Listen: Stoplight CTO says early checks prevent 80% of security risk vectors in open APIs

Banks and fintechs implementing open application programming interface (API) builds should look first to security measures as early security and authentication checks prevent up to 80% of risk vectors in API frameworks, Jason Harmon, chief technology officer at API design and development company Stoplight, tells Bank Automation News in this episode of “The Buzz” podcast. [caption id="attachment_220711" align="alignright" width="200"] Stoplight Chief Technology Officer Jason Harmon[/caption] Measuring current security and authentication practices against an established open-source library of API models is essential before embarking on an API journey, Harmon tells BAN . “Authentication authorization is the long pole in the tent, everywhere. It is the hardest part of building consistency in your API platform,” he says. “Having those checks as early as possible generally prevents 80% of the kind of security risk vectors that you see all the way when you're going to deploy.” API security spending will grow drastically in the new year, Harmon says. Results of these investments could vary, however, as companies struggle to migrate existing identity and security measures into API builds which are only as deep and integrative as the company allows. “If you don't have a clear way to connect your authentic identity systems back into your API's, you better get started,” Harmon tells BAN. Bank Automation Summit, taking place March 1-2 in Charlotte, N.C., is the first and only event to focus solely on automation in banking. The event will feature the brightest minds from across financial services on intelligent automation strategies and deployment. Learn more and register for Bank Automation Summit 2022 . Subscribe to The Buzz Podcast on iTunes , Spotify , Google podcast , or download the episode .

