It won’t be wrong to say we live in an API-driven world, as organizations are increasingly building microservices-based applications that are all stitched together by APIs. That means APIs have become low-hanging fruit and a massive attack surface for bad actors.
Andrew Wesbecher, VP of Worldwide Sales at Traceable AI, believes that the ‘traditional’ way many security vendors approach API security, through web application firewalls, is not enough. Traceable has a three-pronged approach to the problem: first, visibility into the APIs a company is using; second, modern web application firewalls; and third, a SIM or Splunk built for API and microservice security. In this episode of Let’s Talk, Wesbecher discusses the approach Traceable has taken to API security.
Key highlights of this video interview are:
- An increasing number of applications are stitched together using APIs, particularly as developers turn to microservices, but this is quickly becoming the new attack surface. Traceable AI aims to help organizations secure app APIs. Wesbecher talks about Traceable AI and what problem it is trying to solve.
- Many organizations are shifting their workloads from servers they owned in traditional data centers to the cloud, which has presented new challenges for security. Wesbecher explains how the traditional perimeter of network and perimeter firewall has vanished and been replaced by a software-defined perimeter, and how Traceable AI fits into this new model.
- Wesbecher describes how the majority of spending in the marketplace to address the API security challenge is on web application firewalls (WAFs) from vendors like Akamai or Cloudflare. He explains how WAFs let through potentially malicious web traffic. Wesbecher discusses how the new crop of API security vendors is approaching these challenges differently, and specifically the three key ways Traceable AI’s product tackles these API security problems.
- Traceable AI’s product helps customers in two different ways: first, by giving security teams an inventory of how many APIs are running externally and internally behind the perimeter, and second, by helping security teams understand the risk profile of that API inventory.
- Wesbecher takes Swapnil through the scenarios where APIs are left potentially vulnerable, such as organizations that front their applications with APIs, and organizations that connect to companies like Amazon payments, Shopify pay, or Facebook pay. He goes on to discuss the typical customer they are focusing on helping.
- While part of the challenge of API security lies in having the right technological solution, the other part is cultural. Wesbecher discusses the two main approaches to security within organizations: security for compliance and active security. He goes into detail about the sorts of organizations that fall into these categories.
- Wesbecher explains that every six or seven years a new security industry is created. He believes that API security is the next security market. He explains that the market is still in its early stages and shares what he predicts for the future.
- API security’s customers are still very much early adopters, such as those in heavily regulated industries like finance, insurance, and healthcare. Wesbecher discusses the risks of insecure APIs for companies in these sectors and how they can be affected if they fall victim to an attack.
- Wesbecher shares his predictions for the trends for the rest of 2022. He believes that although there is a potential downturn in the economic environment, threat actors will continue to attack, so it is critical to solve the problem of API security.
The summary of the show is written by Emily Nicholls.