Hello, folks, I'm Vijoy and welcome to KubeCon. And I'm here to ask Marvin about where my secure APIs are. It's also an ask for the community to step up our application security game. But before we begin, we have to ask, so who is Marvin? If you haven't read the Hitchhiker's Guide to the Galaxy, go and get a copy now. Marvin is a robot with a brain the size of a planet. By his own account, he's at least 50,000 times smarter than a human. But he's being made to park cars, pick up papers, check airlocks, not really job satisfaction worthy. Since he is built with genuine people personality or GPP tech, he also has human emotions. So he gets depressed with all of this mindless work. But most importantly, he is a paranoid android. And all of these properties make him very suited for the state of affairs around API security, as you shall find out.

But first, a little bit of historical context around the transformation to cloud native. As we all know, app architectures are changing from monolithic, bare metal, or VMs to composable or cloud native. Therefore, infrastructure is changing from monolithic to composable as well. And so are the operational paradigms and organizational structures. Over the last three KubeCons, we have discussed how the network needed to evolve to handle this transformation to cloud native through the Network Service Mesh project.

And today, we're looking at this cloud-native developer as she is building her new app, moving fast, utilizing the trove of APIs from public cloud providers, SaaS providers, and other services. She is faced with the dependency graph complexity of a modern globally distributed microservice-based app. Security in such an architecture is a modern brain-size problem. By the way, this is the microservice dependency graph of the Monzo banking app. And as she uses these globally distributed APIs, which are either homegrown or from external providers, the quality and security of these remote services are often unknown.
The pivot on API reputation is not inherently part of the CI/CD process, which might put your customer's data eventually at risk. This risk causes all kinds of unwanted behavior. Developers want convenience and velocity. Security, SRE, SecOps, and CISOs pound the table for reviews. And I'm still unsure whether the 2,000 APIs being used are safe or compliant. Platform and cloud engineers are always worried that insecure code has been pushed to prod. And all of these reviews and gates and meetings just add complexity and opacity to the simple job of developing and deploying fast. Seeing all of this, Marvin, the paranoid android, with the weight of the world on his shoulders, steps in with this depressing quote.

Wouldn't it be nice if there really was a Marvin with a planet-size brain who could be observing the entire application lifecycle from repo to runtime and identify the risks of using an API to all the teams concerned, report that risk to security, SRE, SecOps, and CISOs, and maybe even remediate that risk to customer data before it happens? Now that is indeed a Marvin-sized problem. But do not underestimate Marvin. He could simultaneously plan the entire planet's military strategy and solve all of these major problems of the universe three times over. And in parallel, also compose a number of lullabies. If he could do all of that, he could surely solve for the application and API security problem.

So what would the app lifecycle look like if we had this Marvin? The developer would pick Marvin-curated APIs and move fast, fast, fast. Marvin would notify security teams of possible issues and remediations continuously. And cloud platform teams could rest easy, knowing they can report compliance in a real-time manner. And how would we train this Marvin? What are its boundary conditions? What are its parameters? First and foremost, we have to realize that it's all about protecting your customer's data.
The open internet is really the runtime for all modern cloud-native apps. Security attacks risk both clients and users, and other services and applications. And the new perimeter of apps and security is really diffuse and almost narrows down to an API or data object.

What would be some of the app-specific questions we could ask this Marvin? Is the correct in-house service, image, or artifact being used in creating a new app? Are we integrating with compliant third-party APIs? Are we tracking RPC calls to make sure we do not import nefarious data? And are we using MITRE and OWASP attack taxonomies to ensure safety for our apps?

Some of the broader questions we have to ask ourselves as a community could be: if a distributed app does get broken into, do we have all the tooling to drive mean time to detect and debug down? Can we formally model and verify the correctness of the logic in our business apps, even across layers? Can we, the community, help spread the word on API misuse? If we aren't able to step up to the plate and answer these questions, I'm afraid Marvin has this to say to you.

Thank you for listening. Please reach out to me. I would love to continue the conversation. Visit us at the Cisco booth, where we have demos on app security, app and infra observability, cloud-native networking, and a lot more. And we are hiring. And we would love to have you on board. Thank you.