Becoming an API security and bug bounty pro | Guest Katie Paxton-Fear
Get your FREE 2024 Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/
Join us on this episode of Cyber Work with Katie Paxton-Fear, an API hacker and technical marketing manager at Traceable, known for her YouTube channel InsiderPhD. Dive into API security, common defense mistakes and bug bounty insights. Listen as Paxton-Fear shares her academic journey blending tech and linguistics, her pioneering NLP work on insider threats and tips on becoming an API security expert. Learn about detecting insider cyber threats, the role of AI in securing APIs and essential resources to enhance your cybersecurity skills. Plus, explore the dynamic world of freelance ethical hacking, the role of a technical marketer and the significance of resonant content creation. Stay tuned for a comprehensive guide to elevating your API security know-how and cybersecurity career!
View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/
00:00 - Introduction to Katie Paxton-Fear
01:48 - Katie's journey into tech and cybersecurity
05:23 - Combining tech and language
15:34 - From academia to YouTube
21:30 - API security: challenges and insights
26:38 - The role of AI in API security
30:28 - API key management and security
31:08 - Common API key breaches
32:15 - Preventing API key leaks
33:39 - The importance of key rotation
34:31 - Getting started in API security
35:36 - Recommended resources for API security
37:32 - Hands-on API hacking
45:28 - The bug bounty community
50:32 - Role of a technical marketing manager
53:45 - Career advice and final thoughts
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Transcript
Today on Cyber Work. My guest is Katie Paxton-Fear of Traceable. But you might not know her from Traceable. If you know the name, you might know her by her YouTube channel, InsiderPhD.
I'm going to create YouTube videos on how to go from a tutorial on how to use a piece of software to actually finding vulnerabilities in real software. Because there is a massive gap.
And if you know InsiderPhD, then you know that Katie is all about API security and API hacking. Katie discusses the most common mistakes made when securing APIs, why securing APIs continues to get harder, but hacking them stays the same.
On the hacking side, we kind of have the easy job. API defense is capital H hard.
And Katie also gives us a solid intro to the world of bug bounties and the way that you can get involved as well.
The people I've met in the bug bounty community, you will not meet a more welcoming community.
This is a power hour, so have your notes open because Katie is dropping pearls of wisdom every which way.
The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources, to give you, Cyber Work listeners, an analysis of the most popular and top-paying industry certifications. You can use it to navigate your way to a good-paying cybersecurity career.
So to get your free copy of our cybersecurity salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free cybersecurity salary guide ebook.
Your cybersecurity journey starts here.
Now let's get the show started.
Hello and welcome to this week's episode of the Cyber Work podcast. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of infosec professionals, as well as leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry.
My guest today, Katie Paxton-Fear, is an API hacker and technical marketing manager at Traceable. She has a PhD in cybersecurity and artificial intelligence, but if you know her, it's not for her academic work. She's a hacker and YouTuber who's found bugs in over 30 companies and taught 70,000 people how to do it as well.
She wants to show that anyone can be a hacker and share her passion and knowledge with others. You can find her all over the internet as InsiderPhD. So yeah, today, our topics for Katie here are API security, obviously it's the thing, uh, she's known very well for, as well as, uh, uh, some of your PhD work with natural language processing.
So, uh, Katie, thank you so much for joining me today and welcome to Cyber Work.
Thank you so much. I'm really happy to be here.
Oh, absolutely. Great to have you. Can't wait to hear all about this stuff. So, uh, you've got a lot of really interesting topics today and, and some of them are kind of at the outer reaches of security development and thinking.
So I want to ask you, uh, as someone who was part of the conversation on these tech-driven innovations and challenges, what was your initial attraction to tech and computer security? Did you take to it immediately? I have to imagine, uh, this goes way back, possibly.
Um, so it goes back to my childhood, so I'm of the generation of, like, Neopets, and I read this fantastic article a few years ago about how Neopets created this generation of women in tech because, you know, it's kind of, while it isn't like a gendered term, it certainly does appeal more to a feminine audience. And on Neopets, you could customize your pet's webpages with HTML and you could add your nice marquee, like, please come to my shop. And really, as a child, I saw this and I was like, wow, how does it know? How does the server know what I'm doing? How does it know that this account is me? How does it know that I have all of these, like, pets on it? And so I did what most children do. I went to my dad. And I was very fortunate that my dad was a programmer. And he's like, don't worry. And got me a book on HTML.
And I was about six or seven and I decided, yes, this is it. This is my obsession. I'm going to do this for the rest of my life. Um, so I went through school. I knew I was into computing. I knew I was going to end up doing, probably working as a developer. I was fairly sure about that.
So once I finished school, I went to our version of, like, post-16 education that we call college, uh, and I had the choice to just focus on doing computing. And this made me so happy because, as far as I was concerned, every other subject, maths, English, science, it wasn't computers. It wasn't important to my life.
Um, and so I got started. Got, uh, really into it. I had a really great mentor, a guy called Alex, who was one of my lecturers there. And he basically sat me down and said, you should do a PhD, and here's why. And it took me a few years. I went and did a regular degree in computer science, worked as a developer for a bit. But then I eventually went and did the PhD, like I think I was always destined to at that point.
Yeah, you just had to keep going until there was no more road to travel on, basically, in terms of academics. That's great. Well, yeah, you said that nothing was interesting to you except for computers, but that's not quite true because we also know that language is interesting to you as well. But I want to break into a little bit of that.
So, you're an undergraduate at the University of Salford and your, uh, PhD studies at, at Cranfield, you combined your twin fascinations, tech and language, in this case. In undergrad, you, you put technical, technological solutions to the task of deciphering Linear B, which is a syllabic sign-based writing system that's known as the earliest known form of the Greek language, which I, uh, I Wikipedia'd that real quick and I was like, whoa, cool.
