When AI Goes Rogue: API Security in the Age of AI Agents | Guest Sam Chehab

Cyber Work #275 - Sam Chehab on Rogue AI agents and API Security
===

[00:00:00] chris-sienko--he-him-_6_04-15-2025_131842: Today on cyber work, Sam Shihab of Postman is going to talk to us about API security and the concept of rogue AI agents. The concept of the Rogue AI agent is multifaceted. It can include internal company policy, 

[00:00:13] sam-chehab_1_04-14-2025_124505: I'm not talking Skynet where agents build agents or anything along those lines, but that's kind of the, the, the first lens with which we have to look at, it's your well-intentioned developer trying to solve a problem or business user, and how do we get them to do the right thing?

[00:00:27] chris-sienko--he-him-_6_04-15-2025_131842: but on the more extreme side, of course, it can also be used. To talk about hackers using AI to create stronger, harder to detect malware, 

[00:00:35] sam-chehab_1_04-14-2025_124505: The bad guys are often using AI to come after us, and that's, I think, what a lot of people latch onto because it's sounds really sexy 

[00:00:45] chris-sienko--he-him-_6_04-15-2025_131842: but mostly we're talking about AI's role in creating improved API security, as well as the way that this task will require buy-in from different parts of the development and security team.

[00:00:54] sam-chehab_1_04-14-2025_124505: if you had to go talk to any developer off the street, like that would be one of their, one of their headaches, at which point they would try to [00:01:00] displace that back into the security team.

[00:01:01] sam-chehab_1_04-14-2025_124505: They'd be like, Hey, that's your job security team. How do we get those roles and those problems to converge, 

[00:01:07] chris-sienko--he-him-_6_04-15-2025_131842: And Sam discusses some ways that he thinks that the development and security job roles will change, expand contract, and become more democratized in the years to come. 

[00:01:16] sam-chehab_1_04-14-2025_124505: Your, your product managers are now able to build a prototype to hand back into engineering to go see, how it really functions and get better visibility into that. As the floor lowers, I just see the work shifting. I, software engineers will need to solve harder and harder complex problems.

[00:01:34] chris-sienko--he-him-_6_04-15-2025_131842: That's all today

[00:01:35] Chris Sienko: The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377, 500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why InfoSec has leveraged 20 years of industry experience Drawing from multiple sources to give you, cyber work listeners, an [00:02:00] analysis of the most popular and top paying industry certifications.

[00:02:03] Chris Sienko: You can use it to navigate your way to a good paying cyber security career. 

[00:02:06] Chris Sienko: So to get your free copy of our cyber security salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. click the link in the description and download our free cyber security salary guide ebook.

[00:02:20] Chris Sienko: Your cyber security journey starts here. 

[00:02:22] Chris Sienko: Now let's get the show started 

[00:02:30] Chris Sienko: Welcome to this week's episode of the Cyber Work Podcast. I'm your host, Chris sko. My guests are a cross section of cybersecurity industry thought leaders. And our goal is to help you learn about cybersecurity trends and how those trends affect the work of InfoSec professionals, as well as leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today, Sam Chi Shehab, is the head of security and IT at Postman, bringing over 20 years of experience in entrepr enterprise, uh, engineering, application [00:03:00] management and cybersecurity. to Postman, he also served as Senior Director of Enterprise and data security at Palo Alto Networks, where he led company-wide initiatives in zero trust, risk management and customer trust. He also held leadership roles at NVIDIA, overseeing IT engineering efforts to address core security challenges such as automated asset management and defect tracking. SAM holds an executive MBA from the University of San Francisco. So when we first talk started talking, uh, Sam was telling me about. Something called Rogue AI Agents, uh, and their, and their role in creating, um, malware as well as, um, fighting AI enhanced cyber threats. So we're gonna see, uh, AI is gonna be both the, the possibly the good guy and the bad guy in this scenario, and I'm looking forward to finding out more. So, Sam, thanks for joining me today and welcome to Cyber Work.

[00:03:47] Sam Chehab: Thanks for having me, Chris. I love the opportunity to always talk shop with folks.

[00:03:52] Chris Sienko: Excellent. Well, we're, we're glad to have you here. So, uh, Sam, let's, let's start with a bit about you and your original interest in tech and security. Have you been a, a early tech [00:04:00] adopter and tech fan your whole life? What was the initial sort of spark to get into cybersecurity in tech?

[00:04:05] Sam Chehab: Uh, I guess going way back, this reminds me of, uh, when I

[00:04:12] Sam Chehab: laptop.

[00:04:16] Sam Chehab: I think it had like a 10 megabyte hard something and he tossed and say, I've game on. You can play games until dinner. And so like that very early inception, I was kind of indoctrinated to tech because it just fascinated me. And obviously it's progressed through Doss and then it later into basic and then off to web pages.

[00:04:38] Sam Chehab: And um, eventually, like most kids probably cheated, um, on tests my TI 85 calculator. And.

[00:04:45] Chris Sienko: Sure.

[00:04:49] Sam Chehab: This is, and this is long before great services like Hack the Box, um, but just writing scripts to use, um, file exchange protocol or FXP, uh, to [00:05:00] distribute software globally across the internet. So I've had lots of fun in lots of spaces in the tech world and, um, uh, needs to say I didn't fall in the footsteps of my father.

[00:05:09] Sam Chehab: I dumped civil engineering pretty fast and pivoted into tech.

[00:05:12] Chris Sienko: so, uh, I'm, I'm curious about the, uh, the original, um, spark there. He said, if you can find the game in the computer, was that his way of sort of teaching you to understand sort of like file access or just like the, the sort of nuts and bolts of how to make the, the computer work? Is that

[00:05:26] Sam Chehab: Yeah, just here's the manual. Go learn dos and then go find your game to play. And it was just, as a kid, just finding a way to gamify something and get you engaged was, was very powerful for me.

