The Future Of API Security With FireTail’s Jeremy Snyder

6 snips

May 13, 2025

Jeremy Snyder, Co-founder and CEO of FireTail, brings deep expertise in API and AI security. He discusses the challenges of GraphQL adoption, highlighting its vulnerabilities compared to the traditional REST framework. Snyder shares insights on critical security practices, emphasizing the difference between authentication and authorization. He uncovers common pitfalls like Broken Object-Level Authorization and the risks posed by microservices. The conversation also delves into the evolving landscape of security in the context of AI integration, hinting at a brighter future for API protection.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

Jeremy Snyder's Security Journey

Jeremy Snyder shared his journey from a failed software developer to cloud security expert, emphasizing his early IT and security roles and time at AWS.
His experience witnessing AWS's early startup phase deeply shaped his understanding of cloud and API security needs.

ADVICE

Never Skip Server-Side Authorization

Always enforce server-side authorization checks on your APIs to prevent data breaches.
Avoid relying solely on authentication or pushing authorization to client-side; treat authentication and authorization distinctly.

ADVICE

Protect Against Sequential ID Attacks

Avoid using sequential integer IDs as primary keys in API requests because they enable attackers to iterate and access unauthorized data.
Implement non-sequential or obfuscated identifiers to reduce broken object-level authorization risks.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Episode Summary

Jeremy Snyder is the co-founder and CEO of FireTail, a company that enables organizations to adopt AI safely without sacrificing speed or innovation. In this conversation, Jeremy shares his deep expertise in API and AI security, highlighting the second wave of cloud adoption and his pivotal experiences at AWS during key moments in its growth from startup onwards.

Show Notes

In this episode of The Secure Developer, host Danny Allan sits down with Jeremy Snyder, the Co-founder and CEO of FireTail, to unravel the complexities of API security and explore its critical intersection with the burgeoning field of Artificial Intelligence. Jeremy brings a wealth of experience, tracing his journey from early days in computational linguistics and IT infrastructure, through a pivotal period at AWS during its startup phase, to eventually co-founding FireTail to address the escalating challenges in API security driven by modern, decoupled software architectures.

The conversation dives deep into the common pitfalls and crucial best practices for securing APIs. Jeremy clearly distinguishes between authentication (verifying identity) and authorization (defining permissions), emphasizing that failures in authorization are a leading cause of API-related data breaches. He sheds light on vulnerabilities like Broken Object-Level Authorization (BOLA), explaining how seemingly innocuous practices like using sequential integer IDs can expose entire datasets if server-side checks are missed. The discussion also touches on the discoverability of backend APIs and the persistent challenges surrounding multi-factor authentication, including the human element in security weaknesses like SIM swapping.

Looking at current trends, Jeremy shares insights from FireTail's ongoing research, including their annual "State of API Security" report, which has uncovered novel attack vectors such as attempts to deploy malware via API calls. A significant portion of the discussion focuses on the new frontier of AI security, where APIs serve as the primary conduit for interaction—and potential exploitation. Jeremy details how AI systems and LLM integrations introduce new risks, citing a real-world example of how a vulnerability in an AI's web crawler API could be leveraged for DDoS attacks. He speculates on the future evolution of APIs, suggesting that technologies like GraphQL might become more prevalent to accommodate the non-deterministic and data-hungry nature of AI agents. Despite the evolving threats, Jeremy concludes with an optimistic view, noting that the gap between business adoption of new technologies and security teams' responses is encouragingly shrinking, leading to more proactive and integrated security practices.

Links

Follow Us