Uh, so yeah, for your doctoral dissertation, you similarly fused computing and language, creating a way to use natural language processing to investigate insider threats. So this is really cool, but you created a fluid model that can be updated with new information, and you were able to use, uh, this creation, this natural language processing of yours, to find commonalities, attacks, events, outcomes, and more scattered through numerous reports of insider threat attacks to find patterns and models, which is, is really cool.
And I'd love to hear more about these two projects. Like, how did that combination of language and computing come to you as this initial point of focus learning?
It's really interesting. I'm not sure when I decided that I was also interested in linguistics. Um, I wonder if it's because I'm dyslexic and that kind of, like, sparked it. But I learned, I think it was in my second year of university, that there were these languages that were written in the Bronze Age, thousands of years ago. And no one can read them. And I just had this, like, I don't know, like, mental kind of whoa moment when I was like, you know, we have all this technology. We consider ourselves so technologically advanced. And there are these, like, lines on a clay tablet from 4,000 years ago. And we have no idea what they mean.
Like, we assume that they look like language, but we have no idea. And that kind of blew my mind. I'm like, you know, we have all this technology. Why can't we do that? So, for my undergrad dissertation, so my final year project, my capstone project, depending on where you are in the world, I decided, you know what, I'm gonna do something that is completely something that I'm interested in. And Linear B is quite well known because it's one of the only languages in this kind of ancient writing systems that has no, um, multiple translations of a document. So you think about the Rosetta Stone, the same text, three different languages. Linear B has nothing like that. It's got no translations, it's got no parallel, um, corpus is what we'd call it.
Um, it was done completely by comparing the language to itself and recognizing patterns, which is why I chose to do it. And really what I was kind of automating is very much that, okay, let's look at this pattern, big collection of writing, and see if we can notice patterns, which then comes on to my PhD, where really what I was doing is looking for patterns.
But instead of looking for where word endings change, um, I was looking for, okay, can we find the same general event in different people's testimonies? In a lot of cyberattacks, we really focus on the technical forensics, right? We're really focused on, okay, what files were accessed, when were they accessed, you know, when, what happened after the file. Very much stuff, logs, data, sorted. In an insider threat attack, because the person attacking is an employee, often the first signs are not actually technical, but they're things like a discussion in the break room where someone says, uh, I didn't get a raise again. Or, uh, I didn't get a promotion. Or maybe they're venting to somebody saying, so-and-so works less hard than me and still gets the promotion and I don't. And those can be some of the biggest signs of insider threat attacks. And because insiders often know how to hide their activity, they kind of understand some of the forensics that a company is using. They can get around it. So I wanted to look at, like, different witness reports and try and find that same incident in loads of different witness reports. So, was that a discussion about why they were, um, disgruntled? Did they then go and copy a database? And because you can use, then, witness reports from different people and organizations, not the same, not just technical people, but, you know, friends, colleagues, you know, the person in HR that saw something once. You could start to bring all that together.
And I really describe my PhD as, you know, those red string walls that detectives have and they're pulling together all of the
Yeah.
That was my PhD, doing that, but using a computer.
Wow, okay. That's fantastic. Um, can I ask about sort of the, uh, uh, the aftermath of it? Have you, do you sort of, like, check in on your, on your baby, so to speak, your, uh, your technical forensics baby here? And are you still seeing it, like, doing work? Is it, is it being utilized by police or, you know, investigators? Uh, I'm just, I'm just curious about, uh, like, what, what's happened with it?
I think one of the most frustrating things about working in academia is that often you spend three years of your life working on this. It's your entire full-time job for three years, and then you stop working on it, and it goes dead. Unfortunately, that's just the nature of, like, academics and how it works, and it kind of, I will, I've been, like, completely okay by the fact it hasn't really gone anywhere further, just because, like, my interests have also changed, and I want to do more in the kind of transcripting, you know, having a data science approach to, say, AI in cybersecurity.
So thinking about how hackers can work alongside data scientists to help secure AI systems, or the kind of, I always call it eat your vegetables: if you're so focused on AI security, are you forgetting kind of fundamental aspects of security because you're stuck in a hype cycle?
Um, and one of my more recent projects has been about, you know, what technologies are kind of in their infancy now, but that are going to be huge, not, you know, in one year or five years, but ten years. You know, natural language processing, really, like, when I was doing my dissertation and my PhD, it was, really, nobody had really heard of it. And of course now, my mum, who is scared of computers and doesn't use a computer, knows all about it, what ChatGPT is, if she isn't as heard of large language models. And it's predicting that as early on in the technology cycle, so we can secure it, you know, in its infancy. So we're not having to retrofit security onto it.
Yeah, and you know, I think especially from, you know, the other side of, of academic, you know, frustrations or whatever is that, having put this thing into the world, it's going to be there. And like you said, whether it's five years down the road, 10 years down the road, someone can find your material and say, oh, we can utilize that now, or we're, you know, or whatever.
So I don't think there's ever a, a problem with, uh, you know, bringing a new piece of insight into the world, which you clearly did here, which is really exciting. So, uh, I'm, I'm very glad to have gotten to hear about that and, and, and its developments. So, um, yeah, so I'm, I want to speak to our listeners, a lot of whom are either in the midst of schooling, still in school, maybe, studying, doing self-study, getting into their first jobs, maybe engaging in the type of learning that would help them transition into cybersecurity from another career later in life. It's another example. So, uh, can you talk about the path that you've blazed for yourself and suggest some input points for our listeners who might have a similar set of interests and could work in this line? I'm assuming, like, the type of skills you cultivated would work, AI programming, but like, what are some of the other, uh, people that are worth watching in this space?
