Exploring Information Security - Exploring Information Security
Timothy De Block
100 episodes
2 days ago
Summary:
Timothy De Block is joined by Sam Chehab to unpack the key findings of the 2025 Postman State of the API Report. Sam emphasizes that APIs are the connective tissue of the modern world and that the biggest security challenges are rooted in fundamentals. The conversation dives deep into how AI agents are transforming API development and consumption, introducing new threats like "rug pulls" , and demanding higher quality documentation and error messages. Sam also shares actionable advice for engineers, including a "cheat code" for getting organizational buy-in for AI tools and a detailed breakdown of the new Model Context Protocol (MCP).
Key Insights from the State of the API Report
API Fundamentals are Still the Problem: The start of every security journey is an inventory problem (the first two CIS controls). Security success is a byproduct of solving collaboration problems for developers first.
The Collaboration Crisis: 93% of teams are struggling with API collaboration, leading to duplicated work and an ever-widening attack surface due to decentralized documentation (Slack, Confluence, etc.).
API Documentation is Up: A positive sign of progress is that 58% of teams surveyed are actively documenting their APIs to improve collaboration.
Unauthorized Access Risk: 51% of developers cite unauthorized agent access as a top security risk. Sam suspects this is predominantly due to the industry-wide "hot mess" of secrets management and leaked API keys.
Credential Amplification: This term is used to describe how risk is exponential, not linear, when one credential gains access to a service that, in turn, has access to multiple other services (i.e., lateral movement).
AI, MCP, and New Security Challenges
Model Context Protocol (MCP): MCP is a protocol layer that sits on top of existing RESTful services, allowing users to generically interact with APIs using natural language. It acts as an abstraction layer, translating natural language requests into the proper API calls.
The AI API Readiness Checklist: For APIs to be effective for AI agents:
Rich Documentation: AI thrives on documentation, which developers generally hate writing. Using AI to write documentation is key.
Rich Errors: APIs need contextual error messages (e.g., "invalid parameter, expected X, received Y") instead of generic messages like "something broke".
AI Introduces Supply Chain Threats: The "rug pull" threat involves blindly trusting an MCP server that is then swapped out for a malicious one. This is a classic supply chain problem (similar to NPM issues) that can happen much faster in the AI world.
MCP Supply Chain Risk: Because you can use other people's MCP servers, developers must validate which MCP servers they're using to avoid running untrusted code. The first reported MCP hack involved a server that silently BCC'd an email to the attacker every time an action was performed.
Actionable Advice and Engineer "Cheat Codes"
Security Shift-Left with Postman: Security teams should support engineering's use of tools like Postman because it allows developers to run security tests (load testing, denial of service simulation, black box testing) themselves within their normal workflow, accelerating development velocity.
API Key Management is Critical: Organizations need policies around API key generation, expiration, and revocation. Postman actively scans public repos (like GitHub) for leaked Postman keys, auto-revokes them, and notifies the administrator.
Getting AI Buy-in (The Cheat Code): To get an AI tool (like a Postman agent or a code generator) approved within your organization, use this tactic:
Generate a DPA (Data Processing Agreement) using an AI tool.
Present the DPA and a request for an Enterprise License to Legal, Security, and your manager.
This demonstrates due diligence and opens the door for safe, approved AI use, making you an engineering "hero".
About Postman and the Report
Postman's Reach: Postman is considered the de facto standard for API development and is used in 98% of the Fortune 500.
Report Origins: The annual report, now in its seventh year, was started because no one else was effectively collecting and synthesizing data across executives, managers, developers, and consultants regarding API production and consumption.
All content for Exploring Information Security - Exploring Information Security is the property of Timothy De Block and is served directly from their servers
with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Summary:
Timothy De Block is joined by Sam Chehab to unpack the key findings of the 2025 Postman State of the API Report. Sam emphasizes that APIs are the connective tissue of the modern world and that the biggest security challenges are rooted in fundamentals. The conversation dives deep into how AI agents are transforming API development and consumption, introducing new threats like "rug pulls" , and demanding higher quality documentation and error messages. Sam also shares actionable advice for engineers, including a "cheat code" for getting organizational buy-in for AI tools and a detailed breakdown of the new Model Context Protocol (MCP).
Key Insights from the State of the API Report
API Fundamentals are Still the Problem: The start of every security journey is an inventory problem (the first two CIS controls). Security success is a byproduct of solving collaboration problems for developers first.
