{"id":199,"date":"2021-05-05T18:50:12","date_gmt":"2021-05-05T18:50:12","guid":{"rendered":"https:\/\/connect-community.org\/\/2021-5-5-securing-apis-demands-tracing-and-machine-learning-to-analyze-behaviors-and-head-off-attacks\/"},"modified":"2021-10-14T03:54:54","modified_gmt":"2021-10-14T08:54:54","slug":"2021-5-5-securing-apis-demands-tracing-and-machine-learning-to-analyze-behaviors-and-head-off-attacks","status":"publish","type":"post","link":"https:\/\/connect-community.org\/2021-5-5-securing-apis-demands-tracing-and-machine-learning-to-analyze-behaviors-and-head-off-attacks\/","title":{"rendered":"Securing APIs demands tracing and machine learning to analyze behaviors and head off attacks"},"content":{"rendered":"<figure><a href=\"https:\/\/traceable.ai\/dana\"><img src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/5_toptoptop.jpg\" alt=\"top top top.jpg\" \/><\/a><\/figure>\n
<p class=\"\" style=\"white-space:pre-wrap;\">The use of&nbsp;application programming interfaces (APIs) across cloud-native computing and digital business ecosystems has accelerated rapidly during the COVID-19 pandemic.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Enterprises have had to scramble to develop and procure across new digital supply chains and via unproven business-to-business processes. Companies have also extended their business perimeters to include home workers as well as to reach more purely online end-users and customers.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">In doing so, they may have given short shrift to protecting against the cybersecurity vulnerabilities inherent in the expanding use of APIs. 
The cascading digitization of business and commerce has unfortunately led to an&nbsp;<a href=\"https:\/\/www.wired.co.uk\/article\/bc\/mastercard-cybercrime-ai\" target=\"_blank\" rel=\"noopener\"><strong>increase in cyber fraud and data manipulation<\/strong><\/a>.<\/p>\n<p><iframe src=\"https:\/\/www.youtube.com\/embed\/j1i5jYrd8FU\" width=\"854\" height=\"480\" scrolling=\"no\" title=\"YouTube embed\" frameborder=\"0\" allow=\"autoplay; fullscreen\" allowfullscreen=\"true\"><\/iframe><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Stay with us for Part 2 in&nbsp;<a href=\"https:\/\/www.briefingsdirectblog.com\/2021\/04\/rise-of-reliance-on-apis-brings-new.html\" target=\"_blank\" rel=\"noopener\"><strong>our series<\/strong><\/a>&nbsp;where&nbsp;<a href=\"http:\/\/www.briefingsdirect.com\/\" target=\"_blank\" rel=\"noopener\"><strong>BriefingsDirect<\/strong><\/a>&nbsp;explores how&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/API\" target=\"_blank\" rel=\"noopener\"><strong>APIs<\/strong><\/a>,&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Microservices\" target=\"_blank\" rel=\"noopener\"><strong>microservices<\/strong><\/a>, and&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Cloud_native_computing\" target=\"_blank\" rel=\"noopener\"><strong>cloud-native computing<\/strong><\/a>&nbsp;require new levels of defense and resiliency.<\/p>\n<p style=\"text-align:center;white-space:pre-wrap;\" class=\"\"><a 
href=\"http:\/\/traffic.libsyn.com\/interarbor\/BriefingsDirectMaking_APIs_Secure_Demands_Tracing_and_Machine_Learning_to_Rapidly_Limit_Damage_from_Attacks.mp3?dest-id=20179\" target=\"_blank\" rel=\"noopener\"><strong>Listen<\/strong><\/a><strong>&nbsp;to the&nbsp;<\/strong><a href=\"http:\/\/briefingsdirect.com\/making-apis-secure-demands-tracing-and-machine-learning-to-rapidly-limit-damage-from-attacks\" target=\"_blank\" rel=\"noopener\"><strong>podcast<\/strong><\/a><strong>.&nbsp;Find it on&nbsp;<\/strong><a href=\"https:\/\/itunes.apple.com\/us\/podcast\/briefingsdirect-podcasts\/id85270006\" target=\"_blank\" rel=\"noopener\"><strong>iTunes<\/strong><\/a><strong>. Read a&nbsp;<\/strong><a href=\"https:\/\/www.briefingsdirecttranscriptsblogs.com\/2021\/05\/making-apis-secure-demands-tracing-and.html\" target=\"_blank\" rel=\"noopener\"><strong>full transcript<\/strong><\/a><strong>&nbsp;or&nbsp;<\/strong><a href=\"https:\/\/www.slideshare.net\/danalgardner\/making-apis-secure-demands-tracing-and-machine-learning-to-rapidly-limit-damage-from-attacks\" target=\"_blank\" rel=\"noopener\"><strong>download<\/strong><\/a><strong>&nbsp;a copy.<\/strong><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">To learn more about the latest innovations for making APIs more understood, trusted, and robust, we welcome&nbsp;<a href=\"https:\/\/www.linkedin.com\/in\/jyotibansal\/\" target=\"_blank\" rel=\"noopener\"><strong>Jyoti Bansal<\/strong><\/a>, Chief Executive Officer and Co-Founder at&nbsp;<a href=\"https:\/\/www.traceable.ai\/\" target=\"_blank\" rel=\"noopener\"><strong>Traceable.ai<\/strong><\/a>. 