So my background is very formal, as in I went, uh, I did my post-16 education in computer science. I went and did a degree in computer science and then I ended up in cybersecurity kind of by mistake. But actually, if you listen to a lot of people in the space, cybersecurity was never a lot of people's first choice of career. They kind of ended up there a little bit. And I think that speaks for the kind of breadth of skills that you need in cybersecurity. You know, somebody like me with a degree in computer science is in the same security industry as somebody who self-learned, you know, before the pandemic and who just went deep on self-study. So I think there's no one path into security, and I really encourage anybody who is going through this path to look at where you are and where you want to be, and focus on things like what job adverts are actually looking for.
Because while you might see a degree quite often, that is not necessarily accessible. In a lot of countries, you might find that maybe, especially in the US where college is very, very expensive, maybe looking at, you know, you know, a certification might be a better choice. On the flip side, if you're in Europe, a degree is really, really cheap and the certifications can be really expensive in comparison.
So I think there's a lot of different ways in cybersecurity. I think hiring managers in security know that as well. So I don't think there's one set path. Advice I would give for people kind of looking at doing maybe a PhD and going through the academic route is, one, make sure you really want to do a PhD. A PhD is a slog. And it is a lot, and it will become your entire personality for at least, like, five years of your life.
At least. Yeah. Yeah.
Yeah, you will be a PhD student, um, but I loved my PhD. I found it really rewarding to work on a problem that I was really interested in, to feel like I was contributing and giving back.
Um, but one of the strongest things that actually got me quite a lot of jobs after I finished my PhD and after I finished university was my YouTube channel. You know, putting myself out there and creating content that goes out into the world. You'd be surprised at how many employers find that aspect of that community building and networking really, really fundamental to cybersecurity, because it's all about how you build relationships with other people. And sometimes that's going to be your fellow people in cybersecurity, but sometimes you have to work with developers and IT support staff. And there's a lot of networking that goes on there. And if you're somebody who is really unapproachable, somebody who, you know, is maybe seen as a bit difficult to work with, then, you know, having, making that content for yourself out there, showing yourself, can really, really help. YouTube channel, a podcast, blog, a podcast, um, whatever, but put yourself out there as early as you can.
I love that. And also, you know, almost every guest on the show from the very beginning has talked about the importance of being able to communicate difficult concepts in an approachable way, and how that's just an intrinsic soft skill that you need to have. And boy, there's nothing that says explain something in an easy, fundamental way than having, like, a weekly or monthly YouTube channel where you're, like, breaking down a very specific, challenging problem so well. Tell us, tell us a little bit about your, uh, your YouTube channel then, while we're, while we're here.
So I was really fortunate that I got into kind of offensive security and hacking via a mentorship program. So HackerOne sells bug bounty programs to companies, and they often run these things called live hacking events. And they basically fly out all of their best hackers and have them work on, like, one single company. So a company, large companies, think, like, that Verizon level, right? Um, in my case it was Uber. And they ran alongside this, like, best hackers in the world, they also ran this mentorship program, where you as a mentee would have the opportunity to kind of experience this, chat with hackers and maybe try and find a vulnerability. I don't think they were actually expecting people to be successful.
Yeah, of
But when I was there, I actually found my first vulnerability and my second vulnerability. I knew nothing about hacking. I knew absolutely nothing about offensive security. I'd never even seen, like, a request, like, in its raw HTTP format. I had only ever, like, programmed them, and I found my first two bugs anyway. And I said, you know, this is a fluke. They invited me to their next event, which was going to be in Las Vegas during DEF CON, and I'm based in the UK. They offered me flights and a hotel at DEF CON. Like, I was going to accept that, no matter how much of an imposter I felt like I was.
But when I was there, having chatted with some of the other mentees, I realized this, like, I was slightly further ahead on that journey than they were. And I realized because of my experience previously, um, at, uh, the other live hacking event and being successful and finding something, I knew. And I must stress, not a lot more, but I knew a little bit more.
And that little bit, I realized, was really missing. So after I got home from that event, I actually decided, you know what, I'm gonna make a YouTube video talking about this, because this is a big problem that I spent a lot of my time talking to the other mentees about. I'm gonna make a YouTube video on this. Um, and it went really well. And I was like, you know what, I'm going to create YouTube videos on how to go from, like, a tutorial on how to use a piece of software to actually finding vulnerabilities in real software. Because there is a massive gap there. And that's the kind of bridge I want to, uh, cover with my content.
So I did, I did that. And, you know, over the course of the pandemic, a lot of events went online, so I got the opportunity to speak at a bunch of different events that, you know, usually would require a flight over to the U.S. that I can now speak at. Um, and my channel just grew, and I hope I've kind of met that little middle ground between, you know, um, oh, I know how to use a piece of software, and oh, I can find a vulnerability in Uber.
Yeah, and so InsiderPhD is the name of the YouTube channel, is that correct?
Yes.
Uh, so for people who haven't yet seen InsiderPhD, the YouTube channel, what would be, can you, like, call out an episode that you think is, like, a good place to start? Would you start right at the beginning with the, uh, you know, with the insights from the convention? Or, yeah, okay, yeah, start,
Don't start at the beginning.
Start more recently then. Okay, please, all right.
I'm well known for my API hacking. I have a playlist that's called Everything API Hacking, and that is just, like, the greatest hits of API hacking. And I have another one that's called Now That's What I Call Bug Bounty 2020, which is just a kind of beginner's playlist of going from, I don't know what bug bounty is, to I can find a bug.
