybersecurity and how impactful is it to organizations today?
Richard Bird: Wow. There's there's so I'm going to use my favorite Richardism for for John. There's so many different threads to pull here. And you know, when I think about this, you know, I would tell you that from a maturity standpoint A. P. I. Security is currently in its password and clear text state.
You know, this is it's a very interesting set of problems that have propagated for. You can argue at least a dozen years which is really the rise of the API economy using APIs to access all the things. But obviously APIs go back way further, right? We just go back to scripting and we go back to, you know, SSH keys, keys and calls and all that kind of stuff.
Been around a long time, but now with the virtualization of everything that virtualization of everything has unleashed the capability for us to connect everything. with APIs. So APIs are APIs are proxies and or function like networks. They function like data transport. They function like data transformation.
You know, old ETL. They do all the things and to bring this back around to how, you know, chase and john and I and a number of other people have started to really think about this notion of layer seven security. It all comes about from a conversation that John and I had a number of well, it's gotta be two, two, two years ago, right after we got out of COVID, John and I were in Miami on a panel, and John does such a great job presenting how zero trust really works in kind of an unvarnished way, and he stood up and he was in front of the audience and he said, you know, when we get all this stuff right security will be driven into layer seven by policy.
And when I joined Traceable all of a sudden they had this epiphany that Layer 7 security sucks. I mean, it's bad. If we think about the history of application security, it is horrible when it comes to you know, security controls. You know, it's very coarse grained. You either have access to something or you don't have access to something.
There's no nuance, there's no subtleties, and most of the fuel for APIs It's driven through authorization, whether it's Auth N or Auth Z, and there's no security controls around authorization. So I think that, you know, really, when we look at the current state of API security, there's been this massive move to achieve huge amounts of business value by leveraging APIs.
And it's pretty much like, you know, giving an 8 year old kid a shotgun. Right? You've, you've given them all the power, but none of the accountability and responsibility from security standpoint and security organizations are really institutionalized. Actually, I was going to jump on what John was saying about his experiences.
We are in the cyber security industrial complex. Now, you know, think about the last time any large enterprise organization change the way its security organization was structured. So when you go in and you say, who's in charge of API security, like, everyone sits around the table and goes, I don't know.
Because it doesn't fit. Entirely knapsack. It doesn't fit entirely on data security. It doesn't fit entirely in network security. And yet it's now become the largest exploit and attack surface. So that's current state. And that's really kind of also how we trended into this realization recognition that we better start doing something about zero trust in the API layer. Or we run the risk of all of the work and efforts being sub optimized in all of the other spaces where we apply zero trust.
Neal Dennis: Yeah, I think that's, I guess I'm gonna kick in. So , I'm, I'm in deep agreement there. You know, I, I think working at a product company who has an a p I, first off your point being, everybody's gotta have an a p i. Even if they don't want an a p i, if they own a product, someone's always gonna ask for it. But it seems like an afterthought at a lot of companies that are just really getting their feet underneath them everybody and.
It seems to inherently assume that if we set up API, it's secure, go away, do nothing. But to your point, it really is just a username and password that's waiting for someone to do something else with, right? So I'm kind of curious then on that note, thinking about, we got the problem, right? API sucks, there's better ways to do things, there's better ways to secure.
We've talked a little bit about these on the show before, loosely, but Chase, John, definitely obviously curious about your thoughts to add to the problem, and then maybe some thoughts around servicing that problem.
What are some of the collateral ideas?
John Kindervag: Well, before, because I
know Chase is going to talk
Neal Dennis: Yeah.
John Kindervag: to hack them because that's his background,
right? But I want to talk about the business value because I disagree with the comment that APIs suck. Conceptually, right? I think APIs are magical, right? I think APIs, we, we talk about the API economy, and API drives business.
And one of the things that it does is it eliminates the need for standards. So that now we can have interoperability without standards because standards inhibit innovation. So you back in the old days, if you wanted to connect something to firewall X, then you had to go through a whole bunch of things and it took forever.
Now there's an API I've connected it. I've, I've enhanced some capability and same with payments or whatever business you're in. So you don't have to have these payment, you know, these standards committees where they go into build, you know. The next second secretariat, the next thoroughbred racehorse, and they come out with an eight hump camel, right?
