The Future of APIs in the Age of AI Agents: A Conversation with Postman

May 1, 2025

In this episode of SecureTalk, host Justin Beals explores the evolving world of API technology and security with Sam Chehab, Head of Security at Postman - the platform used by over 35 million developers and 90% of Fortune 500 companies.

Episode Insights:

  • Postman's Strategic Position: Learn why Sam joined Postman in September 2024 and how they're positioned to be the connective tissue for the emerging AI agent ecosystem
  • APIs as Agent Infrastructure: Sam explains how Postman's catalog of hundreds of thousands of documented APIs creates the perfect foundation for AI agent interactions
  • Security by Design: Discover how Postman is embedding security throughout the API lifecycle - from conception to deployment
  • The Human Factor in Security: Why security remains a collaborative responsibility across organizations and how to foster a security-minded culture
  • Next-Gen Challenges: Sam's perspective on balancing innovation with fundamental security hygiene concerns like supply chain vulnerabilities

"I see such a larger ecosystem that's really going to get built here beyond what's out in the market today," says Sam, discussing how Postman will facilitate human-agent collaboration in building the next generation of applications.

Sam brings unique insights from his previous roles at technology giants like Palo Alto Networks and NVIDIA, where he once demonstrated an early chatbot prototype to Jensen Huang himself. His experience taking products through rigorous FedRAMP certification processes provides a valuable perspective on enterprise-grade security implementation.

This episode offers essential insights for developers, security professionals, and technology leaders interested in the intersection of APIs, AI, and enterprise security in today's rapidly evolving digital landscape.


Justin Beals: Hello, everyone, and welcome to Secure Talk. I'm your host, Justin Beals.


In today's increasingly connected digital ecosystem, APIs have become the essential building blocks that allow our applications to communicate and share data. 


They're so pervasive, they're literally a layer in almost every application we build. So even inside the software, the elements can communicate with each other in an effective way.


But as these critical pathways proliferate across organizations, they've created a new frontier of security challenges that few companies are fully prepared to address. 


When I was developing software years ago, I relied on a tool called Postman that functioned like an oscilloscope for API communications, allowing me to peer into the interactions between systems and troubleshoot connections. Today, that same tool has evolved into something far more powerful. And our guest is at the forefront of transforming how organizations secure their API ecosystems.


Imagine a future where AI agents seamlessly communicate with each other, executing complex tasks and workflows without any human intervention. This isn't science fiction, it's already happening. Here at StrikeGraph, we are already rolling out agent-to-agent protocols.


And these agentic AI systems need secure pathways to interact with real-world systems. And what underlies any of those interactions? The APIs that we've already developed. 


Our guest today describes this revolution perfectly. Soon, it won't be software developers manually coding RESTful integrations, but power users wiring up agents to perform complex business tasks through available APIs.


The companies that master this transition will have a tremendous competitive advantage, but they'll also face unprecedented security concerns. How do we maintain visibility into hundreds of thousands of APIs or the transactions of data? How do we validate both their functionality and their security? And most importantly, how do we build trust with customers when we're the custodians of their most sensitive data connections? These aren't theoretical questions.


As our guest shares, when you hold the keys to the kingdom, all the interconnectivity of applications, data calls, access keys, security isn't just a checkbox. It's a foundational element of product and reputation. In our conversation, we'll explore the evolution of API security from the early days of basic functionality to today's more comprehensive governance framework.


We'll discuss the challenges of securing modern API ecosystems, the role of AI in transforming how we approach security, and the critical balance between enabling innovation and maintaining control. 


For anyone building digital products, managing technology infrastructure, or concerned about protecting data in our interconnected world, this episode offers invaluable insights from someone at the cutting edge of API security.


Today we're joined by Sam Chehab. Sam is a seasoned technology leader currently serving as head of security and IT at Postman. With deep expertise in cybersecurity, software engineering, and IT management, Sam excels at translating business requirements into robust security programs and driving technology operations to meet strategic goals.


Previously, Sam served as Senior Director of Enterprise and Data Security at Palo Alto Networks, where he led Zero Trust strategy deployment and governance initiatives. Prior to that, he spent over eight years at NVIDIA, advancing to Director of Application Development, where he managed more than 250 applications and led a team of 50 engineers. 


His key accomplishments include developing an adoptable security framework shared with S&P 500 customers, establishing machine learning capabilities, architecting cloud migration strategies, and transforming user experiences for critical business systems. 


