Defining API Security with Eric Sheridan (@eric_sheridan) of WhiteHat Security

I sat down with Eric Sheridan (@eric_sheridan) of WhiteHat Security this week to talk about API security. I have been working with Eric as a partner of Postman for a number of months now, and I find their approach to security, plus the open source software and Postman collections they are building, very thought provoking, so I wanted to begin recording some of our discussions. We came together to talk about their API security testing collection, but ended up talking about the big picture of API security and how it fits into API governance. WhiteHat Security has an API security solution you can run using Docker combined with a Postman collection to scan any API you have defined using a Postman collection, adding much needed API security scanning to the API lifecycle.

Eric and I started our session intending to walk through their API security collection, and while we did that, something I had said in a previous conversation around API governance had stuck in Eric's mind, so we worked through the concept of an API governance blueprint that would include security scanning, something their Postman collection would help deliver. The result was an almost hour long conversation about the role of API security in the API lifecycle and the governance that follows from it.

The WhiteHat Security API testing collection already provides extremely rich feedback on the state of security for any API you have defined as a Postman collection, but we began brainstorming how this could also include machine readable output that could be used as part of a wider API governance observability strategy. Every run of a Postman collection produces output which can be aggregated, indexed, and made available alongside other testing, performance, and operational characteristics. The goal, as discussed in the video, would be a machine readable blueprint for API governance which includes security, and which can then be implemented and reported upon in an automated way. This would help standardize how we operate APIs, making them more tangible and accountable in all the ways that matter the most.

Eric and I will be sitting down on a regular basis to work through a variety of API security topics, ranging from the very technical, down in the weeds, all the way up to industry level API security certification, reporting, regulation, and other high level concerns. You can check out the public workspace for WhiteHat Security on the Postman API Network, and stay tuned here for future conversations between us about API security. I will be pulling more of these behind the scenes conversations I am having with smart people out into the open like this, helping me be more observable in all of the API lifecycle and governance conversations I am having in my work. Otherwise all of these great discussions tend to get chewed up as the calendar moves forward, and I'd much prefer sharing everything I am learning with the audience here so that it can reach further than just my brain.