So those are the two kind of playlists I recommend. My video on API hacking, I just updated it, um, a few months ago. It's very relevant, it's very current, and I have found, I've used, like, recent vulnerabilities that I've found to kind of inform that video, so I really like that video. But there are playlists for folks to actually follow along on something that isn't just my worst videos.
Okay, okay, good.
I made them at the start, so they're bad.
Yeah, absolutely. Well yeah, once you get, uh, invested in someone, you're like, well, let's just see what they look like early on, and then, you know, by then you're, you're, you're forgiving enough where you're like, eh, pretty good, deal with this, but yeah. Oh no, trust me, we all started somewhere.
If you, if you saw the first, roughly 27 episodes of this show, it would, you, you would not have come onto the show. So, uh, so yeah, so let's talk about APIs here because, uh, yeah, you received a series of grants from the UK government to examine the security, reliability, and accountability of interconnected systems and APIs.
So, uh, just to give a little background, I mean, API security's gone from what felt like a couple of years ago, like the sort of silent loophole, uh, you know, past guest Alyssa Knight said that she, you know, was very good at hacking APIs and it was hard to even convince organizations that their insecure APIs were even a problem.
You know, and now it's a main area of research and development and obviously a lot of resource allocations in the present day. So, so tell us about some of your findings on this topic, Katie. What were your most interesting, worrying, or surprising findings about the state of APIs and interconnected systems?
I think what, APIs really don't change. Um, I, it's like, I mean, a lot of, yeah, a lot of people tell me, oh, Katie, can you remake your API hacking video? And I'm like, they haven't really changed though. I mean, I started developing, like, when I was a software engineer, I was writing XML APIs, right? Like, okay. It's changed a lot in the sense that they're now JSON, but honestly, like, API hacking is no harder now than it was, like, five years ago, or even, like, eight years ago.
Um, a lot of the fundamental things that people know from, like, a traditional application, they just don't end up implementing in APIs. So we often see APIs that don't require you to log in or use an API key. You can just request data. We see a lot of APIs that just don't, that don't have permissions set correctly, so you can change somebody else's tweet, or somebody else's post, or somebody else's profile picture, whatever, or somebody else's pro, think about, like, really complicated apps, you think about, you'll have different permission levels, man. Is it easy to make a single mistake there? Like, and so, you know, you're an admin of one company. You don't have an account on the second company. You shouldn't be able to change it, but because you're seen as an admin, you can change the second company, even though you belong to the first. Things like that. It's the fundamentals. I mean, a lot of, like, business logic errors as well. What I always say about API hacking is look at what's in front of you. Like, it is not a type of hacking that relies on payloads and, you know, top vulnerabilities, you know, the James Kettle is presenting at Black Hat, right?
A lot of it is, hey, what if I add negative one of an item to my cart? What does that do? Does that break the application? Does that give me free money? Does that, does that reduce the price of everything else? Cause I've now got a negative price. Like, what happens when I do that? And that's where API hacking is and has been for years.
It's very much the fundamentals. And I think there's a lot of reasons why this happens to APIs in particular, but fundamentally, it tends to be that when developers are kind of thinking about security with APIs, they're not thinking the same way about security. They're thinking, oh, it's an API. No one would be able to use it. Or it's just an internal-only API, or it's just, it's one of those kind of, okay, we don't need to secure this, comma, yet. Like, this will be in a different sprint, or whatever. Tends to be why. It's that kind of technical debt that turns into, like, security technical debt.
Mm hmm. Now, you said that, uh, hacking an API hasn't changed much in five or eight years. Has defending an API changed much in that time?
Oh, 100%. I actually feel so bad for the API defenders. Because on the hacking side, we kind of have the easy job. API defense is capital H hard.
Like, there are so many different ways to secure things, and there's lots of, like, good things like OAuth that have come out that really, really help in terms of, okay, standardizing how we authenticate. Um, but then you've got, okay, so what can we do for authorization? Oh, there's no standard for authorization. Authentication, we're good, we can use this. Authorization, eh, middleware, maybe? Like, there are some things, and if you look at, like, security, like, vendors as well. Like, the company I work for is Traceable, but there are more security vendors. The defense that everybody offers is, like, not, it's not super complicated. Because, at the moment, the difficult thing is, you know, you have all these APIs. Do you even know what's out there? No, you don't. So the problem is still, you just don't know what APIs are out there, let alone if they're secure. So the API defenders are like, I don't even know what's out there. The API hackers are like, I'm going to change a one to a two. That is their skill.
Right. Yeah. Well, no, that's, yeah, that's, uh, that's interesting. Well, to that end, you wrote an article titled How to Embrace API Security with AI Innovation. Uh, and in it, you noted that the exponential explosion of APIs and app usage has significantly increased the attack surface of these still-vulnerable entrance points and that, quote, the days of securing APIs manually are gone.
So apart from the, uh, capital H hard aspect of securing the APIs anyway, uh, tell us about where AI fits into this challenge and how it, how it'll work and what your recommendations are.
Oh man, I have so many thoughts on it, on AI. So I'm going to, I'm going to shorten them to three.
One is, um, obviously, like, can we embrace AI in order to better secure APIs? I think the answer is yes. What that exactly looks like, I don't know if it's just putting ChatGPT into security products. I think it's, it's things like going deep into analytics and being able to pull data out of APIs. APIs are so data-focused, they're so much, you know, you know, they're pulling resources out of databases. There is already quite a lot of applications that are designed to monitor APIs from, like, a performance standpoint. That's the kind of AI I foresee being, like, big in API security specifically.
