EPISODE · Feb 24, 2026 · 27 MIN
EP 30 — Postman's Sam Chehab on Three Unteachable Traits He Hires For
from Future of Data Security · host Qohash
At Postman's scale of 40 million developers generating billions of API requests, Sam Chehab, Head of Security & IT, centers on three enforcement domains: authenticated and encrypted data paths, zero-trust inter-service communication, and runtime instrumentation. His vendor evaluation is just as precise, cutting past feature lists to one demand: show me the architecture diagram and walk through exactly how your solution addresses my threat models.

Sam identifies why generative AI creates fundamentally new risk: the combination of private data access, untrusted content processing, and external communication capability. This trifecta explains why browser-based AI is nearly impossible to contain; it touches local machines, queries the open web, and executes actions on your behalf. Sam also covers how he screens for three traits he can't train: initiative to self-direct research, attitude to absorb constant setbacks, and aptitude to process how rapidly this field moves.

Topics discussed:
- Implementing data path integrity, zero-trust inter-service authentication, and runtime instrumentation with immutable logs
- Evaluating cybersecurity vendors by demanding architecture diagrams and specific threat model solutions rather than feature lists
- Managing freemium platform security with anomaly detection, rate limiting, and abuse prevention across 40 million developers
- Identifying AI security's dangerous trifecta: private data access, untrusted content processing, and external communication capabilities
- Building MCP generators that enable least-privilege API servers by allowing developers to select only required methods before deployment
- Using AI agents to generate security tests during development, shifting validation from security teams to automated testing
- Applying security hygiene fundamentals before adopting specialized vendor solutions
- Hiring security teams based on three unteachable traits: initiative, attitude, and aptitude