Sam holds an executive MBA from the University of San Francisco and completed MIT Sloan's Cybersecurity for Managers program. 


His core expertise includes cybersecurity incident response, governance, risk management, and compliance. And he has been recognized as an InfoSec Security Partner MVP.


Join me as we dive into the future of API security with Postman's Sam Chehab.



Justin Beals:  Sam, welcome to SecureTalk today. We're really lucky to have you on the podcast.


Sam Chehab: Thanks for having me. It's always fun to talk shop.


Justin Beals: So, one of the things that really stood out to me when we were researching you for a guest is your work at Postman. So I'm just going to own that. I know this product, Postman, fairly well. I've used it a bunch when I was a developer, and I have a real soft spot in my heart for it. It has solved many problems for me over the years as a software engineer, where I was like, I do not understand why this API is not working for me.


You must similarly have worked with the tool for a long time before you started working at the company.


Sam Chehab:  Yeah, I was a big user of it long before I came to Postman in prior lives at Palo Alto Networks and Nvidia. It's kind of the de facto tool. When you're in the hands of like 35 million developers and probably like 90 plus per cent of the Fortune 500, you almost can't run into someone who hasn't used it in some capacity.


Justin Beals: Yeah. And if I were to describe what it did for me, you tell me if it resonates with you. 


I used to work in the telecom industry a long time ago, and the old school days where we'd want to put like an oscilloscope or something on the line to measure the frequency of transmission. It was kind of like that for API communications. Like I could peer into another system that I was trying to reach data in or provide data to, and really see what was happening in the back and forth at a detailed level.


Sam Chehab: I think that's probably the interesting part of any platform, really, is your journey can start in a couple of different places. Often it can start in the "I don't want to learn curl, but I just need to be able to call an API." It can start in the "Wow, we have a lot of APIs, and just how do we get a handle on the documentation to get it to someone?" Your journey could start in the "Hey, I need to test a lot of APIs" as a QA engineer. And so your journey can start in a lot of places.


It could even start from a security perspective in the "Wow, there are hundreds of APIs out here." No one really has a good picture of everything. This seems like an opportunity for me to get a single control plane in order to understand what's going on and govern it.


So there's a couple of different entry points depending upon your role and your profession. But we all kind of end up converging at the sum at the same point, at some reasonable distance, is the who's building what, how are they building it, how are we validating it, how are we securing it, things of that nature.


Justin Beals:  Yeah, and so you recently joined as the head of security at Postman, is that right?


Sam Chehab: Yeah, this would have been the September timeframe of 24.


Justin Beals: So I'm a little curious, like, what attracted you to coming and working at the company? Is there initiative that you see for this tool, the platform where they're going, that you're really excited about?


Sam Chehab: Well, I think the first piece of it probably is just the fact that security at Postman in the company's life cycle is an interesting inflexion point. From a security perspective, in series A, series B, your security guy is your developer, and it's just how do you take the company to the next level. In a Fortune 500, it's, hey, do your thing off in the corner and, like, write a policy and stay out of my way.


We're at an interesting inflexion point at Postman right now, where security very much is transformational as we get deeper and deeper integrated into enterprises. How do we help them handle their workloads in a secure way, but at the same time, meet that spirit of collaboration? And to me, that was the exciting piece of, well, we're on the cusp of something great here.


And I want to be a part of that, and I want to bring my security and engineering expertise to take them on that journey, because there aren't very many individuals who can really shepherd that process. And so that was step one. I would probably be remiss because just about every podcast you have, someone probably says AI. 


I would be remiss to not mention AI in the sense that, and you saw this with Google's announcement for agent-to-agent, their agent to agent protocol and the model context protocol that Anthropic has rolled out is all of these agents that are now getting stood up need to interact with the real world and do something and invoke the verb, if you will, into the world. 


Well, that's going to be based on many of the APIs that we already have and have built. And so when you look at the entire Postman public network, where we have hundreds of thousands of APIs already catalogued and indexed, documented and maintained by developers, and then your own internal APIs, there aren't a lot of better answers out there in the market that would even help you wire all those agents together.


And that's really shepherding what I would see as a revolution in HR departments, in IT departments of the future, is it's no longer Sam the IT admin that clicks the checkbox, it's now Sam is the power user wiring up all of these agents to go perform complex business tasks for individuals, because we're no longer just buying SaaS apps that plug it all together for us.


And so I think that's the, if I had to give you like a token AI answer, like that would probably be the reason why I'm seeing that shift in the market. And that's just really what kind of attracted the moth to the Postman flame, if you will.