I'm not sure about automated hackers though, to be fair. I'm, I would class myself as a bit of an AI skeptic now. Uh, like, my PhD, I've just gone kind of, uh, AI, like, what's it even used for? Um, but I do think there's a lot of, like, data science lessons that can be learned. Two is developers using AI. You know, a lot of developers will be using AI to help them program. Unfortunately, we have 20 years of bad Stack Overflow answers that the AI has been trained on that are not up to date at all. And I foresee that we might see the reintroduction of things like SQL injection, where, you know, a lot of languages have kind of solved that with what are called prepared statements. And it's kind of like a different way of doing things.
However, for 15 years, the answer was you write SQL queries and you try and remove, um, any punctuation from a user's input. And fundamentally, I think for those, you know, we're going to see the reintroduction of vulnerabilities that we kind of thought were solved. And three is the kind of software that implements AI. So, if you think about your ChatGPT-enabled whatever. You know, I use something called Descript to edit my videos. It makes calls to OpenAI in order to do some of its, like, fancy features. That's just an API call. That's all that is. That is an API call to OpenAI. Those I think are really interesting because, think about your OpenAI, your ChatGPT, your Gemini or whatever, when companies implement AI, they're not training their own. They're using these services, and that is fundamentally an API call. One thing that we've done at Traceable, um, is we look at that API call and secure at that layer, which is a different approach to perhaps, um, what you might see with some, like, other types of AI security, if you like. Um, but certainly, you know, looking at, it's all APIs. Like, if you look into AI, all it is is APIs, APIs, APIs, APIs. And also APIs written by a bunch of academics who were never really expecting their work to end up in production and who maybe didn't consider security the same way, you know, I might, or somebody else in security might.
Yeah. Um, so adding to that, you, you wrote another article for, for The Fast Mode where you discussed API key management, uh, including regular API key rotation as part of a healthier API security plan. Can, can you talk about API key breaches and how they occur and, and how actions like key management, rotation, scope limitation, and more are also necessary security actions for any organization in the present threat landscape?
Oh yeah, a hundred percent. So API keys: you can generate a unique token that represents your user account. It means, especially with things like paid APIs, that they can track which account is accessing which data, and usually it's because they bill you. Unfortunately, what happens is that developers will take these keys, put them straight into their code, go into GitHub and then, here's a commit, here's a commit message, here's the answer, and oh no, they've committed their AWS key into the repository. I had this really interesting reach-out from a journalist who was talking about something, and they said that their AWS account had been used and someone racked up a bill of thousands of dollars. How do you think it was done? I was like, I don't know, but I bet they committed their AWS key, because this is so, so common.
Actually, fun fact, there was this hacker dark web version of ChatGPT that was just using developers' OpenAI API keys that they had leaked. Obviously they pay as well, so they got this for free, which was quite funny. But again, it all happens in committing stuff into GitHub, using tools like Postman where it has API keys, and accidentally. It's very much accidental leaks. There's a great tool called TruffleHog. It's free and open source, and you can run it on your own repositories and it will show you where you've accidentally committed API keys. I really recommend it. It's completely free. Do that and feel bad about when you committed your keys.
But yeah, that's how it happens. And the output can be huge, because a lot of APIs are already linked up to somebody's credit card,
Mm
especially for something like AWS. If you don't have billing limits on, they will be able to spin up server after server after server, put a crypto miner on, and drain your company's credit card. Suddenly you've got a 20,000 AWS bill when it's usually, you know, 200?
Yeah. Yeah, no, it's kind of like a hyper-extended version of someone stealing your Netflix account or something like that. Only you're footing the bill rather than the streaming company. So yeah, that's
Yeah, absolutely.
Now, so the hackers were, they were sort of scraping GitHub and finding code sets that looked like they were probably keys and stuff. Is that
Yeah, there are some patterns for common keys, but also you could just look on GitHub and search for just the word "key" and then you would just be able to get API keys. It's kind of crazy.
And of course, when we talk about key rotation, even if you do commit these, you want to be rotating your keys, you know, every few weeks. So that way, when you do accidentally commit a key, you've got an attack window of, like, two weeks, not an attack window of, you know, two years in order to commit attacks. And some of these do go unnoticed for years, because, especially, think about a big company,
Yeah.
an AWS bill, they just pay it. They don't really think about what their usage is.
Mm hmm. Okay. Well, so based on everything that you've told us so far, API security is, one, really exciting right now; two, genuinely challenging; and so three, I mean, I feel like it's going to appeal to part of our listenership who are like, you know, challenge accepted. Let's do this, you know? So for our listeners who are interested in doing this type of work and becoming these kind of skilled practitioners and cutting-edge subject matter experts on API security, what kind of study, learning, work and experience should they be trying to prioritize in the first years of their security career? Obviously, number one, go to InsiderPhD and look into API security, but what do you think people who are hiring for this kind of thing are looking for on resumes that indicate sort of a knowledge of this stuff?
So my first piece of advice is learn how developers make APIs. I think that gives you such a good view of why APIs end up broken, because as you explore development aspects, you're going to make the same mistakes developers do. And that can really help you understand, one, how these mistakes end up happening, because they are usually just little mistakes, and two, to give you an idea of what a developer is actually looking at on their screen and why that differs from what you've got hacking-wise. There's a great book by Corey Ball called Hacking APIs. If you know absolutely nothing about API hacking and absolutely nothing about APIs, that is a great place to start. If you know a little bit, it's probably a bit too basic.
And I would say you might get more out of a book called Designing Web APIs, which is an O'Reilly book off the top of my head. It's meant for developers, there's a nice chapter on security, but it's really great for security people, because you probably know the security elements, and you're probably missing the kind of, how is API infrastructure built, how does that work?
