Exploring Information Security - Exploring Information Security
Timothy De Block
100 episodes
2 days ago
Summary:
Timothy De Block is joined by Sam Chehab to unpack the key findings of the 2025 Postman State of the API Report. Sam emphasizes that APIs are the connective tissue of the modern world and that the biggest security challenges are rooted in fundamentals. The conversation dives deep into how AI agents are transforming API development and consumption, introducing new threats like "rug pulls" , and demanding higher quality documentation and error messages. Sam also shares actionable advice for engineers, including a "cheat code" for getting organizational buy-in for AI tools and a detailed breakdown of the new Model Context Protocol (MCP).
Key Insights from the State of the API Report
API Fundamentals are Still the Problem: The start of every security journey is an inventory problem (the first two CIS controls). Security success is a byproduct of solving collaboration problems for developers first.
The Collaboration Crisis: 93% of teams are struggling with API collaboration, leading to duplicated work and an ever-widening attack surface due to decentralized documentation (Slack, Confluence, etc.).
API Documentation is Up: A positive sign of progress is that 58% of teams surveyed are actively documenting their APIs to improve collaboration.
Unauthorized Access Risk: 51% of developers cite unauthorized agent access as a top security risk. Sam suspects this is predominantly due to the industry-wide "hot mess" of secrets management and leaked API keys.
Credential Amplification: This term is used to describe how risk is exponential, not linear, when one credential gains access to a service that, in turn, has access to multiple other services (i.e., lateral movement).
AI, MCP, and New Security Challenges
Model Context Protocol (MCP): MCP is a protocol layer that sits on top of existing RESTful services, allowing users to generically interact with APIs using natural language. It acts as an abstraction layer, translating natural language requests into the proper API calls.
The AI API Readiness Checklist: For APIs to be effective for AI agents:
Rich Documentation: AI thrives on documentation, which developers generally hate writing. Using AI to write documentation is key.
Rich Errors: APIs need contextual error messages (e.g., "invalid parameter, expected X, received Y") instead of generic messages like "something broke".
AI Introduces Supply Chain Threats: The "rug pull" threat involves blindly trusting an MCP server that is then swapped out for a malicious one. This is a classic supply chain problem (similar to NPM issues) that can happen much faster in the AI world.
MCP Supply Chain Risk: Because you can use other people's MCP servers, developers must validate which MCP servers they're using to avoid running untrusted code. The first reported MCP hack involved a server that silently BCC'd an email to the attacker every time an action was performed.
Actionable Advice and Engineer "Cheat Codes"
Security Shift-Left with Postman: Security teams should support engineering's use of tools like Postman because it allows developers to run security tests (load testing, denial of service simulation, black box testing) themselves within their normal workflow, accelerating development velocity.
API Key Management is Critical: Organizations need policies around API key generation, expiration, and revocation. Postman actively scans public repos (like GitHub) for leaked Postman keys, auto-revokes them, and notifies the administrator.
Getting AI Buy-in (The Cheat Code): To get an AI tool (like a Postman agent or a code generator) approved within your organization, use this tactic:
Generate a DPA (Data Processing Agreement) using an AI tool.
Present the DPA and a request for an Enterprise License to Legal, Security, and your manager.
This demonstrates due diligence and opens the door for safe, approved AI use, making you an engineering "hero".
About Postman and the Report
Postman's Reach: Postman is considered the de facto standard for API development and is used in 98% of the Fortune 500.
Report Origins: The annual report, now in its seventh year, was started because no one else was effectively collecting and synthesizing data across executives, managers, developers, and consultants regarding API production and consumption.
All content for Exploring Information Security - Exploring Information Security is the property of Timothy De Block and is served directly from their servers
with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Summary:
Timothy De Block is joined by Sam Chehab to unpack the key findings of the 2025 Postman State of the API Report. Sam emphasizes that APIs are the connective tissue of the modern world and that the biggest security challenges are rooted in fundamentals. The conversation dives deep into how AI agents are transforming API development and consumption, introducing new threats like "rug pulls" , and demanding higher quality documentation and error messages. Sam also shares actionable advice for engineers, including a "cheat code" for getting organizational buy-in for AI tools and a detailed breakdown of the new Model Context Protocol (MCP).
Key Insights from the State of the API Report
API Fundamentals are Still the Problem: The start of every security journey is an inventory problem (the first two CIS controls). Security success is a byproduct of solving collaboration problems for developers first.