[00:05:37] Chris Sienko: That is so smart. I love that. Uh, so, um, yeah, thank you. That's, that's one of the better stories I've heard on here, I think actually. So, um, yeah, and, uh, certainly the, the names like TI 99 calculators and stuff, we've, uh, we've heard them before. Let's just say we're all of a certain agent era here that, uh, yeah, those were some of the foundational machines for us.

[00:05:57] Chris Sienko: So, uh, so Sam, you're. Career started. [00:06:00] Uh, basically I, I was looking at your, your LinkedIn, uh, profile, and I like to look at people's, um, backgrounds to get sort of an x-ray of their career. But you started in firmly in a software engineering and app development space, uh, with companies like Nvidia and Box Two Technologies before taking on, I. More security focused work in, uh, data security with Palo Alto and Postman. So was this a big change in your work to that point? And if so, what got you interested in moving into data security, uh, and what did you have to do to sort of get up to speed in that area?

[00:06:29] Sam Chehab: Yeah, so I, I think. I did probably what every classic developer did we, I screwed up just about everything that OAS Top 10 warned you about. I made that.

[00:06:41] Chris Sienko: yep.

[00:06:42] Sam Chehab: Back then, the way that security typically engaged with engineering was, is they printed out a PDF and said, here, here's what you, here's why you're terrible at your job and go do better. And I just kept thinking to myself, there's just gotta be a better way. And um, [00:07:00] obviously the tools have gotten better.

[00:07:01] Sam Chehab: Security has really, um, started to pivot into how do we engage the.

[00:07:12] Sam Chehab: A high degree of technical mastery and at the same time having business acumen and that intersection was just fascinating for me. And really what kind of drove drove my pivot from software engineering to the, how can I just do this better to be compliant and not have the security guy chase me? But how can security come to the table and say, if you just follow this pattern, or just use my secure base image, then you don't some precipice.

[00:07:39] Sam Chehab: Pivot out of, um, a classic engineering role and pivot into cybersecurity.

[00:07:45] Chris Sienko: Um, can you speak more on, I, I, I agree with you totally with regards to the, the intersection between safety and, and business acumen. But for our listeners, can you talk more about, uh, that aspect of cybersecurity, the business acumen part of it?

[00:07:59] Sam Chehab: [00:08:00] So I, I guess the, the analogy I often use when I first start chatting with someone is I wouldn't spend a million dollars in a security system to protect my shovel inside of a shed. I'm over securing it and with, if you extrapolate that analogy out back into the real world, it just, it turns into, well if using a secret.

[00:08:21] Sam Chehab: Isn't super painful and you unlock it with touch id. Well, that's a great way to protect your secrets. We don't need to go any further, and it's almost no friction on you as a user. And so that's kind of the, the, the path that we look for is how do we get the implementation to be frictionless for you as the consumer or just enough friction, but not enough for you to do it a different way.

[00:08:42] Sam Chehab: That's a. Would be consider wrong or more prone to risk. And that's, that's kind of the, the business acumen side of it, in my mind, of doing risk reduction, but not in a way where it feels overburdensome when.

[00:08:55] Chris Sienko: Yeah. Yeah. Oh, [00:09:00] absolutely. Now, um, I feel like those, those particular aspects of cybersecurity have maybe separated out a little more. Now you have sort of like the cybersecurity people who are entirely working on the sort of risk side and then, and then the ones who are maybe doing the implementation. Is that, is, would you say that that's a more the case now, or is it still, do you still have to be kind of fluid in all these different places?

[00:09:21] Sam Chehab: Um. If you're running a really strong security program, you can blur the line between, uh, a control says this and your implementation looks like this. And I think, uh, shops are on some end of that spectrum between being very dogmatic. The control says this and the security, the security individual saying, well, I know this technology's how I.

[00:09:51] Sam Chehab: If security looks at itself like most, um, back office functions, it has to figure out how to scale. And [00:10:00] I think AI has been a real game changer for us in that respect, in that how do I give you guidance upfront to make better decisions so that I don't need to be everywhere? And an example I'd pick on there would be, um, probably on the farthest end for most security programs would be like third party risk management.

[00:10:20] Sam Chehab: Well, I send you a questionnaire and you send me a questionnaire and I have my AI fill out your questionnaire and you have your AI fill out my questionnaire and like no one really ever reads anyone's, anyone's, uh, report at the end of the day. But, um, if I take third party risk management and I types the procurement process, and let's say Chris wants to go buy something.

[00:10:40] Sam Chehab: And I say, Hey Chris, I'm gonna take my expertise as a third party risk management specialist.

[00:10:46] Chris Sienko: Mm-hmm.

[00:10:47] Sam Chehab: going to give, um, an AI model, the prescriptive prompt to talk about competitors, how to evaluate the software package, and you give me the software package, then I can give you [00:11:00] as an end consumer, a lot of prescriptive guidance of what.

[00:11:04] Sam Chehab: It's the spirit of an RFP process, but I can use AI to drive it back into your space and you can start to translate kind of my need for, well, what does a vendor's security scorecard look like publicly? Well, if that vendor doesn't look very secure, I can process that and I can stack rank who I recommend you to go take a look at that are competitors in the space.

[00:11:24] Sam Chehab: And so that's a bridge between kind of the old way of doing it and kind of the new way of doing it and how I see that intersection.

