A New API Security Solution – Techstrong TV
Traceable is introducing what it describes as the industry’s first free API security solution. The solution applies insights from distributed tracing and machine learning to understand the DNA of applications and how they are changing in real time, and to identify anomalies in order to detect and block both legacy and new threats.
Announcer: This is Digital Anarchist.
Alan Shimel: Hey, everyone. Welcome to another segment here on Techstrong TV. My guest this segment is a repeat guest here on our show. You’ve seen him. He’s the founder of AppDynamics, he’s the founder of Harness, Harness, of course, being a unicorn in the CI/CD space, AppDynamics now part of Cisco, and his latest company, Traceable AI.
Traceable AI we’ve been following here I think almost since they announced it or even before they announced it, is a player in the very rapidly expanding API security space, and we’re going to talk about that a little bit. Welcome, Jyoti Bansal. Hi, Jyoti. How are you?
Jyoti Bansal: I’m doing great. Great to be back here talking to you.
Alan Shimel: It’s great to have you on, Jyoti. It’s always great to have you on. So Traceable AI. Look, there’s some people in the world who just really are able to focus in on where there’s need, where there’s things that could be done better, and you’ve made your career over this, right? First it was how do we do APM and that kind of thing better, and then it was CI/CD. It was time for a change, right?
It was obviously a very important piece of the software development lifecycle, but it needed to be modernized. It needed to be better. And of course Harness is that. And then we look at Traceable, and again, you took kind of trace technology, which is not necessarily new or revolutionary, but you took this trace technology and applied it to really a problem that is I think a lot of people don’t even recognize how big a problem it is quite yet, and that is API security. We’ve seen a proliferation of APIs over the last, let’s say, five years, seven years.
APIs rule the world, right? Everything talks to each other and they all talk to each other via API. And I think we’re just beginning to recognize now the security implications of not adequately managing and securing these APIs. So again, uncanny ability to focus in on where there’s problems here. Congratulations to you with that.
Jyoti Bansal: Thanks, Alan. I think to me it’s about solving some of the bigger problems that as the software engineering organizations, as IT teams we face. I’m a huge believer that software is changing and transforming every business, every industry. We all know that by now. But you have to solve some of the bigger problems there. When I started AppDynamics I always talk like things slow down all the time in the software code, and it’s getting harder and harder to troubleshoot things and we need to have the right kind of tools to do that.
When I started Harness the reason was simple, that everyone hated their CI/CD systems, like no one had a good CI/CD that they liked. I was running software engineering teams and I hated it, and everyone I talked to hated it. So I said it’s time to rethink and redesign CI/CD. What we are doing at Traceable with the API security is very different. As you said, APIs are everywhere. APIs are the fundamental foundation of how modern software engineering is done.
It’s the foundation of cloud native, foundation of DevOps, foundation of microservices. The entire notion is that you can bake your code into smaller pieces that could be deployed independently, that could be run by small teams. It’s not monolith in terms of how your engineering teams are structured, but for these different smaller pieces of code to talk to each other you have APIs. And APIs are not just internal. You can extend it to the external APIs that if you want to talk to someone else’s software systems you talk to their APIs.
So we have APIs everywhere, which is great. APIs are beautiful. That’s what drives the velocity and innovation, that drives the reusability. But they create such a massive attack vector right now. A lot of people underestimate how much risk is out there if they can’t secure the APIs, if they don’t understand the APIs well, and I do think that’s a big, big challenge that needs to be addressed.
Alan Shimel: Absolutely. Traceable has made a lot of progress. Has it been a year? It was definitely a year, because I remember interviewing you and Sanjay and it was already COVID, so it had to be about a year, right?
Jyoti Bansal: Yeah, it’s about a year when we launched the company, and we made tremendous progress in the last year, lots of happy, successful customers and installations as we kind of have been developing our project in partnership with these early, early prospects and early customers. We also had investments from many of the CISOs themselves, like some of the top CISOs, which are part of the CISO Silicon Valley CISO Group invested personally in Traceable. That was a great validation for us and to work with them. We are very excited to really keep announcing new API capabilities into our offering, and that’s what I’m – especially this week. We made a big announcement which I would love to share.
Alan Shimel: Well, you’ve already let the cat out of the bag. You might as well go ahead with it. Share with us.
Jyoti Bansal: Well, the main thing is that we are making it free. We are offering a free version of the Traceable software. Like if you look at our technology, it’s extremely complex in the sense that we could easily go and watch every single API call, we bring the foundation of distributed tracing to do that, but then we combine that with very, very powerful AI learning engines, which learn what is the normal behavior of every single API call, which users call those APIs, what is the pattern of invocation of APIs, what data gets transferred, which APIs have sensitive data, which APIs call third party backend systems and pass data around to them – all of that is in this kind of multidimensional AI learning model we learn it on. So that allows us to understand the behavior of the APIs, but then to protect them in real time, unlike any other product in the market that would do that.
