Hi, this is your host, Swapnil Bhartiya, and welcome to our Newsroom. Today, we have with us John Leon, VP of Ecosystem and Partnerships at Apiiro. John, it's great to have you on the show.

Great to be here. Thank you so much for having me.

Yeah, and today, we are going to talk about a partnership that you folks are having with Akamai to launch Technical Alliance for delivering code to runtime API. Before we go deeper into this partnership, this announcement, let's quickly remind our viewers about Apiiro, your platform, so that they understand the value of this partnership as well.

Yeah, absolutely, Swapnil. Thank you so much. Again, great to be here. So Apiiro, let me talk a little bit about who we are, our focus area. We are an application security posture management platform. ASPM is the category. We focus on identifying the risk in the code base. Our intent, our mission is to connect into your repositories, understand developer activity, understand the complete application inventory itself to include the libraries, the languages, the data models, the security frameworks, the APIs and code. Everything, build a complete application inventory for the purpose of identifying high business impact risk. Where should I as an AppSec professional spend my time? But then also, very importantly, the remediation aspect, quickly correlating a risk back to a code owner. That's the key piece of what we're focused upon. It's very much a shift left story.

And then we talk about, once again, shift left story, we are in 2024 now. We talked a lot about the whole shift left movement in the past couple of years, especially in the whole cloud native landscape or in general cloud. Talk a bit about, I just want to quickly understand, since it's like beginning of 2024, how do you see the security landscape's evolution? And by the end year, what were some of the pain points that when we do talk about shift left movement, that also means we are pushing a lot of things in developers' pipeline.
But the fact is that there will always be security folks like you who kind of specialize. And so we cannot assume that there will be unicorn developers doing everything. There will still be soft silo within companies. So talk about the whole security landscape that you're seeing today.

Yeah, absolutely. I think you've hit upon a few points, which is the notion of modern application development. It's very, very, it's fast, it's automated. The tooling that exists for developers and operations people, very mature, very quick in terms of what we can deploy into production. I think the gate has always been and still remains to be the security side. What should I feel good about in terms of promoting into production? And I think taking a step back, this whole notion of DevSecOps, we've talked about as an industry for a while, this shift-left concept. In practice, it's very difficult. You've got different organizations, different people utilizing different tooling. If we can embrace this concept of identifying at the earliest points in time, where might be the human-inserted flaws, the design risks, as we write our first line of code, find at the earliest point of time those risks, address those concerns with the developers themselves, give them the tooling, the information, the context they need to remediate that risk and then progress thereafter. I think we've done something that can really help the velocity of the overall organization. So coming back to your question, it's a paramount problem. I, as the CSO, don't know all the developers on the staff, obviously. I've got onshore, offshore. We've acquired three companies in the last 18 months. I have a problem. I don't know everything that occurs in development, nor should I, right? But I should be able to equip my developers with the means to promote good code and do it in a way that utilizes the tooling they have in-house today.

Since we're talking developer, one more thing I want to ask, sometimes when we look at security, it kind of becomes gloomy where developers don't like to talk to security folks because security folks, they can slow things down, they can even stop things. But if you look at it from a different perspective, as you also said, enabling developers building right guardrails, sometimes actually enables them to actually freely innovate, to build applications. We don't talk about that aspect because like in general, yes, if you have very good security posture, if you have very good security tooling, developers have more freedom because they don't have to really worry about security slowing them down or stopping them. So can you talk about that aspect?

Absolutely. So a couple of things, Swapnil, you hit on a point here. We've talked about DevOps and DevSecOps, as I mentioned for years, as if it's an in-practice norm. It is not, as we know, right? It's still very, very difficult for organizations that have large development staffs, security personnel, people are very siloed, different tooling. I think if the successful companies, the successful vendors that can help to address organizational health will have the most success in our industry. And when I think about ASPM and the opportunity ASPMs have to address this longstanding pain point of bringing security teams and developers closer together, not necessarily in terms of working arm in arm, but providing them one another with contextual information that helps them make decisions in their normal day-to-day processes. If I don't have to have that meeting on Thursday afternoon at 3 p.m. with security, I as a development team, to address some questions that are very, very material, very, very important to the organization, but frankly slow down our timelines, then that's a success. If we can equip the organization to do things in a more automated, contextual, real-time format, that's fantastic. And this is the promise of ASPM.
I mean, this is the promise of why Apiiro was built, why we came to market was this specific pain point, this last mile, if you will, of application security and bringing automation to this and helping them understand what they're seeing with what's most important. Not every risk, as we know, or vulnerability is a paramount interest. Some never see production or public facing, right? But some are. And that's where we need to spend our limited time and where we need to enable our developers to do the job they need to do.