[00:11:32] Chris Sienko: Yeah. Yeah, I feel like this has been the ultimate, um, ambition of, of creating AI in the first place is to take out, 'cause a lot of that would otherwise just be the dredge work of you going on the internet and just looking up numbers and adding numbers to a spreadsheet and adding this and adding that. That's not the part that, you know, you should be wanting to do. That just takes up time. Uh, whereas you can, once you have all those numbers [00:12:00] in front of you, then you use your, your non-AI brain to sort of evaluate all this. All this raw data that's come at you in, in organized form like that, is that right?

[00:12:08] Sam Chehab: Yeah. And but, but the business side of it is, is if I create friction on end as a user.

[00:12:14] Chris Sienko: Mm-hmm.

[00:12:15] Sam Chehab: Well, you just swipe a credit card and go do your own thing until you get caught. At which point we have a risk problem. So I, I think it's, well, how do we, to borrow the, the analogy that we used earlier with regards to development and, and my own path.

[00:12:29] Sam Chehab: How do we meet you where you are to go solve the problem that you've got with or with ai? Without ai? That's, that's kind of the spirit of it and, and, and what I see kind of unfolding currently.

[00:12:40] Chris Sienko: Yeah, that makes sense. That makes sense. Uh, okay, so we're gonna be getting to the, uh, the AI agents in a moment, but I want to jump back to your career a little bit, if you don't mind. Um, so one of the projects in your previous work was defining and leading a zero trust strategy deployment for Palo Alto. Uh, can you talk about what that experience was like? Like what the challenges were, what you learned from the [00:13:00] experience? Because, you know, we hear a lot of, uh. Especially with the government, there's, you know, zero trust by X date and things like that, and it's always these sort of ticking clocks and so forth.

[00:13:10] Chris Sienko: But what was, what was developing a zero trust strategy for Palo Alto like.

[00:13:13] Sam Chehab: Uh, I, I think developing a zero trust strategy at a security company was, was, was very interesting 'cause, um, security companies obviously have their own pre definition of, of what Zero Trust was. Um, there's a lot of great articles out there from other thought leaders, from a lot of vendors, um, n.

[00:13:36] Sam Chehab: Academic, but principled way DOD has their own cut at it. Um, what I struggled with was how do we get all of the subject matter experts within their respective domain on the same page? And I think that's what is why industry has kind of taken this term zero trust and, and [00:14:00] kind of morphed into kind of their own definition.

[00:14:04] Sam Chehab: It all the distills down into kind of the same format. Make sure that you secure all of your identities, whether this be a, a contractor account, do they use MFA as an example, make sure that you're hardening all your devices and, and my definition of hardened may be the center, the center of internet security level two for you.

[00:14:23] Sam Chehab: It may be a system technical implementation guide, um, because you're working in the, but some definition of hardening that device. Hardening your applications. So, for example, have you walked all of your SaaS applications and ensured that, uh, they all log to your sim, make sure that, um, you ha do responsible, um, access management for third party plugins, things of that nature.

[00:14:50] Sam Chehab: Um, then you kind of go to that next tier, that next pillar if you'll, and it's really now that I've hardened my identities, hardened my devices.[00:15:00] 

[00:15:03] Sam Chehab: Easily in English language, go just talk to anybody and explain to them what enforced least privilege looks like and talk them on that journey. And they, they get it and then they go off to their respective worlds and, and figure it out. But if I start from an academic of policy enforcement point and try to talk you through kind of the, the, the academic definition of a policy enforcement point and how it applies in your world, you can lose a lot of people really quickly.

[00:15:26] Sam Chehab: So just go enforce lease privilege on your applications. Then you move into that third pillar, and this is really manifests itself, uh, from a network inspection, seeing who can talk to what, um, doing this on the wire, but also being able to do this via identity and how the security controls layer on one another and why we kind of have those pillars shape the way that we do.

[00:15:51] Sam Chehab: But who can talk to what. Then you go one more level down, which is I think probably one of the hardest layers is data security. [00:16:00] Ensuring visibility into all data movement, whether it be in memory, whether it be at rest, whether it be over the wire, making sure that you see how data is moving and making sure that it doesn't move outside of a boundary or just accessed by the right individual of that nature.

[00:16:16] Sam Chehab: And I feel like this where a lot of framework really fall apart. Security typically doesn't operate for a failure state, but it's that operational excellence component. If I did the first four pillars beautifully, then I track deviations. Uh, an example being, let's say, um, we have a secure VPN, but you're disconnecting from it.

[00:16:44] Sam Chehab: There's a reason you're disconnecting from. Now we could say that you're not allowed to disconnect from the VPN at all. And, and, and from a technical control standpoint, but let's say hotel wifi spotty and you need to troubleshoot something or you need to, maybe your job role [00:17:00] entitles you to go places that maybe are considered off-roading on the internet a little bit.

[00:17:04] Sam Chehab: Um, looking at those deviations of when the first four pillars fail or those exceptions of those first four pillars. Uh, let's say I'm working for the federal government and I have to go into a skiff. Well, I can't bring a USB stick into a skiff. Clearly, I'm going to need another way to access corporate collateral when I'm inside the skiff if permitted.

[00:17:26] Sam Chehab: Um, but I, I can't bring, uh, I can't bring a USB stick. So it's looking at those exceptions and then looking back at operational policy to see, do we need that deviation? Do we need that exception? And refine the technical rules that you have in place when you're securing identities, devices, apps, when you're looking at enforcing least privilege, things of that nature.

[00:17:46] Sam Chehab: So that's kind of the framework that we built, and then we took ourselves on that journey. And then obviously we went out and, and helped customers because they're at varying places on that journey, depending upon, um, what [00:18:00] external forces in their environment forced them to shift. So if you were popped, for example, you may be very worried about data security almost immediately, but maybe not hit some of those precursor steps hard, your device, hard applications.