Honestly, when it comes to books, I hate to recommend cybersecurity books because they go out of date really, really quickly. So I'm instead going to recommend APIsecurity.io. It's a newsletter done by API security experts, and it basically does a really good job of showing you API vulnerabilities and news in the API world, but also API breaches.
Yeah.
Other places that I really recommend, things like, yeah, my YouTube channel, a lot of Alyssa Knight's work. Like, she is on the...
She's been on the podcast three times. I adore her.
She's fantastic.
Yeah. Yeah. Yeah.
Oh, yeah, a hundred percent.
You could not ask for a better teacher in API security than Alyssa, for sure.
Okay. Yay.
Courses, I don't tend to recommend courses because, budget-wise, they're not necessarily within everybody's budget. If you want a more guided approach, go with Hacking APIs by Corey Ball. If you want something that's maybe a bit more loosey, kind of more engaging, like my videos, Alyssa's videos, it's a bit more kind of pull the pieces together yourself, but it's free.
Yeah, yeah. Absolutely.
But really, design an API yourself, like how they go about making them, because I do. Every single time I learn about a new vulnerability, I always implement it myself. And part of that is because I am a developer by training. I've worked as an API developer. But second, because I think it really does let you understand these systems far more than if you just read about them in a book, if you have a go yourself. And my number one piece of advice, the thing you really need to do, is actually hack APIs. Actually have a go at it. So many people think there's this critical mass of knowledge that you need to be able to reach in order to hack APIs. You don't. You can start right now. You don't need any fancy tools, you don't need to pay money. You use Burp Suite Community Edition, or Postman, and you just have a go. Like, I cannot stress this enough. You know, people will say, I really want to learn about this, I really want to do this, I'm going to read this book, and I'm going to watch this interview and stuff like that, and they never actually hack anything.
I promise you will learn far more in like 10 minutes of actually having a go yourself than I can teach you in like 10 to 100 hours. Like, you will learn so much about how things are actually done in practice. One thing I really like to do as well is I always keep my ear to the ground on what developers are doing. There's a great site called dev.to. It's like this developer version of Medium. And it's really great for just seeing what developers are talking about and seeing where they're at. It's more of a recon aspect more than anything else. But those are my top recommendations. Actually, actually have a go.
Yeah, and then going back to one of your previous recommendations, I imagine if you have a go and then you are able to document it, like put it on a blog, put it on a YouTube channel, show what you did. Yeah, especially when you're looking for that first job, I feel like people want to see something other than your academic career or your certifications or whatever. They want to see, like, you thinking. That's the thing we keep hearing, is that they want to see your thought process more than they want to see a solution that actually works a hundred percent of the time. So, yeah, I think that's awesome advice, and just get your hands dirty immediately, because yeah, we did like a little walkthrough where, you know, Ketron, our head instructor, put the marketing department through, you know, trying to find, well, when did a breach occur, looking at log files and things like that. And yeah, my brain got real sort of overheated, but you know, I was in it, you know?
It helps.
It helps. And I think as well, and I think this is personally really important for me and why I make content, you know, I have gotten so much out of this community. Like, every single person who's ever watched any of my videos, I owe part of my success to them.
And I want to give back to a community that has given me so much.
And I'm sure other people feel the same. You know, you look at top influencers, and you look at what they're doing, and for a lot of people, it is not about, you know, making themselves famous. It's about giving back to a community that has kind of given them so much, and actually the fame ends up being this weird second part of really what is, you know, giving back.
It's almost a distraction in certain cases. They're like, I just want to do the actual work. Why am I having to, you know, go to these interviews and stuff like that? But, no, I think that's awesome advice. Can you talk, I mean, just off the top of my head, can you talk about the ways that you sort of engage with your community? Do you go into your comment sections and answer things personally? Do you have a forum? Where are you getting these kind of input points? Like, is it just reading comments and going, okay, that's a good idea?
I mean, kinda, yeah. So, I keep a physical notebook, and every single one of my videos I actually plan out as a mind map. I start out with a general topic, and I always finish with, what do I want people to get out of this video? So, often when I see a kind of suggestion that's like, oh, talk about this tool or this tool, I'm thinking, okay, but what do I want someone to get out of that?
I think it's about taking inputs from lots of different places. Fundamentally, for any video I create, and this, if you're creating anything, I think this is really helpful: you've got to choose something that you didn't know, that you had to learn,
Okay.
because when you come at it from that angle, you will always find stuff, one, that you didn't really know about, and two, you'll be able to make content that actually resonates with somebody. And that actually makes them think, oh yeah, I can do this. Or, oh, I didn't think about using that tool in that way. So it's very rarely I see a video suggestion and I'm like, add it to the list. It's very much a kind of, oh, a topic around tooling. What tools do I use? Oh, I don't really tend to use any tools. Actually, the idea of not using tools is probably an interesting video. And that's how it ends up on my list. I very much use my community, not necessarily as a sounding board. I tend to engage mostly on Twitter. I kind of have tiers, so if people want solely InsiderPhD news and updates, subscribe to YouTube. You get the videos, you'll get replies to comments that are on topic, and my community posts are me telling you to go somewhere else because I'm doing a talk for another company or on another page.
If people want a little bit more of, like, Katie the human being, they can then go to my LinkedIn, where it has, yeah, all of the previous, but I also have things like, I'll retweet my students' work, for example, and I'll share what they're working on and I'll share a post that they've written. It's a little bit more personal, but again, it's very much on topic. And then you kind of go through to Twitter, where it is far more about me and what I'm up to. And it's very much Katie, not InsiderPhD, the brand.