The interview is moderated by&nbsp;<a href=\"https:\/\/twitter.com\/Dana_Gardner\" target=\"_blank\" rel=\"noopener\"><strong>Dana Gardner<\/strong><\/a>, Principal Analyst at Interarbor Solutions.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Here are some excerpts:<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;Jyoti, in our&nbsp;<a href=\"https:\/\/www.briefingsdirectblog.com\/2021\/04\/rise-of-reliance-on-apis-brings-new.html\" target=\"_blank\" rel=\"noopener\"><strong>last discussion<\/strong><\/a>, we learned how the exploding use of cloud-native apps and APIs has opened a new threat vector. As a serial start-up founder in Silicon Valley, as well as a tech visionary, what are your insights and experience telling you about the need for identifying and mitigating API risks? How is protecting APIs different from past cybersecurity threats?<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;Protecting APIs is different in one fundamental way &#8212; it\u2019s all about software and developers. APIs are created so that you can innovate faster. 
You want to empower your developers to move fast using&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/DevOps\" target=\"_blank\" rel=\"noopener\"><strong>DevOps<\/strong><\/a>&nbsp;and&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/CI\/CD\" target=\"_blank\" rel=\"noopener\"><strong>CI\/CD<\/strong><\/a>, as well as microservices and&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Serverless_computing\" target=\"_blank\" rel=\"noopener\"><strong>serverless<\/strong><\/a>.<\/p>\n<figure><a href=\"https:\/\/www.linkedin.com\/in\/jyotibansal\/\"><img src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/JyotiBansalcopy.jpg\" alt=\"Jyoti Bansal\" \/><\/a><\/figure>\n
<p class=\"\" style=\"white-space:pre-wrap;\">You want developers to break the code into smaller parts, and then connect those smaller pieces to APIs \u2013 internally, externally, or via third parties. That\u2019s the future of how software innovation will be done.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Now, the way you secure these APIs is not by slowing down the developers. That\u2019s the whole point of APIs. You want to unleash the next level of developer innovation and velocity. Securing them must be done differently. You must do it without hurting developers and by involving them in the API security process.&nbsp;<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;How has the pandemic affected the software development process? Is the&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Shift-left_testing\" target=\"_blank\" rel=\"noopener\"><strong><em>shift left<\/em><\/strong><\/a>&nbsp;happening through a distributed workforce? How has the development function adjusted in the past year or so?<\/p>\n<h1 style=\"white-space:pre-wrap;\"><strong><em>Software engineers at home<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;The software development function in the past year has become almost completely work-from-home (WFH) and distributed. The world of software engineering was already on that path, but software engineering teams have become even more distributed and global. 
The pandemic has forced that to become the de facto way to do things.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Now, everything that software engineers and developers do will have to be done completely from home, across all their processes. Most times they don\u2019t even use&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Virtual_private_network\" target=\"_blank\" rel=\"noopener\"><strong>VPNs<\/strong><\/a>&nbsp;anymore. Everything is in the cloud. You have your source code, build systems, and CI\/CD processes all in the cloud. The infrastructure you are deploying to is also in a cloud. You don\u2019t really go through VPNs nor use the traditional ways of doing things anymore. It\u2019s become a very open, connect-from-everywhere software development process.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;Given these new realities, Jyoti, what can software engineers and solutions architects do so that APIs can be made safer? How are we going to bring developers more of the insights and information they need to think about security in new ways?<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;The most important thing is to have the insights. The fundamental problem is that people don\u2019t even know what APIs are being used and which APIs have a potential security risk, or which APIs could be used by attackers in bad ways.<\/p>\n<h3 style=\"text-align:center;white-space:pre-wrap;\"><strong>Learn More&nbsp;&nbsp;<\/strong><\/h3>\n<h3 style=\"text-align:center;white-space:pre-wrap;\"><a href=\"https:\/\/traceable.ai\/dana\" target=\"_blank\" rel=\"noopener\"><strong>About Traceable.ai<\/strong><\/a><\/h3>\n<p class=\"\" style=\"white-space:pre-wrap;\">And so, you want to create transparency around this. I call it turning on the lights. 
In many ways, developers are operating in the dark \u2013 and yet they\u2019re building all these APIs.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Normally, these days you have a software development team of maybe five to 10 engineers. If you are developing using many APIs, each with augmentations, you might end up with 200 or 500 engineers. They\u2019re all working on their own pieces, which are normally one or two microservices, and they\u2019re all exposing them to the current APIs.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">It\u2019s very hard for them to understand what\u2019s going on. Not only with their own stuff, but the bigger picture across all the engineering teams in the company and all the APIs and microservices that they\u2019re building and using. They really have no idea.<\/p>\n<figure><img src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/logo.png\" alt=\"logo.png\" \/><\/figure>\n
<p class=\"\" style=\"white-space:pre-wrap;\">For me, the first thing you must do is turn on the lights so that everyone knows what\u2019s going on &#8212; so they\u2019re not operating in the dark. They can then know which APIs are theirs and which APIs talk to other APIs. What are the different microservices? What has changed? How does the data flow between them? They can have a real-time view of all of this. That is the number one thing to begin with.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">We like to call it a Google Maps kind of view, where you can see how all the traffic is flowing, where the red lights are, and how everything connects. It shows the different highways of data going from one place to another. You need to start with that. It then becomes the foundation for developers to be much more aware and conscious about how to design the APIs in a more secure way.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;If developers benefit from such essential information, why don\u2019t the older solutions like&nbsp;<a href=\"https:\/\/www.traceable.ai\/glossary#waf_\/_web_application_firewall\" target=\"_blank\" rel=\"noopener\"><strong>web application firewalls (WAFs)<\/strong><\/a>&nbsp;or legacy security approaches fit the bill? Why do developers need something different?<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;They need something that\u2019s designed to understand and secure APIs. 
