There we go – Anirban is at it again! What now?
Saturday Night Live (SNL) has a great skit based on a character played by veteran artist- Tom Hanks. I call this the “David S Pumpkins” (DSP) series. The reactions of the SNL characters, mainly the couple riding in the elevator is the main party piece. DSP – is not only hilarious, but also quite apt in the world of computer security. Still interested? Stick around and buckle up because this is going to be one convoluted, but interesting read.
The Washington Post wrote a review of the DSP skit, and the highlight for me was – “The short David S. Pumpkins sketch on “Saturday Night Live” was a perfect example of anti-comedy, something that’s funny because it’s both absurd and inherently unfunny.”
But pray tell, what does a SNL skit have to do with API security, hit me already, ok?
Here’s the connection – just like something that is inherently unfunny, and absurd can turn out to actually be quite funny – something that is perceived as just another “hair on fire” security need, and usually chuckled at behind the closed doors of security-dom can actually make a lot of sense, albeit when looking at the premise from a different perspective.
Without giving away too much of the plot of the DSP skit from SNL, here is what I have observed. The reason why the character for DSP was considered unfunny, and absurd is because the job of the character was assumed to be in line with the other “scary ghouls and frightening monsters” on the halloween ride. However, when the character is analyzed and accepted for itself, independent of this bias (formed during the ride, and possibly over the lifetimes of the couple riding in the elevator) the DSP character turns out to be quite amusing indeed.
That is the hypothesis we are discussing here. With more than a few hundred million dollars being poured into pure play API security companies, who do little more than (1) ingest your OpenAPI, Swagger documentation (2) Run automated OWASP top 10 tests and get you a report – this area seems like “yet another security trend”. But maybe a bit more closer analysis is needed.
In my 13 years of working in the security industry, building 3 companies (including Riscosity), talking to partners, selling, coding, supporting and whatever else you can take a swing at, “Are your APIs secure?” is a question which has — never — come up in a vendor, client sale conversation. In fact, I would go as far as to say that – when has a sales team ever been given a checklist to have the dev or security teams sign off on, which demonstrates unequivocally that the public-facing APIs for the vendor are battle tested prior to the customer signing on the dotted line? Let us not kid our selves – no – API security is not the next big must have.
Anirban, have you lost your mind? Have we not seen the predictions from Gartner and team, the millions poured into this area by Silicon Valley and the rich glossy marketing brochures printed (prior COVID) ready to be distributed at RSA which boldly mention API security as the next holy grail? In fact well respected industry long timers have published CISO mind maps with “API security” in them.
Well that is where the rub lies. API security today is a subset of Application Security Assurance. API security – is – important, but not as important as one would like to make you believe. Sacrilege! I know. My point is that API security, part of Static Analysis, Dynamic/Fuzz Testing makes perfect sense but is just another “add on” to the entire test harness of sorts. When testing a web form for SQL injection with a plethora of tools, do we really feel that the underlying API needs some sort of “special” snowflake treatment? No. Bottomline – API security is an add on feature – not an entire market segment to sell to.
What is a market segment then, related to all the jazz around API security? Ah! am I glad that you asked – Lets us understand the job of an API first.
- Transfer data from one organization, or product, or feature to another
- Transform the data from one organization, or product, or feature to another
An important point to notice in the above statements is “data” – focus on that. What people really care about is the “data”. An API security service that actually focuses on discovering, cataloging, securing and auditing “data” – is a market segment. Not convinced – think about IAM, PAM. What is IAM and PAM all about? SSO? No – its all about securing access to the “data”. Essentially when API security looked at from a different perspective where it focuses more on answering questions like:
- What data am I passing through my APIs, can I turn on automated classification, DLP?
- Who is the data being given to, are they worthy (Yes, Wayne’s world reference)?
- Can we Audit who got access to what, when, where did it land up, who was given the data down the chain?
A company that answers question of these sorts, might at first glance seems like DSP – but hold on to your hats for a second and you might just realize the value underneath. Essentially answering the typical is this API secure because it uses an authentication token is important – but certainly not a completely standalone, massive market segment on its own. Vulnerability Testing products took ages to form their own market segment, and now with well established appsec assurance programs, tooling, processes – is simply checking for API good/bad is barely of any significant value. So – I leave you in peace with the following statement – Any API security company that provides the obligatory OWASP top 10 checks on customer facing APIs, is probably going to get acquired and turned into a feature set – not a company that will stand on its own and become a great brand. Guess we will find out if I have to sauté my hat and have to eat it any time soon ;-).
Cheers to great success together!
Credits: Header Image – https://www.nbc.com/saturday-night-live