Which is what standards bodies do. So, now we can have innovation, and it's like everything else. Here's this magical thing. Oh, let's think about some security because security is always an afterthought, but because it's, you know, I think we can figure out pretty quickly and we're, and we're doing that at traceable, how to secure that.
But of course, in the meantime, before people get a handle on that, they're going to want to hack the heck out of it. And that's where. You know, Chase's expertise doing stuff that he won't talk about comes in.
Chase Cunningham: I mean, I, I think there was the conversation a while ago about the identities, the new perimeter, whatever else, I think that APIs are the network now, like, I thought, I think that I really am not concerned about a firewall because a firewall honestly is a package shoveling, you know, sieve and I, I'm good with doing that thing.
But if I can't take care of APIs, Like, we're building a castle on a sand foundation. And if you talk to any developers out there, and say you want to build something, the first thing they ask is, is there an API? They don't even ask about code. They don't ask about languages and whatever else. They say, well, what API is going to hook into?
And, I mean, like John says, I think APIs are super too, because they are changing the way that we do business, and they are expediting the way that things move forward. But, it just, continues to be the self licking ice cream cone that gets worse and worse and worse, the deeper you get into it. And it just, there's more on the other side.
And if you don't have an inventory and a understanding of what those APIs are doing and what they're touching, I Don't care how well you think your architecture is secured because I'll Find me someone that does that and call me and I'll put a year's salary up against your stuff with two or three folks I know and we'll get you like it's just not even a question And my salary is small.
So it'd probably be something you'd be willing to risk, but I'm just saying
Richard Bird: and if we can, I mean, to drive a
Neal Dennis: Yeah, I
Richard Bird: point home that that both John and and. Chase have talked about, like the APIs have just a massive amount of possibilities in terms of improving all aspects of the digital world, right? The the problem is, is the, it's the Uncle Ben Peter Parker problem, right?
Which is, with great responsibility comes great or great power comes great responsibility, right? It's the responsibility piece that's not being exercised within most large and medium sized enterprises today, or government agencies when it comes to APIs. If, if you are a CISO. Or if you're an information security practitioner, and I ask you to follow three questions.
How many APIs do you have? Where do those APIs reside? And what are those APIs doing? What are they doing? And you can't answer positively to all three. And if you answer negatively to all three, you've got a serious problem. Right? A serious problem. Because there's nothing in security that ever starts out with, I have no idea what I'm facing, that ends with a good outcome.
Right. It's, it's always, it's always the unknown unknowns that end up being your exploits and your risk and your attack surface. And yet we've got companies where it is a common knowledge that nobody is controlling these APIs outside of a gateway and a firewall. And neither of those are sufficient with the attacks and the the exploits are being used with APIs today.
Neal Dennis: think those are fair points. And to iterate, I don't think APIs suck. I think the security implementation of APIs is what sucks, to be very abundantly clear. I take advantage of them every day, like on this. So, a lot of things there. But That being said, on a happier note, yeah, you know, I think APIs are a game changer when they're available.
Implementation is where there's a lot of issues, and then follow up, post implementation, yeah, you've got all these endpoints. And I will say from my perspective, and this is a question, I've seen a lot of consolidation of endpoints on vendors side, where they're trying to consolidate to one or two endpoints finally.
Do y'all feel like that's still kind of where things are going with a lot of, a lot of the vendors out there, where at least they're trying to go from having 8 different endpoints. To maybe that consolidation approach and, and finally, maybe getting a little closer to a more secure environment. Maybe throw that one over to the hacker on the chase real quick, and then we'll see what everybody else's feels are.
Chase Cunningham: I mean, I, I think that there's a lot of vendors that are doing a lot of really good things. And I think in general, the, the people that actually care about this space are focused on trying to, you know, fix problems. But I also think that we've got kind of, I like the, I like, it's like big pharma for cyber.
Where, why would I cure the disease when there's more money to be made when I can treat the symptoms? I know, here's another new feature that I know will do this other thing, but it's not gonna solve all the problem, even though I know I could, but it'll just, just take a little taste. It's like, it's like ZT crack, right?
You just get a little sniff of it, and then you want some more, and then you want more, and it just keeps getting worse, and worse, and worse, and... The, the fundamentals, this is, and John and I talk about this all the time, like the fundamentals of what we should be doing are, are well known. I, it blows my mind that people still sit around wondering where they should focus their efforts or whatever else.
