While many have credited the recent API security “arms race” to the rise in API breaches across every industry, it’s without contest that APIs are now pervasive across every industry. 

With even the largest companies having fallen victim to API breaches, including Facebook, Equifax, and T-Mobile, who have potentially the largest cybersecurity budgets and access to the best cybersecurity talent, it creates a sense of hopelessness for smaller companies — and a feeling that they’ve shown up to a gun fight with nothing but empty hands.

But as I’ve said time and time again, cyberspace is the ultimate equalizer where it doesn’t matter how much money or resources a company has, everyone is equally vulnerable to a breach. 

Attend the inaugural APISecure conference April 6-7

Over the last two years I’ve gone on vulnerability campaigns in a “scorched earth” approach to targeting every industry’s reliance on APIs from mHealth and FHIR in healthcare to financial services and fintech, to even transportation, publishing my vulnerability reports to underscore the dangers of securing APIs with the wrong tools, mainly web application firewalls. This created an impetus for myself and my wife and business partner, Melissa Knight; along with our co-founders at APIDays to create a conference that could create a much bigger microphone and platform for educating the world on this new attack surface that was largely going unprotected or secured with the wrong tools. Coincidentally enough, dare I say fortuitously, Ashish Kuthiala approached me on the same day Baptiste Parravicini did, to create the world’s first API security conference. Mel and I moved quickly to form Knight Events, a new family company that would be owned by our existing group of companies, Knight Group to launch our new conference, APISecure.

Why APISecure

For years, I had keynoted as a presenter at different APIDays conferences, including APIWorld and other miscellaneous DevOps conferences in Europe and Asia. The problem was the audience was largely made up of developers and had a very small percentage of attendees and sponsors focused specifically on API security. This created an overall feeling of being largely irrelevant in a conference of over a thousand people focused on other challenges developers face in creating, deploying, and maintaining APIs – not securing them from the likes of me.

Cyberspace is the ultimate equalizer where it doesn’t matter how much money or resources a company has, everyone is equally vulnerable to a breach. 

–Alissa Knight

I knew that a community needed to be created that only a conference could galvanize, dedicated to API security. I waited patiently for these other event companies who had experience in running conferences to do it for me. So, true to my impatient nature, I decided to stop waiting on someone else to build it and decided to do it with my new friends at APIDays and bring Traceable in as our highest level sponsor for the first year.

Capacity Building at APISecure

Education was fundamentally the most important thing to me with the success of our new conference. Thus, ensuring I alone would be responsible for the review and approval of all content submitted from the API security community was paramount. I absolutely, under no circumstances, wanted vendor pitching to happen at our conference. It had to be a place of learning divided into three separate tracks: Red, Blue, and Solutions. 

Red Track

The Red Track would be designated to API penetration testers/breakers of APIs who would teach the more arcane tactics and techniques of penetration testing APIs with the intent of instrumenting today’s and tomorrow’s penetration testers focused on hacking APIs with the knowledge and tools to be more effective. 

Blue Track

Those responsible for securing APIs against attacks would be relegated to the Blue Track, giving defenders a space of their own for building their capacity in identifying and responding more effectively to API attacks. 

Solutions Track

Realizing that the API security market is still at a very nascent stage of growth, I knew we needed a solutions track that would give pure play API security vendors a place to present on the challenges their company solves in API security without pitching their products. While similar to the Blue Track content, the Solutions Track is meant to try and give attendees a specific track to seek out solutions to instrumenting their API security strategies where they can better understand the API security market and a way to build their functional requirements documents for their own API security projects.

In addition to the individual speaking sessions, we also wanted to create panels/roundtables and hands-on workshops that give attendees other delivery vehicles for their curated curriculum.

Disenfranchised in API Security

For years I’ve been radical about supporting and educating women and non-binary members of our community to enter cybersecurity. While I knew we were nowhere near where we needed to be in those numbers, I presumed the ancillary niche of API security would be even smaller in women and non-binary representation. I just didn’t know it would be as challenging as it was in trying to find women and non-binary speakers to diversify the curriculum at our conference.

Despite our best efforts to try and bring more female and non-binary speakers into the rank and file of APISecure, we were only able to bring in approximately 16% of our 64 speakers. In order to help increase the available pool of female and non-binary identified members of our community, we’ve announced a workshop created specifically for female and non-binary API hackers and defenders. The mission of this workshop, which will be run every year of the conference, will be specifically designed around building the capacity and future members of our community who identify as female or non-binary in API penetration testing and defense.

Not the Same Bat Time, Bat Channel

When planning APISecure, my co-founders at APIDays and I decided that due to the growing number of Omicron variant cases of COVID-19, 2022-Q1 was still too uncertain to commit to an in-person event no matter how much people wanted to get away from virtual to in-person events. So we decided that given the current uncertainty, we would make the inaugural year of the conference virtual, while moving to an in-person conference in 2023. 

This year, those interested in attending can register for *free* tickets here.

The conference will be held on APR 06 beginning at 0900 EST – 1600 EST and APR 07 beginning at 0900 EST – 1450 EST.

The full agenda for the conference can be found at www.apisecure.co 
