API Security , Video

Synack CEO Jay Kaplan on Doing Adversarial Pen Tests of APIs

Synack Co-Founder on Why Assessing the Security of Headless APIs Is Such a Struggle
Jay Kaplan, co-founder and CEO, Synack (Image: Synack)

APIs are everywhere. No wonder, since they can sling data to anything from a mobile application to an IoT device.

See Also: OnDemand | The Evolution from DAST to IAST: Take AppSec Testing to the Next Level

The downside is that testing the efficacy and security of APIs remains challenging, says Synack CEO Jay Kaplan, especially given the size of API endpoints. Many are headless and lack a front end or interface with the application environment. Kaplan says Synack is uniquely positioned to take on adversarial API penetration testing for customers given the company's crowdsourced testing model, which provides access to thousands of researchers (see: Why Crowdsourcing Cybersecurity Needs Additional Innovation).

"We now are the one-stop shop for some of the largest financial services firms, oil and gas companies, healthcare institutions and government agencies," Kaplan says. "They are now centralizing all API testing activity on the Synack platform. Our researchers not only test in an ad hoc fashion for vulnerabilities, but they're now testing using a checklist-driven approach to make sure they're covering the common attack vectors."

In a video interview with Information Security Media Group, Kaplan also discusses:

  • Synack's decision to join the Microsoft Intelligent Security Association;
  • What makes Synack's approach different from pure-play API security firms;
  • The most significant challenges associated with securing headless APIs.

Prior to establishing Synack in January 2013, Kaplan served in multiple cyber-related capacities at the Department of Defense, including on the DOD's incident response and red team. More recently, he was a senior cyber vulnerability analyst at the National Security Agency, where his focus was supporting counterterrorism-related intelligence operations. Kaplan received multiple accolades for classified work conducted while at the NSA.

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.