When we have volumes of research and entire organizations dedicated to this, like this is the one place in all of warfare, the adversary tells you how they're going to come at you and people sit around going, I wonder how this is going to work.
John Kindervag: right. I mean, because, and, and you said it, Richard, right? We used to do information security and now we do cyber security. Now the fundamental problem with that is what's a cyber and why should I secure it? Right? We changed it so, at least at one point, information is the thing we're going to secure. Cyber is, is a word used by, by Plato in the Republic to, it's the word for a steering wheel on a ship, and he was using it for the concept of, of, of government.
Government is cyber, kyber, it's where we get kubernetes from as well. But, you know, that's a cool word, cause... One of those writers, Neil Stevenson, or somebody used it in a science fiction book. So we want it to be cool, but now we've got away from the focus of we've got to protect something. And not only do people not know how many APIs they have, they don't know anything about what they're protecting.
So I talk to people all the time about Zero Trust. I just bought Widget X or Gadget Y. What do I do with it? Well, what are you trying to protect? Well, I haven't thought about that yet. Well, then you're going to fail, right? So, I'm going to protect APIs. In this conversation, I'm going to protect APIs. So you've got to figure out, what APIs do you use?
What APIs do you give to other people? What APIs do you connect to? How do they connect all that kind of stuff? Now, you know what to protect, right? You know, from the military, you always know what you're protecting and what the mission is. And we got it. We got to, we got to adopt that mindset of figuring out what we want to protect.
You know, we, we talk about we have general zero trust, which is Greg to Hill, the head of cert, who is a friend of ours. And he always, he always quotes Frederick, the great who, who according to Greg, and he would know. Because I was never a general, but he says Frederick the Great once said that if you try to protect everything, you protect nothing.
And that's what we're trying to do. We're trying to protect everything, just a little itty bitty bit, instead of protecting the things that are really, really important
Neal Dennis: Yeah, Richard, anything to add? Kind of helped kick off the
Richard Bird: Yeah, I mean, I mean. Yeah, as long as, you know, as long as we're diving into, you know, Greek and, and Roman philosophers and writers, right? I, I get a kick out of the fact that, you know, if you think about it from a purely stoic standpoint, right? Stoic, the stoic movement, you know, is all about incremental improvement.
Right. Improve a tiny bit each day. And then by the end of, you know, some certain span of time you will have gotten much better. And I think that that ties directly into it. John and Chase were just saying relative to Zero Trust specifically and APIs. Also, specifically, and that being like the funniest response that you'll get from anybody today talking about API security is to walk into some large room, some company, some keynote platform, and just ask the following question.
I'm using one ZT principle. Reduce your attack surface. How many of you in the room reduced your attack surface for APIs yesterday or the day before or the day before that? Or how many are you experiencing exponential growth of your API attack surface and are doing nothing about it? Right? And it's always a really interesting set of questions to ask, because People kind of choke on it, right?
They go, Oh, yeah. I mean, I guess if I'm following zero trust principles, I should be reducing not just, you know, API attack service, but all attack surfaces. But beyond that, I should be making incremental improvement. And unfortunately, one of the things over, you know, a 35 year career for me that's been frustrating is a lot of stuff that's old is still good.
Right. So we think about total quality management Deming's, you know, all of this idea of continuous process improvement, all of that knowledge has been lost in the enterprise world, we are constantly reinventing the wheel. If you want to improve for that, ask, ask somebody in a company, whether their CFO knows or not, that they have multiple redundant APIs developed across different parts of their organization, because CFOs love to hear about redundancy that relies on resources to build it.
Right? Because that's wasted cost, wasted energy, wasted efficiency. But we don't have any of these notions of process improvement anymore. But they're easily applicable. Right? I think John was mentioning that. We know what we should be doing. We've just chosen to stop doing those things for the sake of, you know, whatever the flavor of the day might be.
Today's flavor is AI, as you mentioned earlier, Elliot, right? But you know, for whatever, for whatever reason, we're sacrificing good solutions. Good practices and good thinking for speed to market and revenue and whatever else. So,
John Kindervag: Yeah, I mean, it's the same thing was, of the lessons of Six Sigma, right? Focus on your output metrics more than your input metrics. If you're, all you're focusing on is your supply chain, but not how good is the car coming off the line. Then nobody's gonna buy your car, right? And you know, you, you, you end up losing your competitive advantage because somebody else cares about quality control.
