Katie Paxton-Fear
Podcast Appearances
So these APIs get exploited all the time. And honestly, it's because it's quite easy. If you don't even know something exists, how on earth are you supposed to secure it? You can talk about things like secure coding, secure software development life cycles, security vulnerabilities in general. But if you don't even know an API exists, how on earth are you supposed to protect it at all?
You don't know what you don't know. And when it comes to security, that is what will get you breached. Certainly, if we think about today as we're recording it, people have done an investigation into the Internet Archive attack from a few weeks ago and found there were just credentials on GitHub that were just valid that nobody had deleted. The problem is that they were up for decades as well.
I think it was up for like 10 years before anybody even noticed. So certainly, if we think about the kind of trend of people leaving companies, most people leave the company after maybe two to three years. Eventually, there'll be nobody left that knows that API exists. And the bad guys are highly motivated to find out it does exist because for them, that is a payday.
That is a way in, not even a backdoor, right? It is just a nice entryway, inviting one in to come and attack you.
I always feel bad for the defenders when I have this conversation with them, because as an attacker, my job is quite easy compared to that, because that is not an easy thing to do. Obviously, you can buy API security solutions like Traceable that have this as part of it, and that can be a great option.
But if you don't have the budget, you don't have the maturity to deal with it, that is where it is really hard. Some advice I've given some of the companies I've worked with has been: run an inventory.
If you can try and get as much information as you can, whether that is digging through GitHub commit history, digging through what files are on servers, what cloud environments are running and what they're all running and what you have available, what pods are up, or by just asking a developer, "hey, do you know what APIs we have?" That is a huge first step in taming this beast.
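The inventory she describes (route definitions in source, what the ingress exposes, and credentials left behind in files) can be started with a small script before any commercial tooling is in place. The following is an added example, not code from the podcast, from Katie Paxton-Fear or from Traceable. It writes a constructed sample repository (a Flask service, an Express service, a Kubernetes Ingress and a settings file; none of it real) into a temporary directory, then builds a first-cut inventory: every recognisable route, every line that looks like a hardcoded credential, and every code route that no inventoried Ingress prefix covers. The framework regexes, the credential patterns and the "not behind ingress" check are assumptions chosen for illustration; a real run would extend them to the frameworks and secret formats actually in use and point the root at a checkout with `git log -p` history unpacked.

```python
"""First-cut API and credential inventory over a source tree (constructed example)."""
import re
import tempfile
from pathlib import Path

# Constructed sample repository (not a real codebase): two services, an Ingress, a settings file.
SAMPLE_FILES = {
    "services/billing/app.py": '''
@app.route("/api/v1/invoices", methods=["GET", "POST"])
def invoices():
    return "ok"

@app.route("/api/internal/export")  # nobody remembers this one
def export():
    return "ok"
''',
    "services/legacy/server.js": '''
app.get("/api/v0/users/:id", (req, res) => res.send("ok"));
app.post("/api/v0/admin/reset", (req, res) => res.send("ok"));
''',
    "deploy/ingress.yaml": '''
kind: Ingress
spec:
  rules:
  - host: api.example.test
    http:
      paths:
      - path: /api/v1
      - path: /api/v0
''',
    "config/settings.py": '''
DB_URL = "postgres://billing:hunter2@db.internal/billing"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
''',
}

# Route definitions this example recognises (assumption: Flask, Express and Ingress only).
FLASK_ROUTE = re.compile(r'@\w+\.route\(\s*["\']([^"\']+)["\']([^)]*)\)')
EXPRESS_ROUTE = re.compile(r'\b(?:app|router)\.(get|post|put|patch|delete|all)\(\s*["\']([^"\']+)["\']')
INGRESS_PATH = re.compile(r'^\s*-\s*path:\s*(\S+)', re.M)

# Credential patterns: the AWS access-key-id format, a URL with an embedded password,
# and a generic "secret-looking name = quoted value" assignment. Illustrative, not exhaustive.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
    "url-with-password": re.compile(r'\b[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@'),
    "assigned-secret": re.compile(r'(?i)\b\w*(secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*["\'][^"\']{8,}["\']'),
}


def _files(root: Path):
    return (f for f in sorted(root.rglob("*")) if f.is_file())


def inventory_routes(root: Path) -> list[dict]:
    """Walk the tree and record every route definition the patterns above can see."""
    routes = []
    for file in _files(root):
        text, rel = file.read_text(errors="replace"), str(file.relative_to(root))
        for m in FLASK_ROUTE.finditer(text):
            methods = re.findall(r'["\']([A-Z]+)["\']', m.group(2)) or ["GET"]  # Flask default
            routes.append({"file": rel, "source": "flask", "methods": methods, "path": m.group(1)})
        for m in EXPRESS_ROUTE.finditer(text):
            routes.append({"file": rel, "source": "express", "methods": [m.group(1).upper()], "path": m.group(2)})
        if file.suffix in (".yaml", ".yml"):
            for m in INGRESS_PATH.finditer(text):
                routes.append({"file": rel, "source": "ingress", "methods": ["*"], "path": m.group(1)})
    return routes


def find_hardcoded_credentials(root: Path) -> list[dict]:
    """Flag lines that look like live credentials; record where, never the value itself."""
    findings = []
    for file in _files(root):
        for lineno, line in enumerate(file.read_text(errors="replace").splitlines(), 1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append({"file": str(file.relative_to(root)), "line": lineno, "kind": kind})
    return findings


def unreferenced_routes(routes: list[dict]) -> list[str]:
    """Code routes under no inventoried Ingress prefix: reachable some other way, or by nobody known."""
    prefixes = [r["path"] for r in routes if r["source"] == "ingress"]
    return sorted({r["path"] for r in routes if r["source"] != "ingress"
                   and not any(r["path"].startswith(p) for p in prefixes)})


def build_inventory(root: Path) -> dict:
    routes = inventory_routes(root)
    return {"routes": routes, "credentials": find_hardcoded_credentials(root),
            "not_behind_ingress": unreferenced_routes(routes)}


def run_demo() -> dict:
    """Write the constructed sample repo to a temp dir and inventory it."""
    root = Path(tempfile.mkdtemp(prefix="api-inventory-"))
    for rel, text in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return build_inventory(root)


if __name__ == "__main__":
    inv = run_demo()
    for r in inv["routes"]:
        print(f'{r["source"]:8} {",".join(r["methods"]):9} {r["path"]:24} {r["file"]}')
    for c in inv["credentials"]:
        print(f'CREDENTIAL {c["kind"]} at {c["file"]}:{c["line"]}')
    print("routes not behind the inventoried ingress:", inv["not_behind_ingress"])
```

Two of the findings are the ones the conversation is about: the legacy `/api/v0` routes are still exposed by the Ingress even though they live in a service nobody maintains, and `/api/internal/export` is defined in code but sits under no Ingress prefix, so someone has to go and find out how (or whether) it is reachable. The credential findings are the GitHub case in miniature: the scan has to run over commit history as well as the working tree, because a secret removed in a later commit is still in the repository.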