Justin Beals:  Yeah. Well, I think it's a real intersection. I think that those of us that have worked in machine learning for a longer period of time or been around, you know, large scale computing systems, when you have the data, right, and to your point, Postman has evolved from, I remember when it was a desktop app, and I would use it to hit APIs to like a more of a SaaS tool with a large database of information. And so you have all that data about APIs and how they work.


We have an understanding from an agentic perspective of things we want to do. So much of it is driven between getting data in and out. I mean, this is Zapier, right? Like, Zapier built a $100 million-plus-a-year business out of the fact that they'll get a light touch from one system to another. And if we can automate that through a real API perspective, it's very powerful.


Sam Chehab: Yeah, I just see so much more than what I would consider an automation engine, but really, how do we make a collaborative platform where agents and humans are collaborating to build out, kind of what I would say is the next series of SaaS applications. So I see such a larger ecosystem that's really going to get built here beyond kind of what's out in the market today. And that's the exciting part. 


And you mentioned kind of old school machine learning. It reminds me of a conversation that I had with Jensen Huang. This would have been 2016. We were trying to use long-term short-term memory to build the equivalent of a broad domain chatbot.


And I remember we worked on it for like six months, and we were just toiling on how to keep context and memories so that you could keep like a long, contiguous conversation. And we had this demo all dialed in on their internal defect tracking system. And we presented it to him and he said, "Can I see your laptop?" And I slid the laptop over to him and he typed in, "What is Jensen Huang's favorite barbecue sauce?"


And that's clearly out of domain at that time. Like that was absolutely out of domain, and the bot replied back with, "Cannot answer this question." And he's like, okay. Well, my expectations and just how far we've come and how far we're going to go, I think is just gonna be fascinating over the next couple of years.


Justin Beals: Yeah, I think we're pretty bought into this concept too, even in our own work, because the way we see it is the agentic system to us is the old workflow that we might have found in IT, like the Archer GRC tool or ServiceNow. Like, instead of having to decide what's got to connect to what and design that and have a whole technical suite of people, you're going to present the business problem.


And the AI system is literally going to develop the agent and integrations to run those processes for you.


Sam Chehab: And there's no one better positioned right now to kind of usher in pulling all of that together, which to probably a long way to answer your question, but really, why I joined Postman and where I see us taking it.


Justin Beals: You know, I was reading on the website at Postman that, I think in the recent 2022 State of the API report, 50% of the respondents reported API security is like a big reason that they're interested in Postman.


Practically, how do you think about the product and security? What types of ways do you feel like you want to embed good security in the Postman product experience?


Sam Chehab: So there's a lot there today. I think there's a lot more that we want to do.


With regards to what's there today, being able to have full visibility into your APIs, being able to have your test cases for functionality and security all in the same place, just goes light years ahead of kind of where the industry is. Historically, in my past life, we fired up Burp Suite every single time we needed to test something in the security space.


But now those test cases are completely devoid, and it's two humans talking to one another in order to run tools, and really it should just be that integrated stack together. 


So it pulls that collaboration element together. From a governance standpoint, just ensuring that kind of your basic tick and tie for HTTPS is turned on, headers are properly set, secrets management is there, things of that nature, those are already there and available for you. But there's clearly more we want to be able to do in that platform to make it even easier, because as you'll see from the State of the API report, or you'll see from GitGuardian's State of Secrets Sprawl, hygiene is the enemy in this space across the board. We need to be a great platform. We need to be able to help you kind of go from inception to deployment and take you through that entire lifecycle.


Justin Beals: Yeah, I do think like there's a guardrail factor, effective configuration. And it's interesting, I was interviewing somebody from TSA, and they were talking about how like in the TSA line, when people are looking at that screen and going back after back, they actually have to put in enough things to look for to keep the human's attention span, you know, looking at stuff. 


And I think that's where a lot of these control designs fail, where a human has to be in the loop because they're looking at the same thing every single quarter or every single month. They're going to miss when something is off, actually, because the brain is already expecting it. The machine won't. It never gets tired in that way. And I think that solves some of that baseline configuration challenges.



Sam Chehab: Yeah, in fact, I would argue that's probably what the successful manifestation of a frictionless system actually is, is now I need to introduce variance so that your human brain doesn't fall asleep at the wheel. Because otherwise it's frictionless in that I'm validating everything I can possibly validate, and you're only catching the anomalies, which is akin to just about every security problem on the planet. Like, how do I eliminate all the noise so that I only see the truly meaningful things that require my human brain?