And that's what we're doing here in, in cyber security. This is quality control. And so, I always kind of joke that the, the sec ops people and the dev ops people and the dev sec ops people and the, however, ops sec dev people or whatever, the, the flavor of how we're going to put those, those things together.
Those are the Ricky Bobbies. Of cyber security, right? I just want to go fast. I got a cougar sitting next to me. I just want to go fast, right? Shake and bake. And, and, when you, when that's your only concern... There's going to be a tremendous amount of failure in that system because cyber security is an incredibly complex system And it's a system that maybe can't keep up with the speed that people want to do it at and some of the things that are That that we're so in love with maybe we're seeing that maybe we shouldn't have been so in
love with them over the over the
Neal Dennis: I think those are fair points. And I don't know if anybody knows the movie Michael Keaton's Gung Ho from the 80s, right? The car manufacturer, he has to get a certain amount of things off the line or else they shut down the factory. He gets them off the line, right? But it wouldn't drive, but maybe one of them.
That being said, you know, I think those are valid points about quality versus security versus a few other things. About 10 minutes. I am curious, especially given, you know, the company that we... behind us here in the email domains. What are some of the constructs here? Solutioning wise to help bring all this together to kind of help make sure that at least me as an enterprise entity, maybe not necessarily a producer of product like, like a SAS or anything, but at least as a consumer, what's some ideas to help.
You know, one, minimize that footprint and two, just in general, become a little bit more secure in the API world.
Richard Bird: well,
Neal Dennis: I'll throw that out. It's an open question for whoever wants to start that one off.
Richard Bird: I'll dive in because I think it's really, you know, I think it's really critical to simplify this problem statement because I think that people get to, you know, glossy eyed about all the cool things that APIs can do. So I always start, you know, what you can do about API security off with some real simple basic tenants.
The first is, is. APIs are knowable, and this is a very important fact about APIs. APIs, you can divine and tell what an API is supposed to do based upon how it's coded, right? That means that you can also keep track of that API's behavior against that baseline design. Right. So that's why it's so important to know what APIs you have and what they're supposed to be doing.
The other thing is, is that you have to understand that an API that is designed to do a thing can be leveraged to do other things. And the way that I like to explain this is the hammer analogy. Like, so. A, there are, a claw hammer, a carpenter's claw hammer is designed to do two things, drive nails and pull nails out.
And, and the vast percentage of time that is the way that a hammer is used, that hammer can also be used to cave somebody's skull in, right? Same design, same physics, same motion, same geometry, right? But it can crush somebody's skull. And I don't think there's a hammer designer alive that goes, yeah, I want to design a murder weapon. APIs are the same way. APIs can be leveraged to do things they weren't intended to do because there's enough margin for abuse within an API, which means that you have to track and monitor those APIs behaviors continuously and ideally traceable. We do this. You know, nobody else in in the API security market does this.
We actually trace the The behaviors because our founders actually created app dynamics, and they know all that traces. They trace, we trace the behavior continuously over the life cycle of that API so that we know what it's supposed to be doing. And we know when it goes out of band and we know when it starts behaving abnormally.
Right? And then ultimately, it really comes down to probably the last piece, which is give a damn about API security. Right? Don't have a situation where you're standing in a room and you're asking your organization. Who's in charge of API security? And the answer is nobody knows, right? This is serious stuff, and it just represents the next iteration or evolution within technology.
But there's no excuse to not acknowledge that change in evolution and say, Well, you know, I'm just gonna keep all my network engineers on staff, and I'm just gonna keep all my, you know, data based security guys on staff. I'm working with companies now that are taking entire infrastructure security people and retraining them.
On APIs and API security. We have to acknowledge the change in this digital landscape. And if we don't, the bad news is the bad guys acknowledge this change about six or seven years ago. And they're really capitalizing on it now and going forward.
Neal Dennis: I like that. I think hitting on the, the identity of what's happening, right? And funny enough, we had a conversation yesterday or so about identity versus authentication, right? Identification versus authentication. That being said, I, I think that's kind of a, a solid approach. I talk about behavior analytics a lot, not just on this podcast, but with other people around how that's going to change that fingerprinting and that capability to be more secure.