The Collaboration Crisis: 93% of teams are struggling with API collaboration, leading to duplicated work and an ever-widening attack surface due to decentralized documentation (Slack, Confluence, etc.).
API Documentation is Up: A positive sign of progress is that 58% of teams surveyed are actively documenting their APIs to improve collaboration.
Unauthorized Access Risk: 51% of developers cite unauthorized agent access as a top security risk. Sam suspects this is predominantly due to the industry-wide "hot mess" of secrets management and leaked API keys.
Credential Amplification: This term is used to describe how risk is exponential, not linear, when one credential gains access to a service that, in turn, has access to multiple other services (i.e., lateral movement).
AI, MCP, and New Security Challenges
Model Context Protocol (MCP): MCP is a protocol layer that sits on top of existing RESTful services, allowing users to generically interact with APIs using natural language. It acts as an abstraction layer, translating natural language requests into the proper API calls.
The AI API Readiness Checklist: For APIs to be effective for AI agents:
Rich Documentation: AI thrives on documentation, which developers generally hate writing. Using AI to write documentation is key.
Rich Errors: APIs need contextual error messages (e.g., "invalid parameter, expected X, received Y") instead of generic messages like "something broke".
AI Introduces Supply Chain Threats: The "rug pull" threat involves blindly trusting an MCP server that is then swapped out for a malicious one. This is a classic supply chain problem (similar to NPM issues) that can happen much faster in the AI world.
MCP Supply Chain Risk: Because you can use other people's MCP servers, developers must validate which MCP servers they're using to avoid running untrusted code. The first reported MCP hack involved a server that silently BCC'd an email to the attacker every time an action was performed.
Actionable Advice and Engineer "Cheat Codes"
Security Shift-Left with Postman: Security teams should support engineering's use of tools like Postman because it allows developers to run security tests (load testing, denial of service simulation, black box testing) themselves within their normal workflow, accelerating development velocity.
API Key Management is Critical: Organizations need policies around API key generation, expiration, and revocation. Postman actively scans public repos (like GitHub) for leaked Postman keys, auto-revokes them, and notifies the administrator.
Getting AI Buy-in (The Cheat Code): To get an AI tool (like a Postman agent or a code generator) approved within your organization, use this tactic:
Generate a DPA (Data Processing Agreement) using an AI tool.
Present the DPA and a request for an Enterprise License to Legal, Security, and your manager.
This demonstrates due diligence and opens the door for safe, approved AI use, making you an engineering "hero".
About Postman and the Report
Postman's Reach: Postman is considered the de facto standard for API development and is used in 98% of the Fortune 500.
Report Origins: The annual report, now in its seventh year, was started because no one else was effectively collecting and synthesizing data across executives, managers, developers, and consultants regarding API production and consumption.
How BSides St Louis Can Help Take The Next Step in Cybersecurity
Exploring Information Security - Exploring Information Security
38 minutes 27 seconds
3 months ago
How BSides St Louis Can Help Take The Next Step in Cybersecurity
Summary:
Timothy De Block and Ben Miller discuss the upcoming BSides St. Louis conference. Ben shares the mission behind the event: to provide a low-cost, high-value conference for beginners and those new to the security community. They cover the importance of community-building, the value of professional skills alongside technical ones, and the power of networking at local events.
Key Takeaways:
BSides St. Louis Mission: Ben and his co-founders created BSides St. Louis in 2015 as a "passion project" with the motto, "bringing the interested to the connected". The goal is to offer a free or low-cost conference to make cybersecurity knowledge accessible to beginners and career-changers who can't afford larger, more expensive events.
Cost and Accessibility: This year's conference operates on a donation basis, with a recommended $25 charge to help estimate food and t-shirt orders. Ben clarifies that no one will be turned away for an inability to pay, and the organization is a 501(c)(3) charity.
Networking and Career Growth: Both Ben and Timothy stress that attending local conferences like BSides on a Saturday demonstrates a commitment to learning that employers value. Networking at these events can lead to job opportunities and valuable professional connections.
Professional Skills Over Hard Skills: Ben argues that professional skills—such as public speaking, running effective meetings, and communicating politely—are more crucial for career longevity than hard technical skills. He shares a personal story about how a poorly chosen phrase accidentally hurt a colleague and taught him the importance of careful communication.
Encouraging New Speakers: BSides St. Louis actively seeks out first-time speakers. Ben looks for people who have never given a talk before because the audience is forgiving and it helps them develop skills vital for interviewing and running meetings.