[00:18:13] Sam Chehab: It probably should be a linear journey to some degree, but it's security and you can bounce around a lot at times Needed.

[00:18:24] Chris Sienko: Yeah. Now, um, what was your, did you have a, a, a team of people that you were working with on this? What was the sort of, uh, you know, the implementation or the, you know, the, the, the, the design team and the implementing implementation team for this incredibly complex multi-layer sort of strategy? Like, did you have people who were taking care of, you know, sort of lower level things for you, or were you the head of the whole show?

[00:18:48] Sam Chehab: Uh, I, I, I was running the whole program. I was meeting with, uh, the Chief Product Officer Lee, uh, weekly to provide updates. Um, but it, Palo Networks being a security company. [00:19:00] Running security within Palo Alto Networks, it was a very cross-functional endeavor across product teams, PMs, engineering and InfoSec, and even the, um, the marketing teams to kind of understand the security use case, why we were using the product a certain way or where the product needed to flex or where the product had absolutely.

[00:19:22] Sam Chehab: Why we weren't worried in a particular area. We're investing in others, and so it was interesting initiative across the entire company on.

[00:19:33] Chris Sienko: Heck yeah. No, that's, uh, you know, again, because so many of our listeners are. Thinking about what they want to do within cybersecurity. I feel like that was a really good, concise definition of what, you know, something as large as that. Uh, implementing a zero trust strategy across an entire security company, uh, would be like, and what kind of thought process.

[00:19:54] Chris Sienko: 'cause it's, you know, when you're still in the student phase, it's hard to imagine like, where would you even start with something like that? And [00:20:00] I think that was a, a great summary. So, um, one more thing here with regards to your current job. Like what is. What are your responsibilities as head of security and it for Postman?

[00:20:09] Chris Sienko: Like what does, what does that role entail and what are some of your common tasks and responsibilities?

[00:20:14] Sam Chehab: So it's actually very convenient that it and security are merged together. Um. Classic it is concerned about availability. With a CIO hat on, I care less about version 11 and, and version 10 compatibility issues. I, I only care about availability. I don't care about the security patch. Well, being responsible for security, I have to care about both and so it short circuits a lot of the risk that we postman.

[00:20:51] Sam Chehab: So.

[00:20:56] Sam Chehab: Pretty much changed overnight as a result of just the amount of flexibility that [00:21:00] we've got. It also helps that it's 850 people, not 20,000. Um, so there's definitely a, a scope and scale to it. But, um, I think that's the, the first component of kind of having those two, those two units merged 'cause I've seen and in other, other organizations or in past lives, um.

[00:21:20] Sam Chehab: Or vicariously through friends. Uh, within my network there's always that struggle between it and security of the, I need to apply a patch now. Uh, I only take downtime on Sundays and, and, and things along those lines. And that risk trade off of availability and security are, are, are often highly spirited debates and I get to fight with myself.

[00:21:39] Sam Chehab: And so that's kind of convenient. Um, so I think that's, uh, with regards to kind of overall mission, I.

[00:21:49] Sam Chehab: We own product security, therefore how do we make the Postman product as secure as possible? Um, we also drive an initiative of Postman at [00:22:00] Postman. So we use Postman prolifically within the IT space in order to scale, but we also look at the Postman tool or platform from a, um, a security perspective of what do I need to make Postman secure?

[00:22:17] Sam Chehab: To protect myself. And so we drive a lot of feature requests back into engineering. Um, all of the engineering heads are my peers, so it's very convenient. Um, I don't have to work with another organization to drive that change, but, um, postman at Postman is a very powerful thing for us to kind of drive product improvement.

[00:22:36] Sam Chehab: And then lastly, just from an IT perspective, uh, continually looking at employee productivity and how we scale. In this, in this new AI based agent world to keep up with the speed with which engineering is moving and the company's moving as a whole. And so I think that's kind of the broad responsibilities, um, at kind of a 50,000 foot [00:23:00] level.

[00:23:00] Chris Sienko: Awesome. Love it, love hearing about it. So, um, Sam, the, the topic you chose to discuss today is, uh, the concept of what you called rogue AI agents and how these AI agents are becoming an, an integral part of malware development. So before we start, set the table for us. What's, what's happening here? What are these rogue AI agents and what are they doing, uh, that's new in this, in this, uh, threat landscape?

[00:23:22] Sam Chehab: So there's a, there's a couple, um, there's a couple. Rogue AI agents are probably a lot like how people see shadow it as one definition. And the Sam is the well-intentioned user who's trying to accomplish something, but. He's built an agent that would be considered rogue from a governance standpoint, and he's hurdling things out in an, uh, out to random APIs in order to kind of accomplish his mission.

[00:23:50] Sam Chehab: Um, I'm not talking Skynet where agents build agents or anything along those lines, but that's kind of the, the, the first lens with which we have to look at, uh. What I would call a [00:24:00] rogue AI agent. It's your well-intentioned developer trying to solve a problem or business user, and how do we get them to do the right thing?

[00:24:08] Sam Chehab: Um, that's kind of the first front that we have to look at and worry about. The second front is the industry is continually changing, and so then it turns into, well, um, MCP is great. Or model context, uh, protocol is great. Um, but if model context protocol doesn't take into security, into consideration, well then how are we properly governing what gets built?

[00:24:34] Sam Chehab: So when Chris runs out to his favorite GitHub repository, rips an mp. MCP server off the internet and now wires it up into a product. Well, that would be very bad. There'd be no governance around that. Um, I separate out that use case because that's a very engineering specific case versus kind of the first case, which more business, um, business enablement.