Justin Beals:  Yeah. You were at Palo Alto Networks before you joined Postman. Tell us a little bit about your role there and how it prepared you for the work.


Sam Chehab: Sure. So at Palo Alto Networks, I ran enterprise security. There's an interesting dynamic running security at a security company. 


And not just any company, but Palo Alto Networks, in that you're really a kid in a candy store. You have, I don't know what SKUs are. I don't know what the price is. I have all you can eat of everything. And when I need to go into the market, I first go to the engineering team and say, "Here's the problem I've got. How can you help me?" And so it was fascinating from that respect, because more often than not, I've always been on the other side of the house, like when I was at Nvidia. Like, well, do we really need this? What problem are we trying to solve?


And Palo is like the exact opposite. And so that was fascinating in that once you've lived in a world where it was all you could eat, it's hard to leave security in a space like that, because they get security.


What Palo sells is trust. And every company sells trust, but it's truly sacred at a security company. And what that taught me was, when I ended up interviewing, I needed to make sure that Postman realized they were selling trust. And as a part of my interview, I think my interview with Abhinav, our CEO, was about 15 minutes.


It wasn't a very long interview. But basically, it came down to, I said, "Well, what's important to you?" And he's like, "SRP." I'm like, I haven't heard that acronym. So, please educate me. And he's like, "security, reliability, performance." And I was like, oh, well, I happen to think your priority is in the right place. If you get popped, no one's going to trust your platform. And how you handle being popped matters on how people trust your platform.


And that was top of mind for him. That was the first thing that he cared about. It wasn't feature, feature, feature, hey, you sit in the corner and try to tick and tie a checkbox for me. It was, how do we live for the next 20 years? And when founders think that way, it just immediately resonated with kind of how Palo Alto Networks thought. And that really won me over.


Justin Beals: Yeah. You know, it's funny, I think sometimes I see that bell curve meme where the people that are just new to the knowledge in the space actually have the right attitude, you know, they're like, our customers got to trust us. And the ones in the middle are like, I'm just trying to buy a firewall. And then the ones on the other end are like, everything is security, right? Like if we're not resilient, if we don't provide a service in a repeatable fashion, and they see it as absolutely critical.


Palo is a security company. They talk to people working in security, and if you don't feel like mission aligned, they're not gonna buy, yeah.


Sam Chehab: Yeah. So now, and I've spoken with, I don't know, no less than a hundred of our customers in EBCs. Once they spoke with someone who ran security, i.e. my job hinged on it, it immediately built rapport with, look, like I'm here to talk shop with you about how I solve problems. And I'm not interested in trying to say that I live in this panacea, and I work 10 hours a week, like I'm in the thick of it, just like you.


And that immediately built a lot of rapport with them. And that's a lot of what I've taken to Postman from a cultural mindset of, how do we build trust with our customers? Because you have the keys to your kingdom with us. All the interconnectivity of your applications, your data, your calls, your keys.


We need that same level of seriousness at this company that Palo has. And that's the level of discipline and mindset that I've brought to Palo and or to Postman. And I wouldn't have brought it if we didn't have kind of that founder down mindset for security, reliability, performance.


Justin Beals: Yeah, I have a particular cybersecurity question. I'm an ex-Chief Technology Officer turned CEO, so I always own that I'm not a deep cybersecurity expert, but I'm always asking, and since you're such a deep expert in the API space, I have this question about the agent-style integrations deployment.


I have struggled with them. They frustrate me a little bit, oftentimes because I don't have introspection on what that agent wants to do inside my system. I'm curious your take. I think we see tool sets like CrowdStrike that are, you know, agent-driven at the endpoint, close to the metal, but there were resilience issues, you know, and that motility.


Sam Chehab:  As far as agent, non-agent goes, there's pros and cons to both. I mean, it's just some of the cons being as often agents will conflict with one another, so you have kind of a management issue or like on endpoints. When you have 13 agents, you need a more powerful laptop, just merely the amount of instrumentation that you need on an endpoint overwhelms it. 


So, I think it just comes down to kind of the balance for your org and what level of visibility and control you need on that endpoint, which is highly predicated on the business. And so I think it turns into that, do you spend a million dollars' worth of visibility to protect a shovel in a shed, or are you in a highly regulated industry in the fintech space where it's absolutely mandatory that you have that level of control? It's the secret sauce of security, trying to turn that dial up and down to find the right level of granularity of visibility and control versus.