Family-Friendly Environment: The conference is explicitly family-friendly, encouraging attendees to bring children and high school students to explore the campus and participate in activities like lockpicking and soldering. Ben views "hackers" as anyone who does "something in a way that wasn't intended to be done".
Personal Philosophy: Ben shares his personal mission to help people "feel secure so they can sleep at night" and his belief that giving back through events like BSides is a way to help others who were not as fortunate as he was growing up.
Notable Quotes:
"Bringing the interested to the connected".
"One con talk isn't going to make you an expert, but learning just enough to know what to Google, so that you can become an expert when you need to later... Huge. So helpful".
"I can train somebody really easy to run NMAP... but telling somebody how to shut up in a meeting and listen way harder".
"Don't self-select yourself out of opportunities".
"My personal life goal is to help people feel secure so they can sleep at night".
Exploring Information Security - Exploring Information Security
Summary:
Timothy De Block is joined by Sam Chehab to unpack the key findings of the 2025 Postman State of the API Report. Sam emphasizes that APIs are the connective tissue of the modern world and that the biggest security challenges are rooted in fundamentals. The conversation dives deep into how AI agents are transforming API development and consumption, introducing new threats like "rug pulls" , and demanding higher quality documentation and error messages. Sam also shares actionable advice for engineers, including a "cheat code" for getting organizational buy-in for AI tools and a detailed breakdown of the new Model Context Protocol (MCP).
Key Insights from the State of the API Report
API Fundamentals are Still the Problem: The start of every security journey is an inventory problem (the first two CIS controls). Security success is a byproduct of solving collaboration problems for developers first.
The Collaboration Crisis: 93% of teams are struggling with API collaboration, leading to duplicated work and an ever-widening attack surface due to decentralized documentation (Slack, Confluence, etc.).
API Documentation is Up: A positive sign of progress is that 58% of teams surveyed are actively documenting their APIs to improve collaboration.
Unauthorized Access Risk: 51% of developers cite unauthorized agent access as a top security risk. Sam suspects this is predominantly due to the industry-wide "hot mess" of secrets management and leaked API keys.
Credential Amplification: This term is used to describe how risk is exponential, not linear, when one credential gains access to a service that, in turn, has access to multiple other services (i.e., lateral movement).
AI, MCP, and New Security Challenges
Model Context Protocol (MCP): MCP is a protocol layer that sits on top of existing RESTful services, allowing users to generically interact with APIs using natural language. It acts as an abstraction layer, translating natural language requests into the proper API calls.
The AI API Readiness Checklist: For APIs to be effective for AI agents:
Rich Documentation: AI thrives on documentation, which developers generally hate writing. Using AI to write documentation is key.
Rich Errors: APIs need contextual error messages (e.g., "invalid parameter, expected X, received Y") instead of generic messages like "something broke".
AI Introduces Supply Chain Threats: The "rug pull" threat involves blindly trusting an MCP server that is then swapped out for a malicious one. This is a classic supply chain problem (similar to NPM issues) that can happen much faster in the AI world.
MCP Supply Chain Risk: Because you can use other people's MCP servers, developers must validate which MCP servers they're using to avoid running untrusted code. The first reported MCP hack involved a server that silently BCC'd an email to the attacker every time an action was performed.
Actionable Advice and Engineer "Cheat Codes"
Security Shift-Left with Postman: Security teams should support engineering's use of tools like Postman because it allows developers to run security tests (load testing, denial of service simulation, black box testing) themselves within their normal workflow, accelerating development velocity.
API Key Management is Critical: Organizations need policies around API key generation, expiration, and revocation. Postman actively scans public repos (like GitHub) for leaked Postman keys, auto-revokes them, and notifies the administrator.
Getting AI Buy-in (The Cheat Code): To get an AI tool (like a Postman agent or a code generator) approved within your organization, use this tactic:
Generate a DPA (Data Processing Agreement) using an AI tool.
Present the DPA and a request for an Enterprise License to Legal, Security, and your manager.
This demonstrates due diligence and opens the door for safe, approved AI use, making you an engineering "hero".
About Postman and the Report
Postman's Reach: Postman is considered the de facto standard for API development and is used in 98% of the Fortune 500.
Report Origins: The annual report, now in its seventh year, was started because no one else was effectively collecting and synthesizing data across executives, managers, developers, and consultants regarding API production and consumption.
