Richard Bird
Podcast Appearances
And in both of those cases, I think this is such a powerful example of why so many people in the survey that we presented said their current technology is so ineffective in finding these API exploits. The reason that these particular breaches were successful was because at some point an API was taken out of production, an API that was already resident.
So now the argument that I'll catch that API in testing is completely irrelevant, right? These APIs were already there because there are already tens of thousands of APIs out in the wild that aren't going to go through this whole dev lifecycle thing. And those APIs in both of those cases, those APIs were taken out of production.
They were fixed, tuned, changed in some way, shape or form or another. And a developer put them back into production. And in doing so, there were no lifecycle management, no development lifecycle management practices that were put over that. It was like, hey, go fix that API and then go put it back in production.
And in both of those cases, the developers forgot to reinstate encryption on the endpoints that were associated with those APIs. So now you have this creepy crawler. You've got an API that you thought you knew what it was supposed to be doing, but it's now doing something it wasn't supposed to do.
expose a publicly open endpoint to a bot army that was fired off by bad actors who look for open API endpoints that are missing encryption. And then they found it. And as soon as they found it, they executed the moves that were necessary to go exfiltrate tens of millions of customer records, not just name and address, but like in the case of the mobile carrier, what your payment record was.
The reason why that's so important to the bad guys is because the most valuable thing on the dark web is a phone number with a confirmed live user on the end of it. And now all of that stuff was exposed that said, hey, you're a current customer and you pay regularly like you're supposed to. Bet you that's going to be somebody on the other end of that line that I can scam or that I can exploit.
The last thing that's most important about those two breach examples is no web application firewall, no CDN on the planet could catch that. And the reason is because that API looked like it was supposed to be doing what it was supposed to be doing. And the context of the information about the need and requirement for encryption to be on that endpoint simply did not exist in the system.
If you aren't controlling an API's encryption from an observation standpoint, you know it's supposed to have encryption, and it's been put back into production, and now it doesn't have encryption. If you're not controlling at that level of fine-grained granularity, there is no possible way for today's current technologies to catch those breaches. Wow. That's crazy is what that is. It is.
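The control Bird describes is a comparison between what an API inventory says an endpoint must look like (encryption required) and what is actually observed once it is back in production. The script below is an added illustration of that drift check and is not code from the podcast, the speaker, or any product discussed; the inventory, the hostname `api.example.test`, and the gateway log lines are all constructed, and the log format (`timestamp method url status`) is an assumption.

```python
"""Flag API endpoints whose observed traffic contradicts the inventory's
encryption requirement, plus endpoints the inventory does not know about.

Constructed example: inventory, hostname and log lines are made up.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed inventory: what each endpoint is supposed to look like.
INVENTORY = {
    "/v1/customers/lookup": {"requires_tls": True, "owner": "billing"},
    "/v1/payments/status": {"requires_tls": True, "owner": "billing"},
    "/v1/health": {"requires_tls": False, "owner": "platform"},
}

# Constructed gateway access-log lines: "<timestamp> <method> <url> <status>".
# The second line is the "redeployed without TLS" case; the fourth is an
# endpoint that never went through inventory at all.
GATEWAY_LOG = """\
2024-05-01T10:00:01Z GET https://api.example.test/v1/payments/status 200
2024-05-01T10:00:02Z GET http://api.example.test/v1/customers/lookup?phone=5551230000 200
2024-05-01T10:00:03Z GET http://api.example.test/v1/health 200
2024-05-01T10:00:04Z GET http://api.example.test/v2/customers/export 200
2024-05-01T10:00:05Z GET https://api.example.test/v1/customers/lookup?phone=5551230001 200
""".splitlines()


def parse_log_line(line):
    """Split one log line into its fields; scheme and path come from the URL."""
    ts, method, url, status = line.split()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "method": method,
        "scheme": parts.scheme.lower(),
        "path": parts.path,
        "status": int(status),
    }


def find_encryption_drift(inventory, log_lines):
    """Return sorted ((path, finding), count) pairs.

    finding is "encryption_missing" when the inventory requires TLS but the
    request arrived over plain http, and "unknown_endpoint" when the path is
    not in the inventory at all (a shadow or unreviewed API). Matching is by
    path only; method-level rules are a deliberate simplification here.
    """
    findings = Counter()
    for line in log_lines:
        rec = parse_log_line(line)
        expected = inventory.get(rec["path"])
        if expected is None:
            findings[(rec["path"], "unknown_endpoint")] += 1
        elif expected["requires_tls"] and rec["scheme"] != "https":
            findings[(rec["path"], "encryption_missing")] += 1
    return sorted(findings.items())


if __name__ == "__main__":
    for (path, kind), count in find_encryption_drift(INVENTORY, GATEWAY_LOG):
        print(f"{kind:20s} {path} ({count} request(s))")
```

The check deliberately runs on observed traffic rather than on the deployment pipeline, which is the point of the passage: an endpoint that was hot-fixed and pushed straight back never passes through testing, so the only place the missing encryption shows up is in what the gateway actually sees. In practice the inventory would be loaded from an API catalogue and the log lines streamed from the gateway, and the "unknown_endpoint" findings are worth routing to the same owners so the inventory itself stays current.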