The following is a transcript generated by AI technology that has been lightly edited but still contains errors. Alijah Poindexter Good day and welcome to the buzz of bank automation news podcast. I'm Associate Editor Elijah Poindexter. Recently I spoke with Jason Harmon, CTO with the API developer stoplight. I asked Mr. Harmon about API security, seeing how organizations implement API's to both leverage and protect their data against hackers who have used API's themselves malicious attack, we also spoke about general API strategy, along with some predictions for API and fintechs in the new year. And that's sort of a trend I've identified, you know, just sort of the broader, broader FinTech space going into 2022 is that, you know, if you cannot fully integrate these sort of automated capabilities into your business, both externally and internally, then you're not really doing as good of a job as I think you could be doing. I think we've seen, you know, organizations with a ton of pedigree and a ton of funding and money behind them, failing to meet the expectations that I think were laid out forms, you know, for the simple fact that it's not sort of a deep organization organizational factor, it's more of something that more of a veneer, and it looks good for the customer and for the client on the you know, on the front end. But as soon as they get past that, you know, external, you know, stratum, if you will, I think things can break down, and you start to see breakdowns in terms of how these companies sort of operate and communicate with each other. So that's a very important, Jason Harmon I think, worse than that is, you know, if you're just looking at your business and going, Okay, let's, you know, slap some API's on the side to enable, you know, some kind of partner use cases, or maybe mobile whatever, quite often, it's duct tape and baling wire, to make that connect with the existing infrastructure. And it's really creating more technical debt, creating more kind of organizational friction, as opposed to those who are really looking at it big picture. And recognizing, you know, this is going to be a long play, it's not going to happen overnight, let's be strategic about where we replatform, but have a big picture in mind of how all these API's are going to stitch together in the future and have a vision for it, let's say, you know, be customer centric in that view, so that you're not re entrenching kind of institutionalized thinking about designing around systems, but rather, the design around the customer concerns. And those, those sort of paths to take API's external, just get easier, right. And so then you're reducing organ to organizational friction, you're improving overall understanding. But you know, these are huge leaps to take, you know, for business leaders, and I think we're in a period right now, where I feel like, kind of your SI suites, especially in a lot of a lot of the medium to large sized organizations are really starting to absorb what this means. And they're seeing it, you know, competitively in the market, where folks who are making the right investments around API's are accelerating. And so there's certainly some folks come in late to the game. But, you know, I think if you're committed to having that big picture, the possibility to turn around and turn it around is still there. Alijah Poindexter So API's, you know, traditionally, and as tradition, you know, as traditionally as something that's relatively recent, can be had been, you know, leveraged for positive things for for improving client and employee experience, some improving automation, reducing labor hours, but in 2021, I think we there's been in the news, hackers and sort of these malevolent factors in the in the sector, leveraging API's for attack, leveraging them for for negative means, if you will, do you have any insight on that one? I know you do. But you know, what are some of your insights in regards to the in regards to that sort of API security thing, especially as we move forward, and it becomes more ingrained? Jason Harmon Yeah. So this one, I think, you know, I certainly lean on my own personal experience, you know, Pay Pal Expedia group, some of these larger organizations, were the thing to recognize when you're, we're putting together kind of your platform strategy is identity as a concept. And obviously, as corollary concerns, things, like authentication authorization, that is the long pole in the tent, everywhere. It is the hardest part of building kind of consistency in your API platform. And I think for folks that don't recognize that early that ends up kind of holding up the train. So I think figuring out you know, what is kind of the what are the off patterns that you're going to use in your API's is probably job one. If you have, say an API enablement team who's leading that change, which you know, with, in our case, we see quite a bit of usage of things like our spectral open source library that folks used to sort of check their standards in an automated way against the API designs to see does this match up with kind of our standard approach or pattern into how we implement all of our API's, and having these automated checks on the off pieces on kind of authentication authorization. You know, the old joke goes that if you have a two day hackathon day one of the hackathon is off that day two people build stuff, it is so true in, you know, any build out of any API platform. So I think that's certainly my biggest guidance. And, and for us, certainly see, we see were kind of spectral in the automation that provides really is, you know, opens up a lot of opportunity for us to improve API security. And what's key to that is as far left as you can go, right, that's what we do is help folks envision their future API's kind of from scratch in a lot of cases. And having those checks as early as possible, generally prevents 80% of the kind of security risk vectors that you might see all the way at the right when you're actually going to deploy this thing. So I certainly point folks to the the sorry, oh, wasp API top 10 is certainly something that we've been looking at more to provide kind of rule sets for automating that set of pretty common sense checks for the most common attack vectors against API's. Alijah Poindexter So what is not the way to implement or build out an API strategy? From your experience? What should you not be doing if you want to get into the space? Jason Harmon Yeah, I think I'll just say that the most naive thing that I see on a really frequent basis is people read that story about Jeff Bezos and Amazon in the early days, right? Basil says, build everything and API's are your fire, right? And everyone goes, Oh, that's, that's what I need, right? I just need to tell everyone to build API's and things will be great. And the risk of that, and certainly, some of what I walked into at PayPal, when I went there a number of years back, is they've kind of done that mandate. And what ended up happening and I've seen this so many times, in meeting people, is everyone goes off and builds an API for their use case. And what you end up with a year or two down the road, is 1000s of API's that are not composable. They're not modular, they don't make sense together. And if you have someone trying to stitch together a number of API's to innovate and build something new, the roadblock that every pass, and now you're going off building the next single use case API. So I think, you know, the trick, one of the trickier bits of API design, and certainly where we help a lot in the market is thinking about that reusability design an API that and I use the word capability intentionally all the time here, build something that's a reusable capability, that you could envision using a number of different situations. That means that the next use case that comes along, you can add an iteration and increment the functionality, but not have to go back to the drawing board and not have to maintain to services. And I think the consistency point is looking at things like auth, certainly, but also just you know, your basic design conventions. You know, what do you use camel case or spine case on your parameters and paths and things like that. Those are easy things to check automatically. But the key is just agree on something. Truthfully, it doesn't really matter that much what the convention is agree on one convention and be consistent, right? And automate where possible. Again, I tend to plug spectral just because it's been a bit of wildfire growth this year, and being one of the only things that really does this. Well, for open API. Alijah Poindexter Are there any negative interactions or neutral interactions between, you know, a hyper innovative strategy and sort of looking for that overall, API cohesiveness? So you have a team of people