It’s easy to feel unmoored in a fast-changing world with such choppy waves. With so much change, there’s a natural tendency to want to drop the anchor in the nearest calm waters and remain there, hoping this approach will be the most secure. But the water’s never really placid. There are extremely strong currents beneath the surface. Even the most gigantic anchor won’t be able to keep the ship from moving. It’ll just slow it down a little, and, maybe, even pull the vessel apart no matter the quality of how it was built. Joshua Scott, the Head of IT and Security for Postman, believes that accepting and planning for changes in technology is the best security strategy.

Main Takeaways

• Evolution of the API Market: The API market was often overlooked in the past but that’s no longer the case. Postman has about fifteen million developers on its site who are working on various API projects. Where API was treated as something less than before, it is now appreciated like any other application. The mentality concerning API security has also evolved. Previously, API security was more of an afterthought. Given the  amount of increasingly interconnected tools, the import of API security is now more greatly understood. 
• Both Centralization and Decentralization: When maintaining security, there needs to be clear leadership; therefore, a level of centralization. A clear, centralized hierarchy establishes accountability for leadership. An aspect of security decentralization is building a culture of shared responsibility among all stakeholders. Additionally, decentralizing security by empowering those closest to the action increases the speed of decision-making.
• Compartmentalization is a Good thing: In one’s personal life, compartmentalize is a good thing in some respects but tends to have diminishing returns when overused. In the security arena, the capacity to compartmentalize mitigates risk from spreading from one spot to all aspects of the business. If a business is a ship, it’s never great to have a breach in the hull but it’s better if the gaping hole is limited to one compartment.

For a more in-depth look at this episode, check out the article below.

Article:

It’s easy to feel unmoored in a fast-changing world with such choppy waves. With so much change, there’s a natural tendency to want to drop the anchor in the nearest calm waters and remain there, hoping this approach will be the most secure. But the water’s never really placid. There are extremely strong currents beneath the surface. Even the most gigantic anchor won’t be able to keep the ship from moving. It’ll just slow it down a little, and, maybe, even pull the vessel apart no matter the quality of how it was built. Joshua Scott, the Head of IT and Security for Postman, believes that accepting and planning for changes in technology is the best security strategy.

“The only constant we have is change,” Scott said. “Let’s just continue to plan for that. We know tech will change, but if we put in good patterns and good practices and really enable the teams to make better decisions, we’re going to have much more success.”

Being a stubborn captain is simply untenable because it will not lead to success. Accepting change allows for moving along with the current. The captain charts a new course and engages the crew to work together toward that end. Suddenly, change goes from a destructive problem to an asset. Instead of tearing the hull apart, the energy moves the vessel forward in unity with the captain’s plans.

On a recent episode of IT Visionaries, Scott explained his security philosophy and his work at Postman, a platform that helps developers build APIs. He shared the importance of creating a positive security culture for an entire company that simultaneously has clear leadership while also empowering employees nearest to where decisions are actually made. 

“I view my role as I’m here to help your organization make better decisions around security to allow them to make informed decisions,” Scott said. “But that doesn’t mean that I own every single aspect of it. I want to make sure that the teams are empowered so that they can move quickly too.” 

In this manner, a level of centralization in leadership is important and helps with accountability. Simultaneously, decentralization in the security effort increases empowerment for those closest to the action. A head of security is not likely in that position at all times.

“A lot of times we’re not in the best position to make certain types of decisions,” Scott said. “It could be the engineering teams who are actually at the frontline writing the code, or it could be the finance team was actually approving these types of transactions. It’s about getting them the necessary information; making sure that they understand how to respond in certain types of scenarios, and enabling them to do their job in a secure manner.” 

Another aspect of decentralization is in compartmentalization. Compartmentalizing work into sections decreases the chance for a bad actor’s ill intent to spread. 

Um, another kind of ideal scenario is ”How do you compartmentalize things more; segment things more so that the blast radius is reduced,” Scott said. “If there is an issue with this particular segment, this business unit, this application, this component, that it can only do so much damage because you’ve limited essentially the blast radius.” 

Security is constantly changing and evolving to adapt to advances in technology.

No product is ever a hundred percent, uh, you know, fulfills every need. So you’re going to need a bunch of different tool sets to actually kind of pull things together. And that’s where the API has come into play. Um, it, you know, where does security end with it? I think it’s a, that’s an interesting question. I mean, basically security is involved at pretty much every level and it’s, it’s an interesting, uh, item because you know, “Many years ago, security wasn’t involved in those types of things and really APIs were an afterthought, so things are changing quite a bit,” Scott said.

According to Scott, that’s certainly no longer the case. 

“APIs are eating the world; software’s eating the world,” Scott said. “Every application needs to be able to communicate to another application and you need to be able to integrate it into,  basically, the fabric of your business.”

From a security perspective, Scott contended that APIs must be analyzed just like any other application.

“It’s a matter of understanding, what are the data flows within that application?” Scott asked. What are the risky calls that you can actually make that would actually have an impact to the organization? Really, [it’s] monitoring basically your crown jewels. What’s that really dangerous endpoint that could delete all data within a database or delete certain records. [It’s about] monitoring those for usage [and] monitoring those for anomalies.” 

Companies are now realizing that overlooking API security leads them open to trouble. Some of the initial work that must be done is in discoverability. 

“You can’t secure what you don’t know about,” Scott said. “If you don’t actually have the catalog of the different types of APIs you have, how do you know what kind of controls to put on it and what needs to be protected?”

Another API security aspect is testing functional APIs to make certain they are running safely.

So that’s another part of the big workflow is, you know, “Once you have something running from an API standpoint, you also want to test it and make sure that when it’s actually running that it’s not introducing vulnerabilities or exposing data,” Scott said. 

APIs are finally having their moment in the tech world. Now, they are appreciated for their value and also for the security risks that correspond to great worth.

To hear more about how Scott and Postman are rolling with technological changes to support the development and security of APIs, check out the full episode of IT Visionaries!