For example, the common problem that DLP tools have. More often than not, DLP blocks the good guy from trying to do the right thing more than it does the bad guy. And so I think that's just, there's a secret sauce there as a head of security or a CISO that you need to turn in order to make sure that you're enabling that business. 'Cause you can burn a lot of money really fast. You can ask for a lot of headcount really quickly to instrument everything. But what do you do with the data to enable the business outcome? I think that is where we often struggle as we pile on more agents to get more control.


Justin Beals: Do you see, I often viewed Postman as like a research and design tool for me as like an architect for code, where I could play with APIs and figure out what the sequence of conversation I wanted. As Postman evolves as a security tool, do you see it helping to provide those guardrails around how to develop these integrations in an effective way or build good network segmentation practices?


Sam Chehab: As far as network segmentation, I'm not sure I see us moving as much into that space, because just network is so nuanced. And everyone's got their own jalopy, if you will, of how they want to do it. 


But I think we do want to get more opinionated on how APIs are built, and help you build more robust APIs out of the gate. And so I think that is definitely the direction that we want to go.


We want to help users and get more guiding hands down the best path so that you can start to Lego block APIs together in order to create those business outcomes. 


But I think diving into the network is going to be pretty thorny, and pretty challenging because there's so much nuance into this VPC chatting with this one, but not for these reasons. 


Having looked at a lot of networks from a lot of companies, how they get to a user device destination or app is a, that's a really hard problem to solve. And I don't think kind of the industry is there outside of a couple of providers already in the security space.


Justin Beals: I'm probably pretty myopic in my viewpoint of it, too, where almost everything I build is like a RESTful web API. I don't think about the other modalities all that often, but you all support a lot of other modalities. I mean, to your point about some of the things that Anthropic has come out with about interacting with agents and things like that, you guys are probably keeping up with the marketplaces. They design these different methods of computers interacting with each other.


Sam Chehab: Yeah, in fact, just yesterday we announced MCP support. 


Justin Beals: That's great


Sam Chehab: So we're actively on kind of, I would say the, from a research perspective on the bleeding edge, what we're releasing out into product, kind of cutting edge, to make sure that it's integrated into the suite. You get everything you know and love about Postman, but you have good protocol support for how you move forward. 


But yeah, to your point, a large percentage of our ecosystem is going to be RESTful interactions, and it's going to be for a very long time because that's the majority of the APIs out there.


Justin Beals:  Yeah, I mean, we've adopted it as a fundamental software architecture, even inside a single stack at this point, it's the default, right? It was a day when I did a lot of XML work, but now it's all JSON. They designed their own, yeah, I know. That's right. 


Sam Chehab: Good old SOAP.
Justin Beals: Tell me about first coming into Postman. Was there someone that had your job before you joined the team?


Sam Chehab: Yeah, I think as a company evolves, the type of security and IT leadership ends up shifting, the needs end up shifting. And I think my predecessor did a fantastic job of pulling together some technology for where Postman was. I think the glide path of where we're going with regards to compliance frameworks, with regards to what our path looks like for HIPAA and things of that nature, is to build more trust with kind of our Fortune 500.


I think that's the next level for us as a company, and obviously, the security underpinnings that make all of that real. And so at some point, you even see this, is they will eventually shift towards what does steady state look like for security and IT, and eventually, like at Palo, CISOs aren't really worried about day to day, they're worried about sales.


And so this almost becomes kind of a complete sales gig, if you will, for how they're talking about the market and what's going on and the trends that they're seeing. And so I think there's just life cycles to CISOs within our respective journeys. And I think they were looking to enable kind of that mid-cycle, if you will.


Justin Beals:  I see. And so, you know, I've seen this a bunch, but it's confirming, you know, as you're expanding the marketplace, you want to service, you're expanding the credentials that allow you to enter that marketplace. It sounds like HIPAA is on the roadmap a little bit for you guys, or something you've already accomplished. Are you?


Sam Chehab: We're en route. We're en route towards moving that direction because that's where our customers are taking us, and if you're going to be a good steward of your customers' data, I not only want to follow those practices, I want to make sure I'm getting the certifications and the third-party attestations that show you that I'm moving in that direction.

So that's kind of the trajectory that we're moving, because that's what our customers


Justin Beals: You seem comfortable with this idea that we're going to design some of our security around these frameworks that are coming at us, and maybe in a legacy way I think there was more resistance, or we've certainly heard that from CISOs at times where they were like, I know what I'm doing. Has that been part of the transformation that the organization is going through a little bit?