If you look at a WAF, it was designed to protect systems against attacks on legacy web apps, like a&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/SQL_injection\" target=\"_blank\" rel=\"noopener\"><strong>SQL injection<\/strong><\/a>.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Normally a WAF will just look at whether you have a form field on your website where someone can type in a SQL query and use it to steal some data. WAFs will do that, but that\u2019s not how attackers steal data from APIs. They are completely different kinds of attacks.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Most WAFs work to protect against legacy attacks, but they have had challenges with how to scale, and how to make them easy and simple to use.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">But when it comes to APIs, WAFs really don\u2019t have any kind of solution to secure APIs.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;In our last discussion, Jyoti, you mentioned how the burden for API security falls typically on the application security folks. They are probably most often looking at point solutions or patches and updates.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">But it sounds to me like the insights&nbsp;<a href=\"https:\/\/www.traceable.ai\/\" target=\"_blank\" rel=\"noopener\"><strong>Traceable.ai<\/strong><\/a>&nbsp;provides are more of a horizontal or one-size-fits-all solution approach. How does that approach work? 
And how is it better than spot application security measures?<\/p>\n<h1 style=\"white-space:pre-wrap;\"><strong><em>End-to-end app security<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;At Traceable.ai we take a platform approach to application security. We think application security starts with securing two parts of your app.&nbsp;<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">One is the APIs your apps are exposing, and those APIs could be internal, external, and third-party APIs.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">The second part is the clients that you yourselves build using those APIs. They could be web application clients or mobile clients that you\u2019re building. You must secure those as well because they are fundamentally built on top of the same APIs that you\u2019re exposing elsewhere for other kinds of clients.<\/p>\n<figure><img src=\"https:\/\/connect-community.org\/\/wp-content\/uploads\/2021\/10\/4_toptop.jpg\" alt=\"top top.jpg\" \/><\/figure>\n
<p class=\"\" style=\"white-space:pre-wrap;\">When we look at securing all of that, we think of it in a classic way. We think security is still about understanding and taking inventory of everything. What are all of the things that are there? Then, once you have an inventory, you look at protecting those things. Thirdly, you look to do it more proactively. Instead of just protecting the apps and services, can you go in and fix things where and when the problem was created?<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Our solution is designed as an end-to-end, comprehensive platform for application security that can do all three of these things. All three must be done in very different ways. 
Compared to legacy web application firewalls or legacy&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Runtime_application_self-protection\" target=\"_blank\" rel=\"noopener\"><strong>Runtime Application Self Protection (RASP)<\/strong><\/a>&nbsp;solutions that security teams use, we take a very different approach.&nbsp;<a href=\"https:\/\/www.traceable.ai\/blog-post\/what-runtime-application-self-protection-rasp-doesnt-solve\" target=\"_blank\" rel=\"noopener\"><strong>RASPs also have weaknesses that can introduce their own vulnerabilities<\/strong><\/a>.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Our fundamental approach builds a layer of tracing and instrumentation, and we make these tracing and instrumentation capabilities extremely easy to use, thanks to the lightweight agents we provide. We have agents that run in different programming environments, like&nbsp;<a href=\"https:\/\/www.java.com\/en\/\" target=\"_blank\" rel=\"noopener\"><strong>Java<\/strong><\/a>,&nbsp;<a href=\"https:\/\/dotnet.microsoft.com\/learn\/dotnet\/what-is-dotnet\" target=\"_blank\" rel=\"noopener\"><strong>.Net<\/strong><\/a>,&nbsp;<a href=\"https:\/\/www.php.net\/\" target=\"_blank\" rel=\"noopener\"><strong>PHP<\/strong><\/a>,&nbsp;<a href=\"https:\/\/nodejs.org\/en\/\" target=\"_blank\" rel=\"noopener\"><strong>Node.js<\/strong><\/a>, and&nbsp;<a href=\"https:\/\/www.python.org\/\" target=\"_blank\" rel=\"noopener\"><strong>Python<\/strong><\/a>. These agents can also be put in application proxies or&nbsp;<a href=\"https:\/\/kubernetes.io\/\" target=\"_blank\" rel=\"noopener\"><strong>Kubernetes<\/strong><\/a>&nbsp;clusters. In just a few minutes, you can install these agents and not have to do any work.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">We then begin instrumenting your runtime application code automatically and assess everything that is happening. 
