Here are six minutes of the best moments from “Hacking API Security: An hour of critical thinking on protecting the connective tissue of corporate data”.
To watch the entire video chat and see the discussion, go here.
Much of the conversation stemmed from my earlier article, “25 API Security Tips You’re Probably Not Considering.”
Joining me in the discussion were Nir Valtman (@ValtmaNir), VP, head of product & data security at Finastra, and Roey Eliyahu, co-founder & CEO of Salt Security. We also had special appearances by Dutch Schwartz of AWS and Ben Walther of Atlassian.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, Salt Security.
Winner of “Department of YES”
We had 27 fantastic submissions for the “Department of YES”, but the best bad idea goes to Jim Zimmerman of Reliance Steel & Aluminum Co. for this well thought out bad idea: “When a user wants access to your API, they must call your support #, wait on hold, and request access from an agent. Then after 7-10 business days they receive a single-use access key in the mail that they can use to make an API call.”
Honorable mentions go to these old school suggestions.
“Fuzz test your APIs with an in-house program written in COBOL.” – Ian Poynter
“An API that only gets through after port knocking to the beat/frequency of ACDC’s Thunderstruck intro.” – Scott Sheahan, Aptiv
“Put Gene Simmons in charge of your API Security.” – Chris Westphal, Salt Security
Best quotes from the chat room
“When you have 200 critical [vulnerabilities], you might need a new category; ‘catastrophic’ might be a good name.” – Ran Barth, Salt Security
“We often forget point in time vetting is just that… a particular point in time. Newer vulnerabilities might not have been around.” – Wil Tulaba, Cognex Corporation
Follow us on Crowdcast
For as long as we can handle it, our video chats will be happening every Friday at 10 AM Pacific/1 PM Eastern. Please follow us on Crowdcast to be alerted the moment a video chat goes live.