Sam Chehab: I think it's more the scars that I've gotten as I've been at previous roles. I've seen the power of those frameworks to help shape and guide your thinking. And so I'm taking us on those journeys because our customers are asking for it. But if you follow the spirit of what many of those compliance frameworks are actually asking for, you should be doing all of the things on the appropriate prerequisites underneath the hood anyway. 


And so I'm creating a clean glide path to those certifications as opposed to what can often get lost in a certification is the, well, how do we all look the other way and try to get this certification? And that's just not the type of shop I want to run. I don't think that is the level of diligence that we really need as an industry. And I think it can often fall into that of just, do I get the badge?


And that isn't us. Like I said earlier, that's just not Abhinav, our founder. That's like, that's not his mindset.


Justin Beals: Yeah, I think this is one of the things that I struggled with as a CTO at an early-stage business was that I needed to get the certification, but I didn't want the certification to be any different than the actual security that we did.


That I didn't like. I didn't mind that we had requirements placed on us. You know, they felt like they had the right amount of wiggle room for us to find our right work in that. 


But I didn't like the idea that I was just going to get a badge, but what I thought, you know, we these two different gears we're trying to run in at the same time.


Sam Chehab: And it shouldn't be. And if it is, we're doing it wrong. Because I think I helped take probably 30-plus-some-odd products through Palo to FedRAMP High. I was responsible for that as a part of the enterprise and CMMC compliance. And if you do it right and you translate control language into technical implementation and vice versa, you can get there.


But it does take more work. And if you just lean on the "this is technically how I understand something, I'm going to go implement it the way that I understand it," you can often miss nuance that the control is requesting.


An example being provisional access. Well, if you don't know how to set that up in your environment or you don't know identity access management well enough, well, maybe a fixed role is good enough because that's what I know how to do. But in a compliance framework, they'll often say, Look, you need provisional access, like how long do you really need this? 


Now we can translate it and say it's zero trust, least privilege, and then we can kind of work our way back in. But at the end of the day, it's provisional access. I need X amount of time for this permission and this role to perform this task.


Justin Beals: Yeah, so, FedRAMP is just mind-blowing. I think you're the first person I've ever talked to that's owned that they've taken an organization through it; say, a couple of Moderates throughout my career. Yeah, that's a brutal type of assessment and methodology process, but just a high bar to meet and maintain that trust for your company, yeah, your customers.


Sam Chehab: Yeah, and it's a different sport at that level. And as you move into the DoD, the sport just gets complex, even more complex. And I think that's when you move, when you start to find a blend as a practitioner, from "I know my space" to "now I am defending in layers," and every layer needs to be able to work in unison to adequately protect against the attacker, or stop the attacker. That's why these controls exist.


And we still had our red team dance through us at times. And we needed to keep upping our game because blue is hard. Blue is really hard.


Justin Beals:   Yeah. I've told folks that I think the sports metaphor works here. It's like soccer. You know, you're going to lose some matches. Like, there's an opponent on the field. They're constantly trying to figure out how to get around you. And it's a hard job, right? Because one goal scored against you is really difficult. Yeah.


Sam Chehab: When I was at Palo Alto Networks, we used to set up challenges, the head of offensive security and myself. And we would set up challenges. 


The first year, that individual had to send an email to the CIO saying that engineering is amazing and we, as security, failed, because I had won the challenge; they weren't able to break in.


And the second year, me being kind of my classic type A, I'm like, we've got to up the ante. Winner gets to pie the other person in the face. And well, they won, and there's a video of me getting pied in the face with a couple of folks in the background watching, because I was like, you're not going to break in, and I beat you last year. I'm going to beat you this year. And they broke out a very novel technique, and pie in the face.


Luckily, I got to pick the pie. I went kinda lemon meringue, because, you know, there's like a pie density problem I was worried about, so I went lemon meringue and it didn't hurt as much.


Justin Beals: Also temperature; you'd be able to come with a cooler temperature.


That's epic. It is important to kind of respect the community around you and the challenges that they have when you're doing this kind of work. That's hard sometimes to see, but certainly my old boss at British Telecom was like, "If we don't get hacked this year, Justin, they'll cut our budget." That was the old school way. I think just being aware of the hard work of security.


Although I think that the certifications have changed the ROI analysis, because it's a revenue thing. Security is no longer a cost center. It's like, I get this market if I get this level of security. Yeah.