[00:24:55] Sam Chehab: And then there's the last one, which is. The bad guys are often using AI to [00:25:00] come after us, and that's, I think, what a lot of people latch onto because it's sounds really sexy and, um, we clearly see it with regards to how well phishing emails are crafted and things of that nature. Um, so I, I see kind of three legs to that, um, AI conversation.

[00:25:19] Chris Sienko: Okay. I wanna linger a moment on the first of the three there because I wanna make sure that I'm you correctly. So, say for instance, you know, your engineer or your security person, or even your marketing person though, uh, is, you know, tasked with, okay, you can use this particular AI device, copilot, whatever, uh, your in-house one. You know, but just stick, just stick to that one, stick to these prompts and you're saying, well, I'm not getting what I need, and so what if I of go over here and use this other one that's not part of our approved list, but it got the job done. Is that what, is that what you're saying? So [00:26:00] you're adding this extra kind of, uh, layer of, of, you know, and justifies the means, and then adding that extra sort of, uh, potential garbage into the network.

[00:26:09] Sam Chehab: Yeah, and I think that just comes down to who's building what, how are they doing it, how are they validating it? How does security get eyes on it?

[00:26:19] Sam Chehab: Uh, push Postman, but that's, we've thought a lot about that problem and we've been in that space for 35 million developers.

[00:26:26] Chris Sienko: Mm-hmm.

[00:26:27] Sam Chehab: so, uh, if I'm able to see the collections that you're working in, we've abstracted away the model. We let you pick models, but. We've abstracted away a lot of that access and, and, and, and kerfuffle of, of trying to validate that we let you compare models for performance.

[00:26:42] Sam Chehab: Um, it's a safe place for you to play where we can get full visibility from a security perspective into everything that you're doing and all the APIs that you're calling. Seems like a win-win across the board as opposed to someone, uh. Off to some particular API that we don't necessarily see [00:27:00] it or it's stuck in a firewall log somewhere that, so I think that's the one of the constructs of, we can look at this from a rogue AI standpoint, or we could just look at this.

[00:27:11] Sam Chehab: This is a classic collaboration problem. And how do we pull it all together and then give you the guardrails to do it safely? Uh, where we have collections to structure what does and doesn't get seen. We help you generate documentation that way. It's very up to date. As you change your API, it gets auto updated.

[00:27:27] Sam Chehab: How do we scan it for secrets in case you are leaking? We tell you, um, things of that nature.

[00:27:34] Chris Sienko: Okay, so you, you mentioned, uh, that old, uh. Very, very common, uh, acronym these days. APIs, we, we talk about a lot on the show and it's, uh, you know, we had someone come on and talk, talk about a, you know, API hacking and so forth, but obviously, uh, APIs, uh, which act as the portal between e-commerce and the customer, uh, and our exceptionally prone to compromise.

[00:27:58] Chris Sienko: Uh, we had Katie Paxton fear on a while to [00:28:00] talk about, uh, you know, this very thing. And she hacked an API on the episode and as she put it, uh, it's incredibly. Hard for security professionals to secure APIs and incredibly easy for hackers to compromise them. So, uh, I'm guessing that these aspects of these AI agents and the number of them could make API compromise easier.

[00:28:20] Chris Sienko: But is is it also the case that like the ap you know, AI tools could be used in the defense of APIs and, and being able to find flaws and APIs faster? Is that, is that also the case?

[00:28:30] Sam Chehab: Yeah. Uh, so we, we use, we have a couple of tools built internally, um, where we fuzz our own APIs internally within the Postman ecosystem to make sure what we're building, uh, ties back to, um, kind of our best practices. But. In general for just API hygiene, I, I think there's a, there's a lot of opportunity, uh, for developers and, and for those of us who are creating [00:29:00] guardrails and forcing best practices, uh, to help with solve versioning.

[00:29:04] Sam Chehab: Air handling, like, don't give me a stack trace, don't give me more insight into what your application is doing. Uh, better input, validation, um, thinking about how to build APIs better. Um, those are, those are kind of the guardrails underneath the hood that, that we're trying to continually think about. And how do we help developers kind of do it right with.

[00:29:24] Sam Chehab: The least amount of friction possible. That way they come out the gate better and that's what we wake up every day and worry about and talk about. And kind of what I, when I mentioned Postman at Postman, what we're looking to do to.

[00:29:36] Chris Sienko: Yeah. Yeah. Now, um, in our pre-show you said quote, AI agent security is not rocket science, and it's in fact defined by typical enterprise security steps. So I think that's kinda what we're talking about. uh, do you want, can you talk a little bit about that gap? Obvi, obviously, uh, postman's one way, uh, to close the gap, but what, what is, is this a more of a [00:30:00] policy issue?

[00:30:01] Chris Sienko: Is this a tech issue? Is it all of the above? Is it something else?

[00:30:05] Sam Chehab: I, I definitely say it's all of the above. I think if, um, specs open, AI specs. We're, we're created, managed, and, and we followed those open API specs, um, and we coded to them. I think the world would be a, a better place in general. Um, I think if fuzzing tools were, uh, more prolific and they were integrated into the normal, uh, suite of functional tests.

[00:30:37] Sam Chehab: Common shop will say, okay, I've built it. I run my functional tests, I kick it over to security, and then security lives within Burp suite. Well, that's another human talking to another human to then perform an action and then provide feedback. It's like, well, why aren't those API? Tests automatically integrated into, uh, the stack from top to bottom.[00:31:00] 

[00:31:00] Sam Chehab: You have to pass the entire litany of tests and you don't have to custom build something in order for that integration to take place. So I think that's where we can continue to raise the bar on hygiene. Um, but it is a policy problem. It's a tooling problem. There's a couple of problems kind of compounded there, which make it harder for developers to do the right thing out of the gate.

