API threats are clearly on the rise, and a recent report from Traceable.ai puts numbers on it: of the respondents to its API Security survey who said they had suffered API breaches or exploits, 74% had experienced three or more in a 24-month period. Yet responses about who within the organization is responsible for securing APIs, and how to go about tackling the problem, remain fragmented.
In this episode of TFiR: Let’s Talk About AI, Richard Bird, Chief Security Officer at Traceable, discusses the challenges of API security and walks through the key findings from the 2023 State of API Security: A Global Study on the Reality of API Risk. He goes on to explain how Traceable’s security suite helps protect enterprise data and helps organizations get ahead of bad actors.
Key highlights from the video interview:
- Bird introduces API security platform company Traceable.ai and its founders, Jyoti Bansal and Sanjay Nagaraj. He describes their earlier success with the application performance monitoring platform AppDynamics and how that experience led to the creation of Traceable.ai, which aims to tackle API threats and risks.
- Bird talks about the changes he has seen in security over a career of more than 35 years. He describes the trend of virtualizing upward, first in compute, processing and storage, and now everything at layer 7. Although applications now interact with each other through APIs, Bird explains that security in this area has struggled to keep pace.
- The survey found that, of the companies reporting a data breach in the past two years, 74% had experienced three or more API-related exploits or breaches in that period. Even so, the majority of companies are not doing anything to combat this.
- Bird discusses the main reasons for the gap between API security threats and action taken: a lack of resources and money to address the problem, bad actors who are opportunistic while security organizations are not agile enough, the need to rethink how technology works today, and the fact that APIs represent a universal attack layer.
- One of the challenges with API security is that no governance, policy framework, or security guidelines are being applied to the API space. Bird notes that solution providers, bad actors, and organizations are therefore all learning on the job, and that enterprises need to look at the different ways they can reduce the threat of attack.
- Bird explains the fragmentation in who people think is responsible for API security. According to the report, 20% of respondents felt it falls under the CISO’s remit and 17% believed it belongs to CIOs and CTOs, while one in five believed it is part of a much broader technology problem. He discusses how this fragmentation is itself part of the problem.
- The report found that medium-sized enterprises often say they do not have the same security budget as larger enterprises, and Bird explains why this argument is flawed. He discusses third-party risk and how threats to a small company that cannot secure its APIs can have implications for the larger companies in its supply chain.
- Bird explains how Traceable uses AI to sift through the enormous volume of data about an organization’s APIs, pinpoint the moment a threat appears or a risk is exploited, and present it to the security analyst with context. He goes into detail about the role of automation in Traceable’s solution and how the technologies in its suite can get organizations ahead of bad actors.
- Many enterprise organizations are working out how to protect corporate data from being exposed to public or open AI engines, and Bird describes how Traceable helps customers protect their data. He goes on to explain how Traceable uses computational AI to narrow down the set of variables and information associated with a specific threat.
This summary was written by Emily Nicholls.