First thing, in just a minute or two, based on your real-time traffic, we draw a picture of everything: the APIs in your system, all the external APIs, your internal microservices, and all the internal API endpoints on each of the microservices.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">This is how we assess the data flows from one microservice to a second and to a third. We begin to help you understand questions such as &#8212; What are the third-party APIs you\u2019re invoking? What are the third-party systems you are invoking? And we\u2019ll draw that all in a Google Maps kind of traffic picture in just a matter of minutes. It shows you how everything flows in your system.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">The ability to understand and embrace all of that is the first part of the Traceable.ai solution, which is very different from any kind of legacy RASP app security approach out there.&nbsp;<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Once we understand that, the second part starts: our system creates a behavioral learning model around the actual use of your APIs and applications to help you understand answers to questions such as &#8211; Which users are accessing which APIs? Which users are passing what data into it? What is the normal sequence of API calls or clicks in the web application that the users do? What internal microservices are invoked by every API? What pieces of data are being transferred? 
What volume of data is being transferred?<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">All of that comes together into a very powerful machine learning (ML) model. Once that model is built, we learn the n-dimensional behavior around everything that is happening. There is often so much traffic that it doesn\u2019t take us long to build out a pretty accurate model.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Now, every single call that happens after that, we compare against the normal behavior model that we built. So, for example, normally when people call an API, they ask for data for one user. But if suddenly a call to the same API asks for data for 100,000 users, we will flag that &#8212; there is something anomalous about that behavior.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Next, we develop a scoring mechanism whereby we can figure out what kind of attack someone might be trying to do. Are they trying to steal data? And then we can create a remediation mechanism, such as blocking that specific user or blocking that particular way of invoking that API. Maybe we alert your engineering team to fix the bug there that allows this in the first place.&nbsp;<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">That\u2019s a very different approach than most of the traditional app security approaches, which are very rules-based. Using them you would have to pre-define the rule sets and use them with regular expression matching. 
We don\u2019t need to do that.&nbsp;For us, it\u2019s all about learning the behavioral model through our ML engine and understanding whenever something is different in a bad way.&nbsp;<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;It sounds like a very powerful platform &#8212; with a lot of potential applications.&nbsp;<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Jyoti, as a serial startup founder you have been involved with&nbsp;<a href=\"https:\/\/www.appdynamics.com\/\" target=\"_blank\" rel=\"noopener\"><strong>AppDynamics<\/strong><\/a>&nbsp;and&nbsp;<a href=\"https:\/\/harness.io\/\" target=\"_blank\" rel=\"noopener\"><strong>Harness<\/strong><\/a>. We talked about that in our first podcast. But one of the things I\u2019ve heard you talk about as a business person is the need to think big. You\u2019ve said, \u201cWe want to protect every line of code in the world,\u201d and that\u2019s certainly thinking big.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">How do we take what you just described as your solution platform, and extrapolate that to protecting every line of code in the world? Why is your model powerful enough to do that?<\/p>\n<h1 style=\"white-space:pre-wrap;\"><strong><em>Think big, save the world\u2019s code<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;It\u2019s a great question. When we began Traceable.ai, that was the mission we started with. We have to think big because this is a big problem.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">If I fast-forward to 10 years from now, the whole world will be running on software. Everything we do will be through interconnected software systems everywhere. 
We have to make sure that every line of the code is secure, and the way we can ensure that every line of code is secure is by doing a few fundamental things, which are hard to do, but in concept they are simple.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Can we watch every line of code when it runs in a runtime environment? If an engineer wrote a thousand lines of code, and it\u2019s out there and running, can we watch the code as it is running? That\u2019s where the instrumentation and tracing part comes in. We can find where that code is running and watch how it is run. That\u2019s the first part.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">The second part is, can we learn the normal behavior of how that code was supposed to run? What did the developer intend when they wrote the code? If we can learn that, that\u2019s the second part.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">And the third component is, if you see anything abnormal, you flag it or block it, or do something about it. Even if the world has trillions and trillions of lines of code, that\u2019s how we operate.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Every single line of code in the world should have a safety net built around it. 
Someone should be watching how the code is used and learn what is the normal developer intent of that code. And if some attacker, hacker, or a malicious person is trying to use the code in an unintended way, you just stop it.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">That to me is a no-brainer &#8212; if we can make it possible and feasible from a technology perspective. That\u2019s the mission we are on at Traceable.ai &#8211; to make it possible and feasible.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;Jyoti, one of the things that\u2019s implied in what we\u2019ve been talking about, but that we haven\u2019t necessarily addressed, is the volume and speed of the data. It also requires being able to analyze it fast to stop a breach or a vulnerability before it does much damage.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">You can\u2019t do this with spreadsheets and sticky notes on a whiteboard. Are we so far into artificial intelligence (AI) and ML that we can take it for granted that this is going to be feasible? Isn\u2019t a high level of automation also central to having the capability to manage and secure software in this fashion?<\/p>\n<h1 style=\"white-space:pre-wrap;\"><strong><em>Let machines do what they do&nbsp;<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;I\u2019m with you 100 percent. In some ways, we have machines to protect against these threats. However, the amount of data and the volume of things is very high. You can\u2019t have a human, like a&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Security_operations_center\" target=\"_blank\" rel=\"noopener\"><strong>security operations center (SOC)<\/strong><\/a>&nbsp;person, sitting at a screen trying to figure out what is wrong.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">That\u2019s where the challenge is. 