The Collaboration Crisis: 93% of teams are struggling with API collaboration, leading to duplicated work and an ever-widening attack surface due to decentralized documentation (Slack, Confluence, etc.).
API Documentation is Up: A positive sign of progress is that 58% of teams surveyed are actively documenting their APIs to improve collaboration.
Unauthorized Access Risk: 51% of developers cite unauthorized agent access as a top security risk. Sam suspects this is predominantly due to the industry-wide "hot mess" of secrets management and leaked API keys.
Credential Amplification: This term is used to describe how risk is exponential, not linear, when one credential gains access to a service that, in turn, has access to multiple other services (i.e., lateral movement).
AI, MCP, and New Security Challenges
Model Context Protocol (MCP): MCP is a protocol layer that sits on top of existing RESTful services, allowing users to generically interact with APIs using natural language. It acts as an abstraction layer, translating natural language requests into the proper API calls.
The AI API Readiness Checklist: For APIs to be effective for AI agents:
Rich Documentation: AI thrives on documentation, which developers generally hate writing. Using AI to write documentation is key.
Rich Errors: APIs need contextual error messages (e.g., "invalid parameter, expected X, received Y") instead of generic messages like "something broke".
AI Introduces Supply Chain Threats: The "rug pull" threat involves blindly trusting an MCP server that is then swapped out for a malicious one. This is a classic supply chain problem (similar to NPM issues) that can happen much faster in the AI world.
MCP Supply Chain Risk: Because you can use other people's MCP servers, developers must validate which MCP servers they're using to avoid running untrusted code. The first reported MCP hack involved a server that silently BCC'd an email to the attacker every time an action was performed.
Actionable Advice and Engineer "Cheat Codes"
Security Shift-Left with Postman: Security teams should support engineering's use of tools like Postman because it allows developers to run security tests (load testing, denial of service simulation, black box testing) themselves within their normal workflow, accelerating development velocity.
API Key Management is Critical: Organizations need policies around API key generation, expiration, and revocation. Postman actively scans public repos (like GitHub) for leaked Postman keys, auto-revokes them, and notifies the administrator.
Getting AI Buy-in (The Cheat Code): To get an AI tool (like a Postman agent or a code generator) approved within your organization, use this tactic:
Generate a DPA (Data Processing Agreement) using an AI tool.
Present the DPA and a request for an Enterprise License to Legal, Security, and your manager.
This demonstrates due diligence and opens the door for safe, approved AI use, making you an engineering "hero".
About Postman and the Report
Postman's Reach: Postman is considered the de facto standard for API development and is used in 98% of the Fortune 500.
Report Origins: The annual report, now in its seventh year, was started because no one else was effectively collecting and synthesizing data across executives, managers, developers, and consultants regarding API production and consumption.
LIVE: Unraveling the SharePoint Zero-Day Exploit (CVE-2025-53770)
Exploring Information Security - Exploring Information Security
38 minutes 27 seconds
2 months ago
LIVE: Unraveling the SharePoint Zero-Day Exploit (CVE-2025-53770)
Summary:
Link to the live recording: https://www.youtube.com/live/DHbGpRtDvIw?si=h6tHumVLrl3HOgq0
Join Timothy De Block and special guest Ben Miller for a deep dive into the SharePoint zero-day exploit, CVE-2025-53770. This episode breaks down the technical details of the "goofy authentication bypass" and its serious implications for on-premise systems. The discussion also expands into broader topics, including the critical role of human intelligence in security, the shift to Managed Security Service Providers (MSSPs), and the importance of addressing business processes and mental health in the industry.
Key Takeaways
The SharePoint Exploit (CVE-2025-53770): Ben Miller describes this vulnerability as an unauthenticated "zero-click" exploit that requires no user interaction. It's a "goofy authentication bypass" that allows an attacker to gain full control of an on-premise SharePoint server by simply sending a web request. Once an attacker gains access, they can steal keys and maintain persistent control.
On-Premise vs. Cloud: The vulnerability primarily affects on-premise SharePoint servers, which are managed directly by businesses. Ben explains that even organizations that have moved their systems to a cloud like Azure might still be vulnerable if they've retained old, vulnerable configurations.
Challenges with Detection and Remediation: Many businesses lack adequate logging and internal threat hunters, making it nearly impossible to detect if a breach occurred. The widespread use of SharePoint makes its vulnerabilities particularly dangerous, and entrenched intruders can be so difficult to remove that they may require a complete system overhaul.