Sam Chehab: Yeah. And I think that is what changes the mindset. But as long as you don't lose the fun along the way, it's a wild ride. This industry is always changing. And the running joke right now is, in MCP, the S is for security. And it's like, it's kind of an afterthought. Like, what is this agent that I've just downloaded off of GitHub? Like, what does it do?


It interacts with the file system. You're like, well, how do I know? But that was, this is in the last, like, seven weeks. So like, that's the wild part about this industry, and the part that just wakes me up every morning and gets me pumped and ready to go.



Justin Beals: Yeah, it is exciting. There's a lot of innovation going on. I think, how do you think about perhaps both the security side from an operations perspective of AI and Postman? Also, do you influence the product side a fair bit? Are you cycling through what you might consume, or what you might recommend being in the marketplace for security-minded options?


Sam Chehab:  So I'll answer the back half of your question first. I am customer zero at Postman. In IT and in security, we use our product for agents and to solve our workflows. When the product doesn't work or work the way we interpreted it, we go back and say, “Hey, here's my use case. Here's what I'm trying to solve. Where is this on the product roadmap?” 


We have to eat it. Drinking your own champagne, if you will, as the analogy. Like, we are customer zero from a usage standpoint, which then allows us to bump into security use cases. We use Postman to protect our own APIs and test our own APIs, because we're front and center. And so we often look at it through a security lens from a development standpoint.


Operationally, we look at it as well. What flows into our SIEM? How can it be better? How can we get logs more specific so that we can take more action? How do we make our secret scanner more and more actionable when it comes in?


Many security tools, when they are built, or when people build security features, are great at throwing an alert at you, but not at helping you actually solve the problem. Kind of the classic security tool issue.


We're taking that mindset operationally and shoving that back into the Postman team to make sure that those changes get done. So we're looking at it from soup to nuts across the entire ecosystem. How do you consume it? How do you better help enable workflows? And third, how do you make it more secure out of the gate?


Justin Beals: Yeah, I also love this idea that we can chain together these models or agents and get them through a process like that of work. But it does open up access to things where we would have a human, or expect a human, to operate within the guardrails that we've tried to install for them.


But it does feel like kind of the if-then loop of memory. You know, like we're going from a model that could summarize information into a "do this, then check that, then look at the next step." And for us, we think it's gonna push back on the analyst role in some cases, where the machine can read a certain set of practices and be an expert analyst, recommend changes from an operations perspective, perhaps even go and execute those changes broadly in the org. Yeah, it is exciting.


Sam Chehab: Yeah, I think there's going to be a promotion path between AI collects the information, analyzes the information, provides recommended action, human takes action. And then at some point there'll be an "evaluate." We will elevate beyond the "well, I've always taken the same three actions when this problem comes up. Here's the decision criteria." Now let's flip the switch, and hopefully we don't turn on Skynet and it takes over the world.


Justin Beals: I don't think we're quite there yet, but it's fun to touch me. 


Sam Chehab: No, not quite. We're a couple years out.


Justin Beals: Yeah, it is a little uncanny at times, but yeah. Speaking of the future, how do you think about? I'll ask you where you might be focused. Are you more worried about certain security issues cropping up in the future, or do you think a lot about the opportunities that some of these new technologies are providing?


Sam Chehab: Well, from a threat landscape standpoint, I think security still has the hygiene problem across the board. And so I'd be remiss if I didn't say, I wake up every morning and worry about our supply chain risks. Log4j wasn't that long ago.


And I remember, as soon as I realized our impact, I called my mom and said, "Well, I'm not going to be making it for Christmas. Love you." So supply chain risks are top of mind. And I still don't think we as an industry have really solved that well. I think SaaS-based risk is still a problem. We can TPRM each other for days.


But how do I visualize and manage my SaaS-based risk? That is a challenge for newer companies.


More legacy companies have a lot of things in-house that they run, but I have a massive SaaS risk that still keeps me up. And then there's that tertiary risk that is still nascent and forming around agents. And how do I get fit-for-purpose connections from my agent back into the ecosystem of APIs that I have?


That is a risk of mine. Just, if I had to look at what's going to put me out of business every day, first it's still kind of the classic tried-and-true supply chain risks, SaaS-based risks. And then, well, then it's agents in the grand scheme of things.


Justin Beals:  Yeah. There's a lot more like near-term known issues that feel like they need the resolution, maybe before we get to future-proofed.