The legacy security approaches don\u2019t use the right kind of ML and AI &#8212; it\u2019s still all about the rules. That generates numerous false positives. Every application security, bot security, RASP, and legacy app security approach defines rule sets to define if certain variables are bad, and that approach creates so many false positives and junk alerts that they drown the humans monitoring them; it\u2019s just not possible for humans to go through it. You must build a very powerful layer of learning and intelligence to figure it out.<\/p>\n<h3 style=\"text-align:center;white-space:pre-wrap;\"><strong>Learn More&nbsp;&nbsp;<\/strong><\/h3>\n<h3 style=\"text-align:center;white-space:pre-wrap;\"><a href=\"https:\/\/traceable.ai\/dana\" target=\"_blank\" rel=\"noopener\"><strong>About Traceable.ai<\/strong><\/a><\/h3>\n<p class=\"\" style=\"white-space:pre-wrap;\">The great thing is that it is possible now. ML and AI are at a point where you can build the right algorithms to learn the behavior of how applications and APIs are used and how data flows through them. You can use that to figure out the normal usage behaviors and stop them if they veer off &#8211; that\u2019s the approach we are bringing to the market.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;Let\u2019s think about the human side of this. If humans can\u2019t necessarily get into the weeds and deal with the complexity and scale, what is the role for people? How do you oversee such a platform and the horizontal capabilities that you\u2019re describing?<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Do we need a new class of security data scientist, or does this fit into a more traditional security management persona?<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;I don\u2019t think you need data scientists for APIs. That\u2019s the job of products like Traceable.ai. 
We do the data science and convert it into actionable things. The technology behind Traceable.ai itself could be the data scientist inside.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">But what is needed from the people side is the right model of organizing your teams. You hear about&nbsp;<a href=\"https:\/\/www.traceable.ai\/glossary#devsecops\" target=\"_blank\" rel=\"noopener\"><strong>DevSecOps<\/strong><\/a>, and I do think that that kind of model is really needed. The core of DevSecOps is that you have your traditional&nbsp;<a href=\"https:\/\/searchsecurity.techtarget.com\/definition\/SecOps\" target=\"_blank\" rel=\"noopener\"><strong>SecOps<\/strong><\/a>&nbsp;teams, but they have become much more developer, code, and API aware, and they understand it. Your developer teams have become more security-aware than they have been in the past.<\/p>\n<blockquote style=\"margin-left:120px;\">\n<p class=\"\" style=\"white-space:pre-wrap;\"><em>In the past we&#8217;ve had developers who don&#8217;t care about security and security people who don&#8217;t care about code and APIs. We need to bridge that from both sides.<\/em><\/p>\n<\/blockquote>\n<p class=\"\" style=\"white-space:pre-wrap;\">Both sides have to come together and bridge the gap. Unfortunately, what we\u2019ve had in the past are developers who don\u2019t care about security, and security people who don\u2019t care about code and APIs. They care about networks, infrastructures, and servers, because that\u2019s where they spend most of their time trying to secure things. 
From an organization and people perspective, we need to bridge that from both sides.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">We can help, however, by creating a high level of transparency and visibility by understanding what code and APIs are there, which ones have security challenges, and which ones do not. You then give that data to developers to go and fix. 
And you give that data to your operations and security teams to manage risk and compliance. That helps bridge the gap as well.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;We\u2019ve traditionally had cultural silos. A developer silo and a security silo. They haven\u2019t always spoken the same language, never mind work hand-in-hand. How does the data and analytics generated from Traceable.ai help bind these cultures together?<\/p>\n<h1 style=\"white-space:pre-wrap;\"><strong><em>Bridge the SecOps divide<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;I will give you an example. There\u2019s this new pattern of exposing data through&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/GraphQL\" target=\"_blank\" rel=\"noopener\"><strong>GraphQL<\/strong><\/a>. It\u2019s like an API technology. It\u2019s very powerful because you can expose your data into GraphQL where different consumers can write API queries directly to GraphQL.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Many developers who write these graphs to allow APIs, don\u2019t understand the security implications. They write the API, and they don\u2019t understand that if they don\u2019t put in the right kind of checks, someone can go and attack them. The challenge is that most SecOps people don\u2019t understand how GraphQL APIs work or that they exist.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">So now we have a fundamental gap on both sides, right? A product like Traceable.ai helps bridge that gap by identifying your APIs, and that there are GraphQL APIs with security vulnerabilities where sensitive data can potentially be stolen.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">And we will also tell if there is an attack happening. We will tell you that someone is trying to steal data. 