Yeah. But that's where, actually, networking-wise, I've met so many more people on Twitter than I have from making my YouTube videos alone. And having a kind of, oh, it sounds really marketing, having a funnel about how you communicate to people. But when it comes to how to choose what to talk about, I mean, I suggest pick something you didn't know, and have an idea of what you want someone to be able to do after. Like, they watch your video and they should be able to, you know, do an API scan. They should be able to access an API endpoint. They should be able to understand what an API key is, whatever.
Yeah, now, yeah, I think even apart from just the way you structure something, that if you learn something you didn't know before, I think there's also, for people who watch these kind of videos, there's a different energy around a teacher who's teaching you something that they had to learn for that thing, versus just imparting information that they already knew, and they're just telling you this thing and they're not even really sort of connecting with it and stuff. So I, yeah, I think people really do react to that level of intensity that comes when you really had to, like, you know, dig the answer out of the dirt with your fingernails, you know?
I mean, there's a really good quote, and it's like, a traditional lecture is about a lecturer reading a book and imparting information to a student, but without that information entering the student's brain, or their own. It is very much a quote: regurgitate information, not, you know, actually think about the learning process.
Yeah, now, moving to other ways of sort of making your name or learning things or even making a little money. You've done some freelance ethical hacking, bug bounty. We talked about that a little bit. Can you talk about some of your experiences doing this type of bug bounty freelance work, how you got your foot in the door? I mean, you talked about Uber first, but how have you sort of continued it since then?
Yeah, so, my first vulnerability I found because I was a developer. So I had this realization, it's like, if I had built this API, I would have broken it by doing X. And I tried X and it worked. And that's really been my approach to all kinds of bounty hunting. I very much focus on, what would I have done wrong if I was building this? And that very much informs a lot of my hacking. So a lot of the kind of bugs I tend to find are permission-related, aka you can access information you shouldn't be able to, either because it's not your account, or you can edit something that you shouldn't be able to edit with your permission level. That would probably describe like 60 percent of my findings. 20 percent is then business logic related. So, it's working as intended, but when they built it, they weren't really thinking about the security outcomes of how they built it. And then the other 20 percent is, honestly, helping people with their bugs. A lot of bug bounty hunting is very, very communal. Working with other hackers to actually help them find bugs where maybe they don't have the skills or experience, or they're not sure, or they just want someone to sound it off.
Actually, I find a lot of other bugs with other people. So yeah, a lot of my findings are permission and business logic related. I don't tend to find a lot of cross-site scripting. A lot of people recommend that for beginners in bug bounty hunting. I don't. I think you need to hack what's in front of you. And I found vulnerabilities in the US military, in major social media companies, all the way to things like major retailers as well. You know, I can hack household names. And that's always a really fun thing to say at family gatherings.
Yeah, I'm pleasantly surprised to hear that, because I think of bug bounties as being this kind of, you know, almost like a game of rugby or something, where everyone is just thrashing each other to try and get to the vulnerability or whatever. So I'm interested to hear that it's so much more collaborative and it's not just this kind of race to limited resources.
Mm
I think that actually was one of the most surprising things for me as well. Like, I very much thought, you know, money's involved, people are gonna be really secretive, they are not gonna want to share things. And I honestly couldn't have been more wrong. Like, the people I've met in the bug bounty community, you will not meet a more welcoming community. I get asked a lot, how was it like as a woman in bug bounty trying to get in? I can honestly say it's been great. The community is really nice. Every top hacker I've ever spoken to is a genuinely good person. I mean, literally like last weekend, somebody was like, oh, I forgot to pay you for that vulnerability that you found two years ago, or that you helped me with. And I just... they just paid me money. I'd forgotten about it.
They'd forgotten about it.
But they still paid me because it was the right thing to do. And that's the kind of community spirit I always see in bug bounty hunting. Like, yeah, there are going to be people who are going to be secretive. And that's fine, because it's kind of expected. You know, for a lot of people, this is their full-time job. 90 percent of the community is so welcoming, is so engaging, wants nothing more than to get more people in the community. And they may not want to share all their skills. Might be a bit like a magician, you know, can't give away everything. But certainly, just chatting with me and sharing their knowledge and experience. I wouldn't say mentorship, because it's not very formal, but I know for a fact, if I was stuck on a bug, I know like 10 people I could easily reach out to for help, who would be absolutely fine to help without any kind of share of the reward, and even then they would want basically nothing. They just enjoy it and they want to help and they're good people.
That's fantastic to hear, and yeah, I hope our listeners will take advantage of that and jump into that community. Now, I have one more question before we get into the sort of wrap-ups here, as if we haven't already talked enough about all the different things you do.
You are also a tech marketer for Traceable. So, you know, like I said, many of our listeners use our podcast to kind of window-shop their potential careers. Can you talk about what a technical marketing manager does on a day-to-day or week-to-week basis? What are the sort of skill sets that you're putting to use over there?
That's a great question. I don't know.
So technical marketing is about being the person on the marketing team who knows absolutely nothing about marketing. I work day in, day out with people who live, breathe and eat marketing. Like, they do positioning and messaging, and I write blogs.
Technical marketing is, you know, a very specialist job. The idea is that you kind of become the liaison between the marketing team and the customers for a very technical product. So my job involves things like writing blog posts, presenting webinars, going on shows like this and talking about the company, doing media opportunities that maybe have nothing to do with the company, running in-person events, going to conferences, speaking at events. My job is a whole bunch of things. I travel a lot for my job as well. But the idea is that, you know, the people who use Traceable are security engineers, and it's very hard to market to a technical audience if you yourself aren't technical, because you kind of don't really know the audience super well. So you have someone like me who kind of is the in-between. So I write blogs both on things like how to use the product, what uses people get out of the product, but also what we might call evangelism for security: talking about API security, talking about how to secure your APIs.
