The API Hour

Christine Bevilacqua

The API Hour is your front-row seat to where APIs meet InfoSec. Hosted by Dan Barahona and brought to you by APIsec University, each episode dives into real-world breaches, testing tactics, and the tools shaping AppSec. Whether you're building, breaking, or securing APIs, you'll get practical insights from the experts redefining API security. Plug in, lock down, and decode what’s really going on behind the APIs—because in a connected world, security is everything.

Episodes

  1. 29 AUG

    Hacking AI and Retraining LLMs

    Artificial Intelligence is transforming every industry, but with that transformation comes new security risks. In this episode of The API Hour, host Dan Barahona interviews Robert Herbig, Senior Engineer at SEP and instructor of the APIsec University course, Building Security into AI, to explore the emerging world of AI attacks, data poisoning, and model tampering. From poisoned stop sign datasets to prompt injections that trick LLMs into revealing dangerous information, this episode is packed with eye-opening examples of how AI can be manipulated, and what builders and security teams can do to defend against it. What You’ll Learn Data poisoning in action: how mislabeled stop signs and manipulated datasets can cause catastrophic AI failuresWatering hole attacks & typosquatting: why malicious datasets and libraries pose a hidden riskPrompt injection & jailbreaking: real-world cases where LLMs were manipulated into revealing restricted informationBlack box vs. white box attacks: what attackers can infer just by observing model confidence scoresRetraining & RAG: how AI models ingest new information and why continuous updates create new vulnerabilitiesThe API connection: why exposing models via APIs ties AI security directly to API security best practices Episode Timestamps 00:45 – Stop signs, stripes, and poisoned training data07:00 – Data poisoning in Gmail spam detection17:00 – SEO hacks and AI summaries: a new frontier for attackers22:00 – Typo-squatting and malicious packages25:00 – Pliny the Liberator and “memetic viruses” in training data33:00 – Black box vs. white box attacks on computer vision models43:00 – Prompt injection and roleplay exploits52:00 – APIs and AI security: two sides of the same coin

    1h 2m
  2. Inside this Year's Biggest API breaches: Real Stories, Real Lessons

    18 AUG

    Inside this Year's Biggest API breaches: Real Stories, Real Lessons

    In this episode of The Appi Hour, Dan is joined by Dave, Head of Products at APIsec, to unpack some of the most eye-opening API breaches making waves. From leaked API keys at xAI, to McDonald’s exposing 64 million job applications, to logic flaws in Base44’s vibe-coding platform, and even a Volkswagen app that let attackers brute-force their way into cars—the stories are as shocking as they are instructive. Dave brings frontline experience from working with customers on API security, highlighting how seemingly small oversights—like hardcoded keys, weak authentication, or unchecked authorization—can snowball into massive vulnerabilities. Together, they connect each case to the OWASP API Security Top 10 and share practical steps to avoid these same pitfalls. Whether you’re a developer, security engineer, or simply curious about how everyday apps get hacked, this conversation offers valuable insights (and a reminder of how critical APIs are in today’s digital world). What you’ll learn: Why API keys remain one of the most common—and preventable—security leaksHow researchers accessed 64 million McDonald’s job applications via a simple IDOR flawThe hidden risks of convenience-driven platforms like Base44How a used Volkswagen exposed its owner’s data through predictable APIsBest practices for preventing brute force, excessive data exposure, and broken authorization Tune in, take notes, and walk away with actionable tactics to strengthen your own API security posture.

    34 min
  3. Breaking your Build Before Hackers Do

    7 AUG

    Breaking your Build Before Hackers Do

    API Security Meets DevSecOps with Scott Bly In this episode of The API Hour, cybersecurity expert Scott Bly joins host Dan Barahona to explore how integrating security into the DevOps lifecycle, aka DevSecOps, transforms API protection. From threat modeling and security metrics to the role of AI and gamification, this is a must-listen for teams aiming to balance speed with security. Learn how to embed security culture across development teams and build smarter, safer APIs.

    43 min
  • 3 Episodes

About

The API Hour is your front-row seat to where APIs meet InfoSec. Hosted by Dan Barahona and brought to you by APIsec University, each episode dives into real-world breaches, testing tactics, and the tools shaping AppSec. Whether you're building, breaking, or securing APIs, you'll get practical insights from the experts redefining API security. Plug in, lock down, and decode what’s really going on behind the APIs—because in a connected world, security is everything.

Information

  • Creator
    Christine Bevilacqua
  • Years Active
    2K
  • Episodes
    3
  • Rating
    Clean
  • Copyright
    © Christine Bevilacqua
  • Show Website
    The API Hour