Once you have that data, and developers see the data, they become much more security-conscious because they see it in a dashboard that they built the GraphQL APIs from, and which has 10 security vulnerabilities and alerts that two attacks are happening.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">And the SecOps team, they see the same dashboard. They know which APIs were crafted, and that by these patterns they know which attackers and hackers are trying to exploit them. Thus, having that common shared sense of data in a shared dashboard between the developers and the SecOps team creates the visibility and the shared language on both sides, for sure.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;I\u2019d like to address the timing of the Traceable.ai solution and entry into the market.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">It seems to me we have a level of trust when it comes to the use of APIs. But with the vulnerabilities you\u2019ve described that trust could be eroded, which could be very serious. Is there a race to put in the solutions that keep APIs trustworthy before that trust gets eroded?<\/p>\n<h1 style=\"white-space:pre-wrap;\"><strong><em>A devoted API security solution<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;We are in the middle of the API explosion. Unfortunately, when people adopt a new technology, they think about its operational elements, and then security, performance, and scalability after that. Once they start running into those problems, they start challenging them.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">We are at a point of time where people are seeing the challenges that come with API security and the threat vectors that are being opened. I think the timing is right. 
People, the market, and the security teams understand the need and feel the pain.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">We already have had some very high-profile attacks in the industry where attackers have stolen data through improperly secured APIs. So, it\u2019s a good time to bring a solution into the market that can address these challenges.&nbsp;I also think that CI\/CD in DevOps is being adopted at such a rapid pace that API security and securing cloud-native microservices architectures are becoming a major bottleneck.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">In our&nbsp;<a href=\"https:\/\/www.briefingsdirectblog.com\/2021\/04\/rise-of-reliance-on-apis-brings-new.html\" target=\"_blank\" rel=\"noopener\"><strong>last discussion<\/strong><\/a>, we talked about&nbsp;<a href=\"https:\/\/harness.io\/\" target=\"_blank\" rel=\"noopener\"><strong>Harness<\/strong><\/a>, another company that I have founded, which provides the leading CI\/CD platform for developers. When we talk to our customers at Harness and ask, \u201cWhat is the blocker in your adoption of CI\/CD? What is the blocker in your adoption of public cloud, or using two or more microservices, or more serverless architectures?\u201d<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">They say that they are hesitant due to their concerns around application security, securing these cloud-native applications, and securing the APIs that they\u2019re exposing. That&#8217;s a big part of the blocker.<\/p>\n<h3 style=\"text-align:center;white-space:pre-wrap;\"><strong>Learn More&nbsp;&nbsp;<\/strong><\/h3>\n<h3 style=\"text-align:center;white-space:pre-wrap;\"><a href=\"https:\/\/traceable.ai\/dana\" target=\"_blank\" rel=\"noopener\"><strong>About Traceable.ai<\/strong><\/a><\/h3>\n<p class=\"\" style=\"white-space:pre-wrap;\">Yet this resistance to change and modernization is having a big business impact. It\u2019s beginning to reduce their ability to move fast. 
It\u2019s impacting the very velocity they seek, right? So, it\u2019s kind of strange. They should want to secure the APIs &#8211; secure everything &#8211; so that they can gain risk mitigation, protect their data, and prevent all the things that can burn your users.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">But there is another timing aspect to it. If they can\u2019t soon figure out the security, the businesses really don\u2019t have any option other than to slow down their velocity and slow down adoption of cloud-native architectures, DevOps, and microservices, all of which will have a huge business and financial impact.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">&nbsp;So, you really must solve this problem. There\u2019s no other solution or way out.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;I\u2019d like to revisit the concept of Traceable.ai as a horizontal platform capability.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Once you\u2019ve established the ML-driven models and you\u2019re using all that data, constantly refining the analytics, what are the best early use cases for Traceable.ai? Then, where do you see these horizontal analytics of code generation and apps production going next?<\/p>\n<h1 style=\"white-space:pre-wrap;\"><strong><em>Inventory, protection, proactivity<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;There\u2019s a logical progression to it. The low-lying fruit is to assume you may have risky APIs with improper authentication that can expose&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Personal_data\" target=\"_blank\" rel=\"noopener\"><strong>personally identifiable information&nbsp;(PII)<\/strong><\/a>&nbsp;and data. The API doesn\u2019t have the right authorization control inside of it, for example. That becomes the first low-hanging fruit. 
Once you put Traceable.ai in your environment, we can look at the traffic, and the learning models will tell you very quickly if you have these challenges. We make it very simple for a developer to fix that. So that\u2019s the first level.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">The second level is, once you protect against those issues, you next want to look for things you may not be able to fix. These might be very sophisticated business logic abuses that a hacker is trying to insert. Once our models are built, and you\u2019re able to compare how people are using the services, we also create a very simple model for flagging and attributing any bad behaviors to a specific user.<\/p>\n<blockquote style=\"margin-left:120px;\">\n<p class=\"\" style=\"white-space:pre-wrap;\"><em>The threat actor could be a bot, a particular authenticated user, or a non-authenticated user trying to do something that is not normal behavior. We see the patterns of such abuses around data theft or something happening around the data. We can alert you and block the threat actor.<\/em><\/p>\n<\/blockquote>\n<p class=\"\" style=\"white-space:pre-wrap;\">This is what we call a threat actor. It could be a bot, a particular authenticated user, or a non-authenticated user trying to do something that is not normal behavior. We see the patterns of such abuses around data theft or something that is happening around the data. We can alert you and we can block the threat actor. So that becomes the second part of the value progression.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">The third part then becomes, \u201cHow do we become even more proactive?\u201d Let\u2019s say you have something in your API that someone is trying to abuse through a sophisticated business logic approach. It could be fraud, for example. Someone could create a fraudulent transaction because the business logic in the APIs allows for that. 