I would say it's a great job if you love writing content and making stuff. For me, that's a major element. If you're okay with travel, I travel to the US monthly. I'm perpetually jet-lagged when I get home, and when I get there, I'm also jet-lagged, and I'm not sure how that one works. And it's something if you are kind of somebody who naturally likes to present, if you are quite comfortable in front of a crowd or a camera, because there is quite a lot of, you know, standing up in a conference talking about why API security matters.
But it's a job that includes the networking element, so the kind of talking-to-people aspect; the technical, being able to understand complex technical ideas; and the explainer part of actually how do you help somebody else understand those, and create something that helps them on that journey. It's kind of like a weird mismatch of all these things put together. It's kind of like being a professional YouTuber, but for a company.
Okay.
That was the connection I was going to say, is that I feel like it seems like a natural extension of what you like to do anyway, or would be doing sort of just for the joy of it, but you're also getting to do it for the specific thing here. So that's awesome. So before we go with Katie, we're about to wrap it up here, but I wanted to ask, do you have a piece of career advice that you've received that's been influential in your life? Whether it's from a parent or a mentor or a teacher, or it's just something you read in a book.
My lecturer when I was at college, I was 16, said, Katie, go do a PhD. And I was like, why? And he said, you'll never have to work with anybody ever. You'll just work on the one thing that you enjoy for the rest of your life.
Yeah.
Three years later, after I finished my PhD, I know he completely lied to me. That is not at all what doing a PhD is like. But that piece of advice, the whole "do a PhD", and, you know, somebody who comes from, you know, I didn't do well at school. I was really only interested in computing. I kind of had this passion for computing, but literally no other academic skills whatsoever. You know, I had to fight tooth and nail to learn formal writing and mathematics and stuff like that. Believing that I could do it, and I could do a PhD as well, and that there wasn't a big barrier for me other than, you know, getting a good grade in my degree and wanting to do a PhD. That was fun, like, that had changed my life fundamentally, and I still keep in contact with him every single year. We meet awkwardly at a restaurant and I give him my yearly update on what I'm doing, and, yeah, he's made such an impact on my life. I really can't thank him enough.
Oh, that's fabulous. I love the personal aspect of that as well. But yeah, he lied to you, but he also told you the truth. He
It was the right thing for me to do, but it wasn't what was advertised.
Yeah, yeah, he might not even have known that that was what he was doing, but that's how it turned out. So yeah, but it's about time to wrap up here before we go.
You mentioned that one part of your job as a tech marketer is that you want to tell people like us about Traceable. So talk about some of the products you work on with Traceable, what you provide for your clients, any other aspects of the company that you want to talk about.
So Traceable is kind of an all-in-one API security solution. So for our customers, we find APIs they didn't know about, test those APIs for security vulnerabilities, like the OWASP Top 10, enable you to look at the analytics and logs of your APIs. So when you have an attack, you can do a retrospective look at what happened before and after an attack. And, finally, being able to protect your APIs against attacks, being able to set rules and conditions in play. We also have an AI API security solution now. And we also have a tool called Sonar, which allows you to find even more APIs that you may not know about. So if you are interested in API security, I can really recommend having a look at Traceable and adding us to your list of potential API security vendors.
Nice. All right. Well, let's do some plugs here. If people want to know about Katie Paxton-Fear, some of the things you're working on, tell them where to find you on YouTube, on Twitter, on LinkedIn, all the places people can find you, and also where Traceable is online.
Yeah, absolutely. So you can follow me individually. I am on Twitter as InsiderPhD, or you can just look up my name, Katie Paxton-Fear. It's like the top result. I'm very proud of the fact you can Google me now. I have a YouTube channel. You can follow that if you just want to learn cybersecurity things. Traceable also has a YouTube channel. We put a lot of webinars together, which are all about learning API security. But you can find everything Traceable at traceable.ai. And you can find us under the blog, and then you'll see the posts that I've written there as well.
Awesome. Well, Katie, this was such a fascinating and wide-ranging discussion. I really, really appreciate you giving me the whole hour here. Thank you so much.
Yeah. Thank you very much. It's been a pleasure to be here. And of course, if anybody wants to connect with me post-event, please feel free to add me on LinkedIn or send me a message on Twitter.
Wonderful. Yeah. Our listeners are very active in that regard. So check your inbox sometime soon here. And as always, I want to thank everyone who watches and listens and writes into the podcast with feedback and suggestions as well. If you have any topics or guests you'd like us to cover on the show, just drop them in the comments. I read all of those, and we do what we can to give you everything you want. So before we go, don't forget infosecinstitute.com/free. This is the page where you can get a whole bunch of free and exclusive stuff for Cyber Work listeners. That includes a preview of our new security awareness training series, Work Bytes, a smartly scripted and hilariously acted set of videos in which a very strange office, staffed by a pirate, a zombie, an alien, a vampire and others, navigate their way through the age-old security struggles of yore.
Whether it's not clicking on the treasure map someone emailed you, making sure your nocturnal vampiric accounting work at the hotel is VPN-secured, or realizing that even if you have a face as recognizable as the office's terrifying IT guy, Boneslicer, we still can't buzz you in without your key card.
So go check out the trailer. It's awesome. It's also the best place to go. infosecinstitute.com/free is where you can get your cybersecurity talent development ebook. You'll find our in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional, and more.
One more time, that's infosecinstitute.com/free. And yes, the link is in the description below. One last time, thank you so much to Katie Paxton-Fear. And thank you all for watching and listening. This is Chris Sienko signing off. Until next time, keep learning, keep developing, and don't forget to have a little fun while you're doing it.
Bye for now.