Now let's talk about, as you're saying, enable, develop, bring the tools. Let's talk about this partnership and how it's going to help API security. And also let's talk about teams, but let's also talk about things from organizational level as well, from business perspective as well.

Great, great, yeah. So let's talk a little bit about what both Apiiro and Akamai are bringing to market here. This API security, runtime API security market, fast growing. Certainly the proliferation of APIs has been dramatic. It's how apps communicate. It's how customers can access best-of-breed offerings from key vendors. But it's a security gap. It's that there's a security posture element to API security. And certainly at runtime, through analyzing network traffic, through understanding the impact of business logic, right? These are all concerns that runtime security vendors address. But it's interesting, when you look at APIs from a runtime security perspective, one of the key problem statements our customers tell us is, hey, from a visibility standpoint, we didn't realize we had another 5,000 APIs in the code base. I don't have the complete visibility I thought.
And so as we sat down with the Akamai team to address this notion of code to runtime, full scope API security, full landscape, if you will, understanding of where all the APIs are, not just in runtime and production, but also in the code base themselves and being able to then understand the posture as a whole. We hit upon something that we took to our customers early on and resonated quite well. Ah, now I've got end-to-end visibility of my APIs across all areas, every repo, great. Now I can understand contextually what I see at runtime as a risk, as a high business impact risk and how I can address that in a very fast format back to that code owner.

There are a lot of other practices, other disciplines, other, of course, we can talk about personas also. I'm talking about observability. It has evolved from logging, monitoring, traffic. But we talk about zero trust, you know, the whole approach towards that also. Can you also talk about looking at things from a more of a holistic perspective? Because once again, you know, even if the cloud broke old silos, now we are looking at these soft silos. You know, we are an observability player. We are a security player. We are, you know, we do platform engineering, we do. So how do you look at this and also because if you look at customers, you're not just looking at, hey, you know what, we offer the security solution, you go and find that observability solution or you go and get the, of course, Akamai, they acquired Linode. So they now have a whole, you know, just public cloud for their whole history with CDN security. But look at it all from a more holistic perspective. So to ease pain points of teams and where you can also either talk about partnering with other, the whole point is to reduce the pain points so that customers, yes, I like diversity, that more ecosystem players, that is better for the market, but it should not overwhelm your customers.

Yeah, no, agreed, Swapnil. I think a couple of things here.
If I just, if you think about it from the customer's perspective, the CSO's perspective, working in a large enterprise organization, the business drivers of what we can solve by looking at the complete SDLC and the completeness of how do I secure my posture across design all the way to production or runtime. I think these are very, very key elements. Now to your point, it involves a lot of people. That's a lot of organizations and departments who are building code, shipping it properly, securing it, running it, et cetera, amongst a lot of teams. I think the notion of bringing more automation to those, to that problem statement to how do I get more value and ship code in a faster way into production? How do I reduce the MTTR, the mean time to remediation, when I do discover a problem? Because inevitably I will find a problem. There will be a problem, many, many bad actors. What sort of resources can I put in place? What processes can I put in place to address this? And this is just some of what Akamai and Apiiro are hitting upon as it pertains to code to runtime API security, is this notion that it's not enough just to know where's the risk at runtime. Now I have to go figure out who owns that and who can fix it. Well, right now that means, let's go look at WAF logs. Let's take some time and spend an hour trying to figure out where does that issue reside? Then I need to go contact the development team to figure out who is that contributor. If I can shorten that MTTR by saying in an automated way with the context that Apiiro provides from ASPM, okay, this is runtime API sec with ASPM, this is the joint value. And I can go back and say, hey, ASPM, Apiiro, tell me where in the code, where in the code base is it? Where in the repository? What are the dependencies around that API and code? Who was the contributor that wrote this line of code?
If I can correlate all of that in a very, very fast real-time way, now I've done something very impactful for the CISO and for the organization because on the business standpoint, I've increased velocity. I've reduced MTTR. I'm taking something that used to be a manual triage process and I've created a velocity around it. And that's really what we're driving for at Akamai and Apiiro in this unique value proposition. I haven't seen anyone else do this, Swapnil. I think this is brand new to the market, what we're introducing here this mid-month. And so we think we've got something that really helps velocity at the end of the day.