[00:31:19] Sam Chehab: Uh, a an analogy of where I would say it's very seamless is if I was to take a really hardened base image. Well, if, if I could only pull from secure base images in a registry, well then it's really hard for me to go out to the internet and go grab an alpine image that may not be as well maintained. I have to grab the one that's blessed and that's where policy and enforcement can very cleanly be solved.

[00:31:44] Sam Chehab: But we don't really have that in the API space as good as we could have it, and I think developers still have to jump through some hoops to what we, what we worry about and what we. We build into the platform, but other people still have to worry about in other, in [00:32:00] other ecosystem.

[00:32:01] Chris Sienko: Yeah, it, it sounds like we're kind of, uh, could be on the cusp of sort of API 2.0 in the sense that like we've just sort of whistled past the graveyard for so many years about the fact that these are so easy to compromise and so easy to jump into. Um, and you're saying that, you know, if you have sort of built in set of tests, you know, up and down the stack, uh, can you talk about like what. I mean, 'cause it almost sounds like a new, a new sort of way to think about these particular portals. Can you talk about like, what that would look like in terms of like, data going through an API or, or, or things like that? With these, these new tests, what, what, how, how would that change things?

[00:32:41] Sam Chehab: Um, I would look to examples like RAC testing.

[00:32:47] Chris Sienko: Mm-hmm.

[00:32:48] Sam Chehab: it's tricky to test. You've got two users. One has higher permission, one has lower permission. How do you exercise programmatically? User A, can't do what user B can, [00:33:00] and how do you wire that up so that I as a user, don't have to think a lot about that, but you could generate those tests programmatically.

[00:33:08] Sam Chehab: So that we could explore a lot of those scenarios. It developers have to worry about that and struggle with that. And that's probably, if, if you had to go talk to any developer off the street, like that would be one of their, one of their headaches, at which point they would try to displace that back into the security team.

[00:33:22] sam-chehab_1_04-14-2025_124505: They'd be like, Hey, that's your job security team. How do we get those roles and those problems to converge, I think is is, is an, is an interesting space that that hasn't been played with enough. And that's, that's kind of what I see as kind of 2.0 and, and, and where the industry is going and needs to continue going.

[00:33:39] Chris Sienko: Can you, you sort of suggest, uh, the, the way that a conversion like that would work?

[00:33:45] Sam Chehab: Uh, so if I was to see your source code, if I was to then be able to see all of your endpoints, how would I generate your [00:34:00] o Os top 10 checks?

[00:34:02] Chris Sienko: Mm-hmm.

[00:34:02] Sam Chehab: How would I, it it, how would I, in your tooling generate, um, a spec for how your API should behave and then enforce that spec against you to ensure that you're following the right procedures?

[00:34:16] Sam Chehab: That's kind of where I see, see the industry going and, and see where we're all trying to put the right guardrails in place to ensure that the right thing gets done. I'll borrow the term shift left as, as close to the developer as possible, as opposed to, um, what it sound like in one of your previous podcasts where someone said, ah, let me show you.

[00:34:36] Sam Chehab: Um, broken iis authentication on the fly here and.

[00:34:41] Chris Sienko: Yep. Yeah, yeah. Just, just adding, adding negative quantities of things and finding ways, and next thing you know, you've got someone else's credit card and so forth that, uh, so obviously, uh, cyber work, uh, is, you know, work is half the name of our, our podcast and, and we wanna talk about, you know, careers in this space.

[00:34:57] Chris Sienko: So, for listeners who might be interested in [00:35:00] learning about. Uh, either being the sort of policy person that deals with the sort of rogue AI agent threat or their influence in malware development or especially API security and building toolboxes, like what are some, uh, current things you'd recommend they learn?

[00:35:14] Chris Sienko: Are there particular people reporting or covering on these topics that you follow that you think are especially worth? Um, uh, keeping on top of.

[00:35:20] Sam Chehab: Yeah. So I'd, uh, I'd say, um. The Hacker News is probably the best place for kind of what's happening at a high level. Um, I would say, uh, the CEO of Acquia. Um, Chris I think is just doing a phenomenal job of kind of being at the forefront and talking about what's going on and, uh, I would be remiss if I didn't mention, uh, unit 42 from AL Network.

[00:35:49] Sam Chehab: I just think they're doing a fantastic job in the space of documenting. How things are being exploited and what they're seeing in the wild. And you'll find a lot of use cases [00:36:00] there around how the attackers are using AI to reverse engineer, um, builds and find gaps and then build zero days based off of what they see.

[00:36:11] Sam Chehab: And so I think those are just probably three. Right there of kind of what I would, um, in order to kind of get a pulse and build out network, who they

[00:36:20] Sam Chehab: l.

[00:36:26] Chris Sienko: Nice. Uh, so because, uh, a lot of these skills that hiring managers want employees to have are still pretty new. There's some challenge in, in presenting these, these new skills, uh, you know, that you're, you're learning, uh, in, in sort of keeping it, you know, in these kind of bleeding edge technologies. Or maybe you, you know them, but you don't really have a chance to sort of like use them in your. Current day-to-day work or your student who's, you know, trying to get their first job. Like what are some skills and especially keywords for those skills that you would wanna see on a resume that shows, that would show you, you know, say I'm the hiring uh, [00:37:00] manager, that a candidate is keeping up with the latest innovations and skills and isn't gonna be, you know, a dinosaur in two years.

[00:37:06] Sam Chehab: Well, I think there's the, uh. Keyword bingo component of it, which, um, low end certifications like your security plus and things along those lines. I think that's just good. Um, it proves that you have some level of fundamentals and you're willing to endure some level of pain. Um, but. The world has changed so much from, from when I was coming up.