Sam Chehab: Yeah, I just, I feel like AI is shiny and hot, and it could be easy to just say, well, I'm going to block everything. I'm going to block the whole internet and let you go to your favorite news site and Postman.com. But I would cripple the company.


And that's where I think I'm allowing the risk, because this company needs to grow to stay at the forefront of API collaboration. But at the same time, I know I've got a lot of hygiene work that I need to go do, because every CISO, if they look at themselves in the mirror or they have good visibility, knows they need to go do it as well.


And that's the balance that I've got to find. But it's probably those three in that order as far as what keeps me up at night.


Justin Beals: I think the configuration thing is interesting. We've only had any challenges, yeah, when someone just made a mistake. They didn't secure a document the right way, or sent it to the wrong email, or something like that.


I haven't had, not in a long, long time, any big cybersecurity issues, knock on wood, of course. And it is fun to think about the future disasters, I think, more than the ones that I need to solve today.


Sam Chehab: Yeah. It's that old version of jQuery lying in your code that's probably going to kill you long before someone wires up an agent and it becomes a data exfil bot.


Justin Beals: I haven't heard that name in a long time, jQuery.


Sam Chehab: It's out there. 


Justin Beals: It's out there. Yes, I was talking to a friend the other day, and I was like, he's still running our old JVMs? And he's like, oh yeah, they're still on there, just going strong.


Sam Chehab: So it's not as sexy, and that's probably not the exciting answer that catches a lot of headlines. But if you asked me about what's evolving and what I worry about, it's really those things today, because agents are tomorrow's problem.



Justin Beals: Well, and I think one of the things we've seen, and I wonder if this resonates with you, is that too many organizations place all their trust in security in, like you, Sam, you know, the head of security.


But my philosophy is like, this is an operational characteristic; everyone participates across the board. And I think we tried to solve this with, like, security training, but the thing I've gotten to do more and more has been like, this is in your job description, you own this part of security. This is your bit. Yeah. And that's helped.


Sam Chehab: I think the success of heads of security and CISOs, for longevity, is directly correlated to how much they align the company to the mission of security. And physical use cases more often than not resonate with folks a little bit easier, but it's just the, if I'm walking into a building and everyone needs a badge: did you at least look at Sam's badge? If so, then security is part of your job. You just subconsciously did it.


And in a digital space, it gets a little sloppier and not quite as clean, but the physical use case really helps, hopefully, resonate with people. And then you kind of extrapolate from that back into cyber, for email. Like, do you need to be a clicker? Do you need to click on everything? So, rewarding behaviors, like when people report. Like, you've reported a phish. Like, that's awesome. Good job.


You raised something to our awareness. And maybe that is a new attack campaign that we haven't seen yet. Like, thank you. Good job, as opposed to slapping them on the hand and saying, "You fool. You're a clicker." So I think, culturally, when you can pull in the entire org, you create a lot more longevity for the organization to minimize a breach that is inevitably going to happen.


Justin Beals: Yeah, Sam, we're really grateful for you sharing your expertise. I'm grateful for your supporting a product that I love. I know they're giving you a paycheck, too, but I really appreciate that you guys at Postman are keeping this really great tool rolling and continuing to give us a lot of value. I know my team uses it day in, day out. I talk to them all the time when we do integration work. I'm like, can you show me how you built that in Postman? They're like, yeah, OK.

Sam Chehab: Awesome.

Justin Beals: Yeah, thanks for joining us today.

Sam Chehab: Well, thanks for having me. I really appreciate the time. It's fun to talk shop.





About our guest

Sam Chehab, Head of Security and IT, Postman

Sam Chehab is a seasoned technology leader currently serving as Head of Security and IT at Postman. With deep expertise in cybersecurity, software engineering, and IT management, Sam excels at translating business requirements into robust security programs and driving technology operations to meet strategic goals.

Previously, Sam served as Sr. Director of Enterprise and Data Security at Palo Alto Networks, where he led Zero Trust strategy deployment and governance initiatives. Prior to that, he spent over eight years at NVIDIA, advancing to Director of Application Development, where he managed more than 250 applications and led a team of 50+ engineers.

His key accomplishments include developing an adoptable security framework shared with S&P 500 customers, establishing machine learning capabilities, architecting cloud migration strategies, and transforming user experiences for critical business systems.

Sam holds an Executive MBA from the University of San Francisco and completed MIT Sloan's Cybersecurity for Managers program. His core expertise includes cybersecurity incident response, governance, risk management, and compliance (GRC). He has been recognized as an InfoSec Security Partner MVP.

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