who want to automate, automate, automate, you know, API API API, that may, you know, speaking, what you just talked about, that may fly in the face of a general sort of cohesive strategy for the organizations that have met? That's a major sort of Flashpoint. Jason Harmon Yeah, I mean, there's definitely, you know, a spectrum here, and some of this caveat is going to be relative to organization size, right. So in a smaller organization, you probably can't commit the budget to have a central team whose sole job is to create platform consistency and perform API reviews and curate standards, and it's probably a more decentralized first kind of approach. And perhaps you have, you know, someone who is just particularly passionate about the subject helping pull together strategy. I think at the other end of the spectrum, you've got large organizations where you've got to have some central function, but if you over invest in that central function and create a big fat, you know, sort of bottleneck or a huge cost center that's equally as bad. So I think the the happy medium to kind of grow into is how Having a small centralized team curates standards, curates consistency, perhaps, you know, performs these API design reviews, and then build connections with all the different parts of the organization. And that could be, you know, per dev center that could be, you know, PR kind of silo, if you will, but increasingly give more authority to sort of a, you know, group of champions across the organization, to perform those reviews themselves to understand the constraints and standards and why they're there. And the risks that happen if they don't, and just, you know, basically kind of centralized plus a federated approach is what we've seen worked pretty well, and keeps your cost management relatively low, you know, does drive some consistency, but at the end of the day, like most things in engineering teams now, it's how can you build that ground support, right? And if you don't give any authority, and you're just creating an organizational choke point, and that's what it is. Right. So I think that answered the question, but I kind of went around the corner there. Alijah Poindexter Oh, no, it's great. And just to kind of follow up on that, you know, in the environment. So is that sort of the model, you talked about the sort of strong centralized approach? Is that something you see a lot of companies, big, small startup, firmly entrenched organizations? Is that something that you see? A lot of them maybe not a majority, but a lot of them using? Or are you? Or do you see more of the sort of negative side of API build out? If that, if that makes sense? Is that a trend? Jason Harmon I'm totally i We started the year asking this question like is, you know, it's 2021. It's been about, you know, 10 plus years that kind of API programs have started becoming a thing. Is there consistency in practice? You know, certainly, I felt like there was from people that I know who, who have done that job before, and are perhaps stoplights target customer. And so we started our API intersection podcast, in part to answer that question for ourselves. And so we've talked to program leaders from, I don't know, probably 20 Different organizations over the course of the year. And it probably think, 1015 episodes, and we realized, like, this can't be the only thing we talked about, because it's getting real repetitive. So I think, yeah, in general, folks that are successful, this is how it's done. Can you be successful in a different model, I'm sure. But in terms of, you know, reaching out to folks we thought seemed to run great API programs. It's very consistent, that kind of this mix of centralization and federated approach, works well, to spread the knowledge across the organization, give more autonomy to teams, and yet have a place where you can drive a strategy. And I think this for, you know, business leaders is something important is who are you leaning on? You know, do you have, you know, passionate enabled folks who've been given reasonable authority to go build that ground support within your sort of product development organizations? Because, you know, that much like the the basis mandate, right, you say, here's what I want everybody to do good things. So somebody really needs to have the big picture in their heads, and yet trust those domain leaders on, you know, the content of their domain. But somebody who's looking out for how does how all these pieces fit together to make a platform. Right. Alijah Poindexter All of that being said, what are your predictions for 2022? That's a extremely broad question. I know, but just what are your general, you know, within your realm of, you know, broad expertise? What are your predictions for 2022? And the API and in the FinTech sort of interpolate space? Jason Harmon Yeah, I think security spending around API's is going to be, you know, a big distinct category, we haven't really seen like that before. Which, you know, I hope that investment produces good results. But I have a feeling in some places, it's going to be a longer road than they realize, because of the aforementioned long pole in the tent of, you know, authentication and kind of identity systems is quite often where I think things are going to get sticky. So, you know, as always, I advise people, if you don't have a very clear way to connect your authentic, you know, identity systems back into your API's better get started. Certainly, if you're about to spend a bunch of money on API security. I think the, the, you know, there's been a multi year, I think, discussion now about what kind of API is it? You know, internally, especially, you know, are we building synchronous or asynchronous? Are we using something like open API or async API? Should we be looking at G RPC? What about Graph QL? Should just everything be Graph QL? And I kind of have the feeling that this next year, some of that's going to settle into a little bit better groove as far as, which really points back to graph. QL is like what is Graph QL really good for. And there are certainly, I think patterns that you can't find anyone that disagrees or great such as, you know, put graph kill behind your user experience to aggregate or compose all the different data points that you have in your organization into one easy to use thing, especially in mobile, where one call is best, right? Don't Don't make multiple calls to your back end thing for folks that are going, you know, all in top to bottom on Graph QL. Probably not in FinTech briefly, but I think those can be risky things. And, you know, as I like to put it, it's the reason like Apollo has had such tremendous growth. So to some extent, they're helping folks patch up their mistakes. So I think that's one that I hope we've got a little more broad understanding as to when to use a particular API tool, I think that started to come together. And I hope this next year, some of that gains clarity. And, you know, I think the trend toward more and more companies looking at kind of internal and external API's should be from the same catalog. I absolutely think that, that that trend is picking up. And that awareness is picking up that you can just glue API's on the side of the business and expect good things to happen. And, you know, along the same lines, I think, kind of, you know, having these sort of program teams to run API's as, say, a an organizational category of investment, I think is absolutely growing in the consistency and approaches there. And I think more and more companies are relative, they've got to have somebody that's kind of manning the helm. So certainly something I'd say you know, whether it becomes a trend or not, you should Alijah Poindexter you've been listening to the buzz, a bank automation news podcast. Thank you for your time, and be sure to visit us at Bank automation news.com For more automation news. You can also follow us on Twitter and LinkedIn. Please don't hesitate to rate this podcast on your platform of choice. Thank you.

Listen: Stoplight CTO says early checks prevent 80% of security risk vectors in open APIs

Security and verification are keys to building API strategy

Top risks for FIs for 2022 and the decade ahead

How to automate for good

Related Posts

Fenergo AI agents save 18K hours of compliance work annually

Nvidia launches AI-driven fraud detection tool

Trump postpones signing AI security order over parts he disliked

How to automate for good

Stay Informed with Our Newsletters

EMERGING FINTECH DIRECTORY

The Buzz Podcast

SPONSORED

How AI and Product Experts Turn Fuzzy Requirements Into Focused Dev-ready Roadmaps

Is Your Technology Supplier There for You?

Hiding in Plain Sight: How to Use Data to Spot Consumer Accounts Being Used by Small Businesses

Connect

Welcome Back!

Retrieve your password