[00:37:29] Sam Chehab: Um, hack the Box is fantastic and being able to showcase some of the work that you've done and hack the box and talking about it in a meaningful way, um, where you weren't potentially doing things that were illegal. Like that's, that's fantastic. Work experience that you can pivot a lot of questions into that, um, you can write about in your resume, but you can that interview question, I think that's just huge.

[00:37:52] Sam Chehab: Uh, probably a second dimension that I would look at. Um, third dimension. [00:38:00] Um. I mean, there's, there's always, uh, and, and I do this for, for candidates, usually early to mid-tier is I'll look at your GitHub links. Uh, what code are you forking? What are you working on? What are you tinkering? Have you made any pull requests?

[00:38:15] Sam Chehab: Like, what are you trying to do in the space? And it doesn't even have to be recent, but it just shows me that passion for security and for engineering that really sets a lot of candidates apart and. In, in my career, probably no less than probably 50, 60 interns and almost always, those are the ones that help show me passion, and those are the ones who usually do the strongest in interviews.

[00:38:41] Sam Chehab: So they have kind of what I would call those extracurriculars, if you will, and not just a phenomenal GPA or computer science student or read a.

[00:38:50] Chris Sienko: Yep. Yeah. Understand it sort of academically, uh, you know, oh, I, I, I, I read this book over and over and over, but you've never actually, [00:39:00] like, touched, you know, the tools or actually, you know, even if you're not doing it. I know, I, we've heard plenty of hiring managers say that they just want to see that you're thinking about it and that you're, you're trying to break things and put them back together.

[00:39:13] Chris Sienko: You don't necessarily have to have the solution. You just need to be knowing that there's a problem to look for. So, um, so because skill learning happens. Steadily. And, you know, it can be hard to kind of boil the ocean sometimes. Let me ask you this, uh, once our listeners are done with this episode, they turn the, you know, YouTube off.

[00:39:31] Chris Sienko: Obviously want 'em to go look at Postman, uh, website. But what is, what is one skill no matter how small that they should try to learn today? It could be as small as proficiency in a single type of AI prompt or a productivity hacker or whatever you like. What, what's a small thing that you think, uh, everyone should sort of like as soon as possible?

[00:39:49] Sam Chehab: Um,

[00:39:54] Sam Chehab: basic scripting. I, I, I, I, I, I don't wanna, I don't wanna shove you into [00:40:00] APIs, but just be dangerous a concept. Uh, do a little coding to get some code out, understand what it does, augment it, and just hurling some packets across the wire. A thing done and then get a response back. I, I think there's just such a powerful concept and whether that's playing with MCP, uh, whether that's firing off a restful service, whether that's just writing something to the disc, manipulating some data.

[00:40:29] Sam Chehab: Just wherever you are on your technical journey, um, I think can pull you into cybersecurity. You're dealing with io, you're dealing with memory, you could be dealing with network. Um, there's just a controls that protect real. The, the world will require more and more scripting, um, for people to be successful cybersecurity professionals.

[00:40:54] Sam Chehab: And, uh, I'm not saying that you shouldn't vibe code, but you need to understand the code that it's [00:41:00] generating and being able to manipulate it. And I don't see Skynet coming anytime soon. So get comfortable with code and using that as an extension of you to go perform actions.

[00:41:10] Chris Sienko: Can you talk about that? we, we skynet's obviously been, uh,

[00:41:15] Sam Chehab: That's my theme.

[00:41:16] Chris Sienko: on this podcast a number of times. Uh, so sort of speak to that because you know, I, I know it's, it's, it's said in jest and, and so forth, but you know, boy, you sure get a, a, a spectrum of. Opinion across the internet, surprise, surprise that you know, well, it's the only matter of time, or it's this, or it's that, or, oh, sure.

[00:41:33] Chris Sienko: You know, these things look stupid now, but they're gonna be real smart in about 50 years and what have you. Like, can you, what, what are your thoughts on, on, on the future of this particular type of, of thinking and interconnectedness and, you know, thinking and in quotes and whatnot.

[00:41:46] Sam Chehab: Uh, well, I, I would, every technology revolution we've ever had. People have said that the world will, will never be the same and some [00:42:00] class of work will go away and we won't need humans to do the thing anymore. The technology will take over and whether it was the locomotive or electricity, like just the work shifted and we're gonna see the same thing with ai.

[00:42:14] Sam Chehab: If the, I still need skilled engineers.

[00:42:21] Sam Chehab: Create is getting lower. 

[00:42:24] sam-chehab_1_04-14-2025_124505: Your, your product managers are now able to build a prototype to hand back into engineering to go see, 

[00:42:31] Sam Chehab: um, 

[00:42:32] sam-chehab_1_04-14-2025_124505: how it really functions and get better visibility into that. 

[00:42:35] Sam Chehab: So as, 

[00:42:36] sam-chehab_1_04-14-2025_124505: as the floor lowers, 

[00:42:39] Sam Chehab: um, I see. More the democratization of development, but 

[00:42:44] sam-chehab_1_04-14-2025_124505: I just see the work shifting. I, software engineers will need to solve harder and harder complex problems.

[00:42:50] Sam Chehab: It won't be that, ah, I don't need a software engineer anymore. The code will write the code and I just have to tell it like, okay, that's cute. I grabbed lovable just like everybody else, and I spun up a, [00:43:00] a DocuSign clone within like 30 prompts. It's not a real DocuSign solution, but it has the spirit and, and look like one, but it is, it isn't hundreds of thousands of hours building a SaaS platform that I think I could, I could prompt my way out of, but I got close.