Can you also talk about why you chose to work with Akamai?

So amazing question, great question. Akamai has been, well, as we all know, let's take a step back. A fantastic leader in the marketplace, right? Origins in CDN, content delivery networks, as we know, right? And so not the first to mind, right? Is, well, why don't we start here in terms of an API security story? I'll tell you that we've had an amazing engagement with Akamai by way of our customers. Our customer base is made up of the Fortune 100 across every vertical, banking, insurance, financial services, oil and gas, manufacturing, consumer packaged goods, you find Akamai everywhere. And as we're talking with our customers about how they're deploying API security, runtime API security tooling, we saw a theme start to permeate here, which would be great for you, Apiiro, to understand better how we might take this context that you have and implement it with what we're doing with Akamai. Great, let's have that conversation. When we reached out to the team at Akamai, it was a great conversation over the last two quarters, to be frank, the last part of 2023. We did our homework, Swapnil. We talked with customers over the last quarter and a half, brought the value proposition after the initial integration was built and the impact of response was significant, right?
We were on to something you're very, very positive. But again, I think it's customer driven is the answer, the simple answer to your question, customer driven. And that's really what brought us together.

Of course, the tools are there, technologies are there, but you can bring a horse to the lake but you cannot make it drink. Can you talk about what advice you would have for enterprise customers when we look at, let's not just look at specifically the runtime, but in general, so that they can improve their security posture and not just improve the posture. If they don't have the right posture, they cannot even leverage the tools and technologies or solutions that you can offer.

So it's not just a technology, it's not a problem that can just be solved by technology, let's start there, right? You mentioned it's a people problem, right? And it really is, it's how we as humans interact, how do we get out of our siloed mindset and so on and so forth? And we see this with customers time and again. This notion of building more mature security champions programs, right? I'm gonna insert this in the conversation, the maturity level of these programs, the good intent of trying to bring together developer and security and operations for the goodness of the organization as a whole. You know, the success rate is quite low in some cases, right? It's still a maturing effort and endeavor. I think the more that technology vendors can work together as we are with Akamai to impact culture, to impact organizational health, human interaction, I think then you're on to something. Now you can start to realize the benefits of a security posture across the entire organization by bringing that automation piece, right? By bringing that understanding, that context, that real-time context, which is really what we want as humans, right? It's why I look at my iPhone, I wanna know right now where's the best restaurant in the next five miles as I'm only here for 24 hours, right? And I'm an out-of-towner.
Same thing when it comes to our security posture. I need to know as a developer, where is it that you have the concern? Where should I break from what I'm doing to address this? Which, of course, I as the developer wanna help my organization with addressing this concern, but help me understand where it is very, very quickly with context. And I think coming full circle back to your question, it really is more about the organization, the humans, can we enable a champions program internally, an API sec champions program, if you will, by the use of our tooling? And I think also just a final note on this, I think the stickiness aspect of providing this sort of code to context capability is really, really important because customers are making decisions on acquisition of technology. If I can show you from the full SDLC, the full life cycle, design to runtime, through this technology and how it's gonna benefit your champions programs and your organizational health, I think, boy, we've hit upon something that really matters.

John, thank you so much for taking time out today. Talk about Apiiro, of course, the partnership and more importantly, the full security landscape. Thanks for all those great insights and I would love to chat with you again.

Thank you. Thank you so much, sir. Appreciate your time.