But one thing we did realize was that to serve the entire developer community much better we should bring a free version of our product to the market and give people an easy way to get started. So over the last six months or so our team worked very hard on making it extremely easy to consume. So with the offering that we launched this week, in less than 10 minutes you can get full visibility inside your APIs. So you install our agents, which will automatically discover your APIs and give them a risk score on hundreds of different factors: which APIs have what kind of risk based on vulnerabilities, based on what kind of dataflow they have, what usage pattern they have, how they are secured, how they are authenticated – all sorts of factors. They will show you these are the risk factors associated with every API.
We’ll also give you insight, like which APIs have sensitive data, how the sensitive data flows from one API to another to another, and you start getting protection right away. These APIs are protected against the most common attacks that happen. And all of that in less than 10 minutes and available for free so that we can get a lot of the engineering teams and a lot of the application security teams to become much more aware of API security challenges and give them democratized access to API security from there.
Alan Shimel: I love it. I love it on multiple levels, Jyoti, and I’ll tell you why. We’ll discuss the free aspect of it in a moment, but let’s talk about the fast aspect. Free and fast, right? Two Fs. The fast aspect of it is really important. Because when we’re talking about API security, we were on a – I appeared on the Traceable video conference around this launch last week, and what to me – and I still believe this as I sit here today, the biggest issue we have around API security is that people don’t know what they don’t know. They don’t know how many APIs they’ve got out there.
They don’t know what the settings on those APIs are. You can’t defend something if you don’t know it’s there. And to me these APIs represent just a huge new attack surface that the bad guys can use, and if you’re not aware of what that surface is and what it looks like, you’ve got trouble. And so the ability to, in 10 minutes, turn on and understand and visualize your attack surface, and not even just see the pure surface but to really understand where the vulnerabilities are, where the holes are, that is incredibly powerful. Because forewarned is forearmed, right? That to me is just incredible.
Jyoti Bansal: Definitely. And you’re right, that is the number one challenge that we see. Because what has happened in almost every company, they’ve allowed developers to go and create a lot of API, which is really great because now you’re moving fast and they’re shipping new code fast and everything is getting more microservices with APIs. But the challenge is people don’t understand which APIs are there.
Like many of these companies, when we talk to our customers, they are like, “Our number one problem is we don’t even know how many APIs we have, which APIs have sensitive data or which APIs are risky, which APIs are authenticated properly, which APIs are not, which APIs are designed properly, which APIs are not.” So that’s where we have to start with. That’s the first starting point.
Alan Shimel: No doubt about it. It is. That to me is – and if you can do that in 10, 15 minutes, my god, how great that is. But let’s talk about the free aspect for a moment, Jyoti. And that is again another reason why I love this new release. In today’s world, it used to be that people thought open source was free as in beer and free as in freedom in that the code was free for you to change and look at and do, but it was also free in beer in that it didn’t cost anything.
But the fact of the matter is the lessons we’ve learned in open source over the last 20, 25 years is that there is a total cost of ownership to software. Whether it’s open or free or not, there’s a TCO involved. And quite frankly, that TCO can be many, many more times than just the pure cost of the software. Right? The operations of it and everything else. And so I think people recognize that.
They understand that lunch isn’t free. We give you a free piece of software. It’s not that, oh, you got one over on me and what a great value. Really what it’s about is lowering the barrier to people getting their hands and seeing if this is valuable or not.
And I think the way the world works today is if you give me the software in my hands and it delivers delight, I see the value in it, I don’t mind paying for it. I should pay for it. Someone worked on that. They’re entitled to make a dollar on their effort.
Jyoti Bansal: Definitely. And the market understands that.
Alan Shimel: Yeah.
Jyoti Bansal: But people want to get started for free without committing something to it. Say if you don’t know the software is going to work for you or not, and you have the process of you get a week trial, a two-week trial from the vendor and that’s a very curated handhold process, and you go and now you can decide you want to buy something or not and you have to go through a long implementation cycle after that. That’s what we want to completely change, that you can get started for free. The developers, the app security engineers, the product security engineers, they can sign up and in 10 minutes they can get started and they can start using our product.
And if they’re seeing the value, they see if it works, they see it’s doing what they thought our product would do, now they can go and buy more advanced capabilities and more scale _____. So for us obviously free is the way for people to get started, and we want to make sure that people do get the value and they get comments and the friction and the barrier to entry gets lower and lower, and then if people like the products people don’t mind paying, as you said. So at some point people will pay for sure.
Alan Shimel: I think back when I was founding companies and involved in a lot of open source stuff. There was a lot of controversy back then about is there a successful open source or free software business model, because they used to say Red Hat’s the only company that was successful with it. But of course that’s not true anymore. There are plenty of business models that involve free or open source software that are very successful. And again, I think the fundamental switch that changed is people understand if they get good value out of software it’s worth something. Because there was that other school of thought, an older school of thought, Jyoti, where people used to say, “I value what I pay for it, so if I didn’t pay for it I don’t value it.”