[00:43:19] Sam Chehab: And so I think it's just, it's gonna democratize that skillset. So a lot of other people are able to contribute and help software engineers focus on the more intractable problems that. They can't solve as easily today 'cause there's a lot oft that they need to work through. And that's when I joke about Skynet, the machine, building the machine and taking it all over.

[00:43:38] Sam Chehab: Um, I, I, I, I don't think that's the case. I just think that, uh, the world, the things that we're gonna be doing in the future are just gonna be different.

[00:43:47] Chris Sienko: Yeah, I agree. Uh, do you have any, uh, did you ever get like a piece of career advice that was especially influential to you, whether it was from a parent or a past boss or anything like that? Do you have anything you can pass [00:44:00] on?

[00:44:01] Sam Chehab: Uh, I'll keep it anonymous. Um, when I was at Nvidia, and I think I went through like six CIOs when I was at nvidia. Um, so they shall remain nameless, but they said. The faster you give away your job, the faster you will go up in a diligent way. There's like that little, that little asterisk at the end of it in a diligent way, what.

[00:44:27] Sam Chehab: Really took that to heart really early on in my career. And how could I build something amazing, package it up, evangelize it, teach others, do the change management, and then hand it off so that I could create, um, space for myself to go tackle the next challenge. And if you go look at my LinkedIn, I, I believe that one piece of advice has helped prepare entire career, just mindset of how.

[00:44:56] Sam Chehab: With a bunch of people around me, package it up, [00:45:00] move it on so that we can go do something amazing together. And, and I just, I've always tried to embody that as much as I humanly can. So that would be my one piece of advice that I got that has really resonated with me. And that asterisk at the end is always the most important thing in a diligent and responsible way.

[00:45:15] Chris Sienko: Yeah, yeah, yeah. Definitely don't shovel it onto someone else's plate until when they're not ready. Uh, so as we wrap up today, you've talked a little bit about Postman, but, uh, tell our listeners about a little bit more about your company. I.

[00:45:26] Sam Chehab: Sure. Uh.

[00:45:31] Sam Chehab: The API collaboration space is at a real inflection point due to ai and you will hear many thought leaders talk about how AI now has arms and legs. Those arms and legs for to go perform activities into the world are via APIs and postman really is. Million developers and.[00:46:00] 

[00:46:01] Sam Chehab: Be their arms and legs into the ecosystem. And as that AI wave continues to walk through our entire ecosystem and change what we do, I just see Postman as just a beautiful opportunity for everyone to get in, start experimenting with affecting change into their world for their workflows, and make the world a better place.

[00:46:23] Chris Sienko: Fabulous. Alright, well, uh, that sounds like someplace people would want go. So if you could tell our listeners where to find more about Postman and Sam she had while they're at it. Any other events or things you'd like to promote about yourself? Uh, let her rip.

[00:46:38] Sam Chehab: Sure. Yeah. So, uh, just go to Postman. If you're not one of those 35 million developers. Um, hopefully you go to postman.com and you sign up for a free account and just start experimenting and, and continue on your, your journey. Um, as far as just. Plugs in general. Um, there is a [00:47:00] event in June, it's called Post Con.

[00:47:03] Sam Chehab: It's down in Los Angeles. It's June 3rd and June 4th. Um, we're talking about everything that is API. So come on down. We'll be talking about, hey. How AI intersects with it. There'll be a lot of vendors there. There'll be a lot of hands-on workshops. This isn't just kind of the classic, uh, here's a talk at the 50,000 foot level, but there'll be SMEs talking about how they solve problems.

[00:47:26] Sam Chehab: Uh, yours truly, uh, will be there as well, talking about security at Postman and how we're using our tools and our SDOC and things of that nature. And I'd love to come wrap with you. So come on down to post Con.

[00:47:41] Chris Sienko: Post 10 in in June, June 3rd. Did you say

[00:47:45] Sam Chehab: Uh, yeah, June 3rd and June 4th. And if you just find your favorite social engine or go to perplexity if, uh, you're not using search engines anymore. And just type in post Con 25 and, uh, hope, hopefully I'll see you there.

[00:47:58] Chris Sienko: It'll all be there. All right. [00:48:00] Well, Sam Shiha, thank you for talking me through, uh, this new aspects of API security and the, and the new landscape. I really appreciate it.

[00:48:07] Sam Chehab: Thank you so much. I really appreciate it.

[00:48:10] Chris Sienko: All right. And thank you to everyone who watches, listens, and writes into this podcast with feedback. If you have any topics you'd like us to cover or guests that you'd like to see on the show, drop 'em in the comments as always. Uh, and before we go, don't forget that InfoSec institute.com/free uh, contains a whole bunch of free and exclusive stuff for cyber work listeners. Uh, it's here that you can find in your free cybersecurity Talent Development Playbook. You'll find our in-depth training plans and strategies for the 12 most common security roles, including stock analyst, penetration tester, cloud security engineer. Information Risk analyst, privacy manager, secure coder, ICS, professional and more. Uh, if you wanna know more about what a career in cybersecurity pays, you can also find our free cybersecurity salary guide for the latest, latest data on popular certifications and their related roles. Uh, there's also security awareness posters, eBooks, and you can sign up for a hundred [00:49:00] plus free courses on our InfoSec skills platform. You can learn incident response, forensics, security, architecture, and more. That's all@infosecinstitute.com slash free. And yes. There will be a link in the description below. One last time, thank you to Sam Shihab and Postman, and thank you for watching and listening. This is Chris Sanko signing off. Until next time, keep learning, keep moving forward.

[00:49:20] Chris Sienko: Keep one step ahead of the story and don't forget to have a little fun along the way.