The Human Element in Security: The speakers discuss how humans are the "trust link" and "determiner" in a security program, not just the weakest link. If one person's single action can compromise a system, it points to a process problem, not a human one. The episode also highlights the powerful role of social engineering, even with something as simple as using food to gain access to a network.
MSSPs and Career Advice: The conversation touches on the growing trend of organizations using Managed Security Service Providers (MSSPs) for their security operations. Ben suggests that MSSPs are a great entry point for aspiring security professionals, as they provide broad exposure to a variety of incidents. For long-term career success, Ben advises being able to translate security needs into business sense and becoming an expert in your field.
Community and Mental Health: Ben and Timothy encourage listeners to attend the BSides St. Louis conference on September 27th. Timothy even offered to pay for a ticket for anyone who can't afford it. The episode concludes with a discussion on mental health, with Ben encouraging people to view therapy as "a form of hygiene" and to seek help when needed.
Connect with Ben Miller & BSides St. Louis:
Website: bsidesstl.org
Event Date: September 27th
Event Location: Washington University's McKelvey School of Engineering
Exploring Information Security - Exploring Information Security
Summary:
Timothy De Block is joined by Sam Chehab to unpack the key findings of the 2025 Postman State of the API Report. Sam emphasizes that APIs are the connective tissue of the modern world and that the biggest security challenges are rooted in fundamentals. The conversation dives deep into how AI agents are transforming API development and consumption, introducing new threats like "rug pulls" , and demanding higher quality documentation and error messages. Sam also shares actionable advice for engineers, including a "cheat code" for getting organizational buy-in for AI tools and a detailed breakdown of the new Model Context Protocol (MCP).
Key Insights from the State of the API Report
API Fundamentals are Still the Problem: The start of every security journey is an inventory problem (the first two CIS controls). Security success is a byproduct of solving collaboration problems for developers first.
The Collaboration Crisis: 93% of teams are struggling with API collaboration, leading to duplicated work and an ever-widening attack surface due to decentralized documentation (Slack, Confluence, etc.).
API Documentation is Up: A positive sign of progress is that 58% of teams surveyed are actively documenting their APIs to improve collaboration.
Unauthorized Access Risk: 51% of developers cite unauthorized agent access as a top security risk. Sam suspects this is predominantly due to the industry-wide "hot mess" of secrets management and leaked API keys.
Credential Amplification: This term is used to describe how risk is exponential, not linear, when one credential gains access to a service that, in turn, has access to multiple other services (i.e., lateral movement).
AI, MCP, and New Security Challenges
Model Context Protocol (MCP): MCP is a protocol layer that sits on top of existing RESTful services, allowing users to generically interact with APIs using natural language. It acts as an abstraction layer, translating natural language requests into the proper API calls.
The AI API Readiness Checklist: For APIs to be effective for AI agents:
Rich Documentation: AI thrives on documentation, which developers generally hate writing. Using AI to write documentation is key.
Rich Errors: APIs need contextual error messages (e.g., "invalid parameter, expected X, received Y") instead of generic messages like "something broke".
AI Introduces Supply Chain Threats: The "rug pull" threat involves blindly trusting an MCP server that is then swapped out for a malicious one. This is a classic supply chain problem (similar to NPM issues) that can happen much faster in the AI world.
MCP Supply Chain Risk: Because you can use other people's MCP servers, developers must validate which MCP servers they're using to avoid running untrusted code. The first reported MCP hack involved a server that silently BCC'd an email to the attacker every time an action was performed.
Actionable Advice and Engineer "Cheat Codes"
Security Shift-Left with Postman: Security teams should support engineering's use of tools like Postman because it allows developers to run security tests (load testing, denial of service simulation, black box testing) themselves within their normal workflow, accelerating development velocity.
API Key Management is Critical: Organizations need policies around API key generation, expiration, and revocation. Postman actively scans public repos (like GitHub) for leaked Postman keys, auto-revokes them, and notifies the administrator.
Getting AI Buy-in (The Cheat Code): To get an AI tool (like a Postman agent or a code generator) approved within your organization, use this tactic:
Generate a DPA (Data Processing Agreement) using an AI tool.
Present the DPA and a request for an Enterprise License to Legal, Security, and your manager.
This demonstrates due diligence and opens the door for safe, approved AI use, making you an engineering "hero".
About Postman and the Report
Postman's Reach: Postman is considered the de facto standard for API development and is used in 98% of the Fortune 500.
Report Origins: The annual report, now in its seventh year, was started because no one else was effectively collecting and synthesizing data across executives, managers, developers, and consultants regarding API production and consumption.