So just curious to continue it, throw it over here to John real quick, you know, your thoughts on that or any additional things around kind of that effort for the ID versus Auth and, and the take on which one and how and stuff like that.
John Kindervag: Well, I
mean, you know, to put it into, why did I join Traceable as an advisor? One is because Richard asked me to. So, when Richard asks you to do something, you go, yeah, sure, probably. As long as it's legal, right? So, is this legal? Yeah, okay. But you know, what, what, what we're doing at Traceable are the first two steps of zero trust in the five step implementation model.
Determining your protect surface, what do you need to protect? So you need to protect your APIs, right? So, what APIs do I have? Getting an inventory of them. Step two is managing the transaction flow or look, looking at the transaction flow, mapping it. How are they working together? If you don't know those two things, you can't protect anything, right?
And so by having that ability, you can automate what is the proper control structure to, to do this. And then you can also within, you know, create some policy. In Step 5, Monitor and Maintain, you know, take the telemetry and learn from it so that you can create an anti fragile system. We brought a whole lot of philosophers and thinkers into this, but Taleb is one of my favorite.
He wrote a book called Anti Fragile about how you can you know, you can get Stronger over time under load, under stress. So a stressor can make a system stronger. So he's doing that for financial systems. He's using the human body as an example, right? When you work out you stress your body.
That makes you stronger. You know, Chase has been, Chase looks like Captain America now because he's been working out so much. That's his new, or chief, I guess he'd be, he wouldn't be Captain America, he'd be Chief America, right? Or something like that. But but, you know, you can make a system stronger over time.
That's an amazing thing to be able to do technologically. So, so that's where, where I would say that. And then, is identity the new perimeter? I mean, this is the thing Richard and I talked about in Cleveland, right? When I told him, Identity is consumed within Zero Trust. It's not Zero Trust itself. And we can prove that with three, three words.
Snowden, Manning, Texarea, right? There was no question of their identity on the High Side network. But nobody looked at their packets. Nobody asked, what are they doing? Right? I mean, how did Texarea do what he did? I mean, that is just an amazing thing. Walk out of a skiff, somehow you print it in a skiff, you fold it up the papers, you walked out, nobody checked, and then you take a picture at your house and you put it on Discord?
I mean... You know, Chase is shaking his head because he spent a lot of time in SCIFS. And so it didn't matter. The identity and the authentication and the authorization didn't matter if you're not asking other questions deeper into
Neal Dennis: Chase, anything else you want to add to that? I, I feel your pain from the Skiff perspective,
Chase Cunningham: I used to have my sailors and airmen and soldiers empty their pockets and physically show me before they were allowed to leave the skiff and if they said no, there was a physical correction to follow. So like, yeah. I don't know how that happened, but, hey, guard is all I could say. Guard. Yeah. Anyway I mean, I, I still stand on the, the idea that if your goal in cyber security is to defend yourself from an adversary that is trying to attack you, I think you should basically put yourself under attack on a regular basis and see how you respond and plot your defenses based on the weaknesses you determine.
Like, it's... It doesn't do any good to do those Mickey Mouse pen tests and, you know, run your scans and then say you're good and then get your little Clippy board and clickety click and go on about your way or whatever else because they're gonna find a different route to go after you So in my perspective and I think it applies to API's and everything else in the in the infrastructure strategy wise You want to be defended you must test your defenses you do that in a realistic manner Run a red team mob.
Otherwise, you're just doing Kentucky windage. And if the wind changes direction,
Neal Dennis: awesome. Well, like I said, we got a couple minutes. I'm going to throw it back over to Elliot to wrap us up and see what else he's got for the next two minutes, but once again, appreciate it guys.
Elliot Volkman: Yeah, so as as much as I love to bring us to a typical rabbit hole that I love to prod at the end, I know that you are over maybe committed to everyone under the sun that wants to talk about cybersecurity and zero trust. So with that said I will actually wrap it here and. I just want to say thank you so much for joining us.
It has been a long time coming to get you all in here. Richard has been an absolute pleasure to get your insight on what you all are building and just in general. Chase I'm sorry that you get to deal with us at least, you know, every other month. But John, thank you so much for being here.
We really appreciate it.
Neal Dennis: Thank you gentlemen once
more. Appreciate the conversation. Even though we had to wait for the squid