Katie Paxton-Fear
Podcast Appearances
If you can, try to get as much information as you can, whether that is digging through GitHub commit history, digging through what files are on servers, what cloud environments are running and what they're all running and what you have available, what pods are up, or just asking a developer, "Hey, do you know what APIs we have?" That is a huge first step in taming this beast.
But it's not easy. There are some really great word lists that you can use with fuzzing tools. There's "the only API word list you will ever need", which uses a lot of historical data from different APIs that they've audited, sharing their knowledge.
Some of the other things you can do: if you have API management tools, things like Kong or MuleSoft, they can be really great ways of finding APIs. But honestly, if we had a bulletproof solution to that, you would be a millionaire.
Companies like Traceable do a lot there in trying to, again, bring in that intelligence side of things, have continuous monitoring, and look for APIs in weird places. But you are simply not going to get them all. And what you need is a plan for how you're going to react when that inevitably happens.
So some of the most common mistakes that I see are essentially not having a process for decommissioning things. If your process for decommissioning things is "switch off", you are not going to catch everything. You need a way to track what developers have deployed over time, where it's deployed, and how it's deployed, and then you can properly decommission it when developers leave.
The other common mistake I see people make is having a really terrible relationship between development teams and security teams. A lot of people will have a weird adversarial relationship with their security team, and the security team is seen as an annoying, really frustrating team to have to deal with rather than it being a partnership.
And when you have that kind of relationship, it's really hard to bring it back. Some of the other common things are simply having no API security tools at all. I'm not just talking about only having free tools; you have nothing. You maybe don't even prioritize API security. That's another common one I see. There's no API incident response plan. There's no API management tools in place.
There's no process for deploying APIs. There's no API inventory in place. That is a really common thing that organizations will fall on. It's really easy to buy a tool that can scan your code and find every vulnerability. That's really tempting. Of course it's tempting. That sounds really easy. In reality, though, security is never quite that easy.
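As an added example (not the speaker's code, and not any vendor's tool), this small Python script shows the kind of inventory reconciliation the talk describes: it compares a declared API inventory against endpoints actually observed in gateway access logs, flags shadow APIs that nobody registered, orphaned APIs whose owner has left, and stale entries that are decommissioning candidates. The inventory, staff list and log lines are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed inventory: what developers declared they deployed, where, and who owns it.
INVENTORY = [
    {"path": "/api/v1/users", "owner": "alice", "env": "prod", "deployed": "2023-01-10"},
    {"path": "/api/v1/orders", "owner": "bob", "env": "prod", "deployed": "2023-03-02"},
    {"path": "/api/v0/reports", "owner": "carol", "env": "prod", "deployed": "2021-06-15"},
]
ACTIVE_STAFF = {"alice", "bob"}  # constructed: carol has left the company

# Constructed gateway access log lines in a common-log-like format.
GATEWAY_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2024:10:01:07 +0000] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.7 - - [12/May/2024:10:02:11 +0000] "GET /internal/debug/env HTTP/1.1" 200 2048
10.0.0.5 - - [12/May/2024:10:03:30 +0000] "GET /api/v1/users/7 HTTP/1.1" 200 510
"""
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def normalise(path: str) -> str:
    """Drop the query string and collapse numeric ids so /api/v1/users/42 matches /api/v1/users."""
    return re.sub(r"/\d+(?=/|$)", "", path.split("?")[0])


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per normalised path seen in the gateway log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[normalise(m.group("path"))] += 1
    return counts


def reconcile(inventory, active_staff, log_text, today, stale_days=365):
    """Return shadow (seen, not declared), orphaned (owner gone) and stale (old, unused) APIs."""
    seen = observed_endpoints(log_text)
    known = {e["path"] for e in inventory}
    shadow = sorted(p for p in seen if p not in known)
    orphaned = sorted(e["path"] for e in inventory if e["owner"] not in active_staff)
    cutoff = today - timedelta(days=stale_days)
    stale = sorted(e["path"] for e in inventory
                   if e["path"] not in seen
                   and datetime.strptime(e["deployed"], "%Y-%m-%d") < cutoff)
    return {"shadow": shadow, "orphaned": orphaned, "stale": stale}


if __name__ == "__main__":
    print(reconcile(INVENTORY, ACTIVE_STAFF, GATEWAY_LOG, datetime(2024, 5, 12)))
```

In practice the inventory would come from the API management tool or deployment pipeline and the log from the gateway, and each finding feeds the decommissioning or incident process rather than a print statement.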