I think that’s history. That’s a dinosaur kind of model. I think the other thing is that people also recognize that when they do pay for it they get versions or features – you want to call it open core, you want to call it freemium, whatever – but they get features that you don’t get in the free version that give you even more functionality and perhaps more enterprise-type functionality. And I know that’s the case with the Traceable product. You want to give us some examples?
Jyoti Bansal: Yeah, yeah. So what we do is our free product is very, very powerful, in that it gives you a lot of the capabilities around API discovery. It gives you API DNA, where we learn the anomalies for every API. We provide risk scoring, we provide protection there. But some of the more sophisticated professional capabilities would be in the paid editions. The second is scale.
Our free product will be limited to about 40 API endpoints. So a software engineering team with maybe somewhere around 5 to 10 microservices, maybe 5 to 10 developers, they can start getting visibility into their APIs. If they want to get into sort of a much wider visibility with many more API endpoints then you have to upgrade to our paid editions as well. The main thing that we wanted to solve was what I found very strange is that in cybersecurity the products don’t have that motion as much in the world of DevOps.
I come from the world of DevOps with AppDynamics and Harness, and in the world of DevOps, we want to get the product in the hands of the developers and software engineers and get them to use it, try it, and people want to do that before they talk to a salesperson. In the world of cybersecurity, most products don’t do that. Most products are much more top down: you talk to the CISO and the CISO will go and sponsor a POC, and it’s a much more heavyweight cycle. But you can see that switch happening. Now you’re moving to a DevSecOps world where the world of DevOps and the world of cybersecurity are starting to collide together.
And now your security folks are asking the same questions, like why can’t – because they’re coming from the DevOps world. They’re really closer to the DevOps side of things and they’re starting to see how the products on the DevOps side are completely – there’s a free open source code data directly to the practitioner, directly to the engineer, give the product in their hands. That’s a very common approach. That’s how it works –
Alan Shimel: That’s a dominant approach.
Jyoti Bansal: Yeah, exactly. So what we are doing is let’s bring the same approach to cybersecurity as well, especially when we look at API security and app security. That’s how we should be thinking of. Even though these are security engineers they are starting to really adopt the similar kind of model. Some people will come and tell us, “Hey, no that’s not how it works in security.
You have to design it to go to the CISO statically always.” And people don’t download and sign up and try products on their own. We don’t believe in it.
Alan Shimel: I don’t agree with that either.
Jyoti Bansal: We want to change that.
Alan Shimel: So Jyoti, I’ve been in security 25 years – over 20 years, and as I mentioned last week there was a long history of open source software, tools like Nmap, which was really kind of the first scanner. Nmap. Nessus. Snort for IPS. ClamAV was one of the first – not one of the first, but a very successful antivirus endpoint.
There were great open source tools in every kind of silo of security. But the same dynamics that were at play in DevOps and in the development and testing world are the same dynamics that we’re seeing in security now, which is there’s not enough security people. Hiring good security people’s hard. You pay them a lot of money. And it’s more than money.
They want to be in an environment where they get to pick their tools. Right? They want to work with good tools that they like to work with. And you’re paying these people and putting them in trusted positions. So when the CISO needs to pick a security tool, he can go to Gartner or Forrester or one of those kind of places and see what they say, but he’s just as likely – he trusts these people that he’s paying hundreds of thousands of dollars a year to be a security person.
And if that’s the tools they’re saying these are the tools I want to use, the CISO would be a fool not to want to use those tools. So I do think – I agree with you. It’s changing. It can’t happen soon enough.
Jyoti Bansal: Yeah. And that’s what we are driving. So that’s why we’re very excited. A simple, easy offering that goes directly to the developers, DevOps engineers, app security engineers, DevSecOps engineers, because it’s also the boundaries are getting blurred.
Alan Shimel: Oh, yeah.
Jyoti Bansal: Like who’s securing the applications, who’s securing the APIs? So whoever it is, if you’re an engineer who is concerned about those, we encourage you to –
Alan Shimel: Check it out.
Jyoti Bansal: Yeah, check it out, sign up. No cost to you. In less than 10 minutes you’ll start understanding visibility, insight, what’s happening with your APIs.
Alan Shimel: Jyoti, for people who want to do it, where do they go?
Jyoti Bansal: Go to Traceable.ai, our website, to sign up.
Alan Shimel: Right on the front page.
Jyoti Bansal: Yes.
Alan Shimel: Fantastic. Hey, I’ll say it for the third time. I love this. I love this release, I love this model, I like what you guys are doing. I can’t wait to see how successful it is. Best of luck with it. Come on and keep us posted though, okay?
Jyoti Bansal: Definitely I will. Thank you.
Alan Shimel: Alrighty. Thank you as always. Jyoti Bansal here on Techstrong TV. Go check out the free version of Traceable AI. Find out what you don’t know about your APIs out there. We’re going to take a break. We’ll be right back with another guest.
[End of Audio]