The Future of API Security with FireTail’s Jeremy Snyder
In this episode of The Secure Developer, Danny Allan, CTO of Snyk, welcomes Jeremy Snyder, co-founder and CEO of FireTail, to discuss the future of API security and AI security. Jeremy shares his professional journey, which began with an unsuccessful attempt to become a software developer, followed by an enriching career in cybersecurity and IT infrastructure. He joined AWS in 2010, then a startup, and learned the importance of cloud infrastructure. This experience led him to co-found FireTail, a company specializing in API security.

Jeremy explains that API security rests primarily on authentication and authorization. He emphasizes that authorization is often neglected, which leads to security vulnerabilities. He uses the analogy of LinkedIn profiles to illustrate the point: Jeremy can view and edit his own profile, but cannot edit Danny's profile. He warns against using primary database keys as identifiers in API requests, since predictable keys let a caller reach records that are not theirs and make data vulnerable to exfiltration.

The discussion also addresses the challenges of two-factor authentication (2FA), including SIM swapping and the motivation of customer support agents. Jeremy notes that 2FA adoption is often hindered by practical and human considerations, such as users' reluctance to set up authenticator apps.

Danny and Jeremy discuss the impact of microservices on security. Although microservices can introduce new vulnerabilities, Jeremy believes the risk is more often transferred to a new, poorly understood attack surface. He notes that organizations are still securing their cloud environments after the rush to the cloud during the pandemic.

Jeremy shares insights on current trends in API security, including attempts to plant Mirai malware via API calls and the risks associated with LLM integrations.
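The authorization gap Jeremy describes, and the related problem of exposing primary database keys, as an added example that is not from the episode or from FireTail or Snyk. It contrasts a profile-edit handler that only checks that the caller is logged in with one that also checks that the caller owns the profile and that addresses profiles by an opaque identifier instead of the sequential database key. All names here (`ProfileStore`, `Request`, `edit_vulnerable`, `edit_hardened`, the sample users) are hypothetical and constructed for the illustration.

```python
"""Object-level authorization on an API resource: authentication alone
versus authentication plus an ownership check, with opaque identifiers.
Added illustration; ProfileStore, Request and the handlers are invented."""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Profile:
    pk: int           # sequential primary key of the backing database row
    owner: str        # username that owns this profile (set at creation)
    headline: str
    public_id: str    # opaque, unguessable identifier exposed through the API


class ProfileStore:
    """Minimal in-memory stand-in for a profiles table."""

    def __init__(self) -> None:
        self._by_pk = {}
        self._by_public_id = {}
        self._next_pk = 1

    def create(self, owner: str, headline: str) -> Profile:
        prof = Profile(self._next_pk, owner, headline, secrets.token_urlsafe(16))
        self._next_pk += 1
        self._by_pk[prof.pk] = prof
        self._by_public_id[prof.public_id] = prof
        return prof

    def get_by_pk(self, pk: int) -> Optional[Profile]:
        return self._by_pk.get(pk)

    def get_by_public_id(self, public_id: str) -> Optional[Profile]:
        return self._by_public_id.get(public_id)


@dataclass
class Request:
    user: Optional[str]   # authenticated username, or None if not logged in
    profile_ref: str      # identifier taken from the URL path, e.g. /profiles/<ref>
    new_headline: str


def edit_vulnerable(store: ProfileStore, req: Request) -> Tuple[int, str]:
    """Authentication only. The row is looked up by its database key, and
    nothing ties the row to the caller, so any logged-in user can edit any
    profile by supplying a different (and easily guessed) number."""
    if req.user is None:
        return 401, "authentication required"
    try:
        pk = int(req.profile_ref)
    except ValueError:
        return 400, "bad identifier"
    prof = store.get_by_pk(pk)
    if prof is None:
        return 404, "not found"
    prof.headline = req.new_headline          # no ownership check
    return 200, prof.headline


def edit_hardened(store: ProfileStore, req: Request) -> Tuple[int, str]:
    """Authentication plus object-level authorization. The resource is
    addressed by an opaque id, and the handler verifies that the
    authenticated user owns the row before touching it."""
    if req.user is None:
        return 401, "authentication required"
    prof = store.get_by_public_id(req.profile_ref)
    # Treat "does not exist" and "not yours" identically so the response
    # does not reveal which identifiers are valid.
    if prof is None or prof.owner != req.user:
        return 404, "not found"
    prof.headline = req.new_headline
    return 200, prof.headline


def demo() -> dict:
    """Runs both handlers against two constructed profiles and returns the
    HTTP status each request receives."""
    store = ProfileStore()
    jeremy = store.create("jeremy", "Co-founder, FireTail")
    danny = store.create("danny", "CTO, Snyk")
    return {
        # logged in as jeremy, addressing danny's row by its database key
        "vuln_cross_user": edit_vulnerable(store, Request("jeremy", str(danny.pk), "changed"))[0],
        # same attempt against the hardened handler using danny's opaque id
        "hard_cross_user": edit_hardened(store, Request("jeremy", danny.public_id, "changed"))[0],
        # jeremy editing his own profile is allowed
        "hard_own": edit_hardened(store, Request("jeremy", jeremy.public_id, "updated"))[0],
        # an unauthenticated caller is rejected before any lookup
        "hard_anon": edit_hardened(store, Request(None, jeremy.public_id, "x"))[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The ownership check is the essential fix; the opaque identifier is defence in depth, since a handler that forgets the check is still harder to abuse when identifiers cannot be enumerated. Returning 404 rather than 403 for a profile the caller does not own is a deliberate choice so the API does not confirm which identifiers exist.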
The conversation then turns to the intersection of AI and API security. Jeremy explains that APIs are the exposure point for many AI-based applications, introducing new security risks. He gives the example of a vulnerability in OpenAI's web crawler API, which allowed DDoS attacks against target websites.

Danny asks whether AI requests should be differentiated from human requests. Jeremy thinks companies will quickly realize they can charge extra for services rendered by AI agents, which could lead to service differentiation. However, he notes that this could also incentivize AI agents to seek the best deals, creating a cat-and-mouse game.

Jeremy predicts that APIs will evolve to adapt to AI, moving from REST to GraphQL, which offers a more flexible model for querying data. He believes this evolution is necessary for services to meet the unpredictable demands of AI agents.

Finally, Jeremy expresses his optimism for the future of API and AI security. He notes that security teams are increasingly aware of the need to closely follow the adoption of new technologies by the business, and he believes that this closer alignment between security and business will help avoid past mistakes.

To learn more, listen to the full episode at https://snyk.io/podcasts/the-secure-developer/the-future-of-api-security-with-firetails-jeremy-snyder/