This is a very sophisticated hacker.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Once we can figure that abuse out, we can block it, but the long-term solution is for the developers to go and fix the code logic. That then becomes the more proactive approach. 
By Traceable.ai bringing in that level of learning, that a particular API has been abused, we can identify the underlying root cause and show it to a developer so that they can fix it. That\u2019s becoming the more progressive element of our solution.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Eventually you want to put this into a continuous loop. As part of your CI\/CD process, you\u2019re finding things, and then in production, you are also finding things when you detect an attack or something abnormal. We can give it all back to the developers to fix, and then it goes through the CI\/CD process again. And that\u2019s how we see the progression of how our platform can be used.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;As the next decade unfolds, and organizations are even more digital in more ways, it strikes me that you\u2019re not just out to protect every line of code. You\u2019re out there to protect every process of the business.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">Where do the use cases progress to when it comes to things like business processes and even performance optimization? Is the platform something that moves from a code benefit to a business benefit?&nbsp;<\/p>\n<h1 style=\"white-space:pre-wrap;\"><strong><em>Understanding your APIs<\/em><\/strong><\/h1>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;Yes, definitely. We think that the underlying model we are building will understand every line of code and how it is being used. We will understand every single interaction between different pieces of code in the APIs and we will understand the developer intent around those. How did the developers intend for these APIs in that piece of code to work? Then we can figure out anything that is abnormal about it.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">So, yes, we are using the platform to secure the APIs and pieces of code. 
But we can also use that knowledge to figure out if these APIs are not performing in the right kinds of way. Are there bottlenecks around performance and scalability? We can help you with that.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">What if the APIs are not achieving the business outcomes they are supposed to achieve? For example, you may build different pieces of code and have them interact with different APIs. In the end, you want a business process, such as someone applying for a credit card. But if the business process is not giving you the right outcome, you want to know why not? It may be because it\u2019s not accurate enough, or not fast enough, or not achieving the right business outcome. We can understand that as well, and we can help you diagnose and figure out the root cause of that as well.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">So, definitely, we think eventually, in the long-term, that Traceable.ai is a platform that understands every single line of code in your application. It understands the intent and normal behaviors of every single line of code, and it understands every time there is something anomalous, wrong, or different about it. You then use that knowledge to give you a full understanding around these different use cases over time.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Gardner:<\/strong>&nbsp;The lesson here, of course, is to know yourself by letting the machines do what they do best. It sounds like the horizontal capability of analyzing and creating models is something you should be doing sooner rather than later.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">It\u2019s the gift that keeps giving. There are ever-more opportunities to use those insights, for even larger levels of value. It certainly seems to lead to a virtuous adoption cycle for digital business.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><strong>Bansal:<\/strong>&nbsp;Definitely. I agree. 
It unlocks and removes the fear of moving fast by giving developers freedom to break things into smaller components of microservices and expose them through APIs. If you have such a security safety net and the insights that go beyond security to performance and business insights, it reduces the fear because you now understand what will happen.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">We see the benefits again and again when people move from five monolithic services to 200 microservices. But now, we just don\u2019t understand what\u2019s going on in the 200 microservices because we have so much velocity. Every developer team is moving independently, and they are moving 10 times faster than they have been used to. We just don\u2019t understand what is going on because there are 200 moving parts now, and that\u2019s just for microservices.<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">When people start thinking of serverless,&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Function_as_a_service\" target=\"_blank\" rel=\"noopener\"><strong>Functions<\/strong><\/a>, or&nbsp;<a href=\"https:\/\/www.briefingsdirectblog.com\/2018\/01\/infatuation-leads-to-lovehow-container.html\" target=\"_blank\" rel=\"noopener\"><strong>similar technologies<\/strong><\/a>,&nbsp;the idea is that you take those 200 microservices and break them into 2,000 micro-functions. And those functions all interact with each other. 
You can clip them independently, and every function is just a few hundred lines of code at most.<\/p>\n<p>   <iframe class=\"embedly-embed lazyload\" data-src=\"\/\/cdn.embedly.com\/widgets\/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2Fj1i5jYrd8FU%3Ffeature%3Doembed&#038;display_name=YouTube&#038;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dj1i5jYrd8FU&#038;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fj1i5jYrd8FU%2Fhqdefault.jpg&#038;key=61d05c9d54e8455ea7a9677c366be814&#038;type=text%2Fhtml&#038;schema=youtube\" width=\"854\" height=\"480\" scrolling=\"no\" title=\"YouTube embed\" frameborder=\"0\" allow=\"autoplay; fullscreen\" allowfullscreen=\"true\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-load-mode=\"1\"><\/iframe><\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\">So now, how do you start to understand the 2,000 moving parts? There is a massive advantage of velocity, and reusability, but you will be challenged in managing it all. If you have a layer that understands and reduces that fear, it just unlocks so much innovation. It creates a huge advantage for any software engineering organization.&nbsp;<\/p>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"http:\/\/traffic.libsyn.com\/interarbor\/BriefingsDirectMaking_APIs_Secure_Demands_Tracing_and_Machine_Learning_to_Rapidly_Limit_Damage_from_Attacks.mp3?dest-id=20179\" target=\"_blank\" rel=\"noopener\"><strong>Listen<\/strong><\/a><strong>&nbsp;to the&nbsp;<\/strong><a href=\"http:\/\/briefingsdirect.com\/making-apis-secure-demands-tracing-and-machine-learning-to-rapidly-limit-damage-from-attacks\" target=\"_blank\" rel=\"noopener\"><strong>podcast<\/strong><\/a><strong>.&nbsp;Find it on&nbsp;<\/strong><a href=\"https:\/\/itunes.apple.com\/us\/podcast\/briefingsdirect-podcasts\/id85270006\" target=\"_blank\" rel=\"noopener\"><strong>iTunes<\/strong><\/a><strong>. 
