Three Things Every Ciso Should Know About API Security
F5, September 30,2025
In the third episode of the F5 Global CISO: For defenders by defenders, I was joined by Corey Ball, one of my favorite API hackers. Corey's been active in IT and cyber security for the past 15 years, and literally wrote the book on hacking APIs when he found that there really wasn't much in the way of collected knowledge on the topic, and this is when we first met.
The book is Hacking APIs: Breaking Web Application Programming Interfaces, which provides a crash course in web API security testing. Corey also was a founder of APIsec University, a free resource for learning about API security, and is founder and CEO of hAPI Labs, which performs API security and web app penetration testing.
Corey is clearly an expert on API security, so I asked him the question of the day: What are the three things every CISO should know about API security? In particular, I wanted to know what he thought defenders could learn from looking at API security from the attacker's perspective.