Read a&nbsp;<\/strong><a href=\"https:\/\/www.briefingsdirecttranscriptsblogs.com\/2021\/05\/making-apis-secure-demands-tracing-and.html\" target=\"_blank\" rel=\"noopener\"><strong>full transcript<\/strong><\/a><strong>&nbsp;or&nbsp;<\/strong><a href=\"https:\/\/www.slideshare.net\/danalgardner\/making-apis-secure-demands-tracing-and-machine-learning-to-rapidly-limit-damage-from-attacks\" target=\"_blank\" rel=\"noopener\"><strong>download<\/strong><\/a><strong>&nbsp;a copy. Sponsor:&nbsp;<\/strong><a href=\"https:\/\/www.traceable.ai\/\" target=\"_blank\" rel=\"noopener\"><strong>Traceable.ai<\/strong><\/a><strong>.<\/strong><\/p>\n<h2 style=\"white-space:pre-wrap;\"><strong>YOU MAY ALSO BE INTERESTED IN:<\/strong><\/h2>\n<ul data-rte-list=\"default\">\n<li>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"https:\/\/www.briefingsdirectblog.com\/2021\/04\/rise-of-reliance-on-apis-brings-new.html\" target=\"_blank\" rel=\"noopener\"><strong>Rise of APIs brings new security threat vector &#8212; and need for novel defenses<\/strong><\/a><\/p>\n<\/li>\n<li>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"https:\/\/traceable.ai\/dana\" target=\"_blank\" rel=\"noopener\"><strong>Learn More About the Technologies and Solutions Behind Traceable.ai.<\/strong><\/a><\/p>\n<\/li>\n<li>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"https:\/\/www.traceable.ai\/blog-post\/what-threat-vectors-get-addressed-with-zero-trust-application-security?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Three Threat Vectors Addressed by Zero Trust App Sec<\/strong><\/a><\/p>\n<\/li>\n<li>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"https:\/\/www.traceable.ai\/blog-post\/web-application-security-is-not-api-security?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" 
rel=\"noopener\"><strong>Web Application Security is Not API Security<\/strong><\/a><\/p>\n<\/li>\n<li>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"https:\/\/www.traceable.ai\/blog-post\/does-sast-deliver-the-challenges-of-code-scanning?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Does SAST Deliver? The Challenges of Code Scanning.<\/strong><\/a><\/p>\n<\/li>\n<li>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"https:\/\/www.traceable.ai\/blog-post\/everything-you-need-to-know-about-authentication-and-authorization-in-web-apis?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Everything You Need to Know About Authentication and Authorization in Web APIs<\/strong><\/a><\/p>\n<\/li>\n<li>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"https:\/\/www.traceable.ai\/blog-post\/top-5-ways-to-protect-against-data-exposure?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>Top 5 Ways to Protect Against Data Exposure<\/strong><\/a><\/p>\n<\/li>\n<li>\n<p class=\"\" style=\"white-space:pre-wrap;\"><a href=\"https:\/\/www.traceable.ai\/blog-post\/traceai-machine-learning-driven-application-and-api-security?utm_source=partnersite&amp;utm_medium=podcast&amp;utm_term=episode-01&amp;utm_content=&amp;utm_campaign=gardner\" target=\"_blank\" rel=\"noopener\"><strong>TraceAI : Machine Learning Driven Application and API Security<\/strong><\/a><\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p class=\"\">Learn how APIs, microservices, and cloud-native computing require new levels of defense and 
resiliency.<\/p>\n","protected":false},"author":1,"featured_media":195,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"content-type":"","footnotes":""},"categories":[16,17,411,24,43],"tags":[80,206,207,4,48,208,7,8,15,204,203,53,124,205],"coauthors":[],"class_list":["post-199","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai","category-big-data","category-blog","category-devops","category-security","tag-ai","tag-api","tag-api-first","tag-briefingsdirect","tag-cloud","tag-cyber-security","tag-dana-gardner","tag-digital-transformation","tag-interarbor-solutions","tag-microservices","tag-secops","tag-security","tag-technology","tag-traceable","category-16","category-17","category-411","category-24","category-43","description-off"],"_links":{"self":[{"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/posts\/199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/comments?post=199"}],"version-history":[{"count":0,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/posts\/199\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/posts\/195"}],"wp:attachment":[{"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/media?pare
nt=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/categories?post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/tags?post=199"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/connect-community.org\/wp-json\/wp\/v2\/coauthors?post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}