Hi, this is your host, Samil Bahartiya, and welcome to TFR Newsroom, and today we have with us once again, Rupesh Chokshi, SVP and GM of Application Security at Akamai. Rupesh, it's great to have you on the show.

Great, Samil, really appreciate it. Happy New Year, and thank you for having me back on the show.

Today we are going to talk about an alliance or partnership you folks have with Apiiro that you folks announced today. But before we dive into that partnership, I would love to know a bit about the state of API security. Let's talk about how you have seen the whole evolution of the threat landscape in, you know, the past one year. We are in 2024, but I just want to know where we are today when it comes to API security.

As we have talked about it, this sort of modernization of applications and the digitally connected economy that we live in, APIs are the backbone of applications, and we're seeing continuous kind of expansion in this space. So then you say, okay, you know, how does API security sort of enable or help these business processes to be a lot more, you know, effective, efficient, secured, protected? And the work that we have done in the industry is a lot of focus on the detection, the discovery, you know, there's a lot of effort that goes on in trying to figure out, you know, where the abuse is taking place, what is the, you know, mitigation strategy, the remediation, etc. So both the industry sort of, you know, coming together, obviously Akamai plays a big role, you know, Apiiro and others play a big role. And on the science and the technology side, you know, a lot of focus with, you know, AI and behavior analytics and other capabilities to really identify those, you know, threats and, you know, attack vectors, etc.

And when we look at API security, how challenging, how difficult is API security versus traditional security? What are the challenges that are associated when it comes to detecting threats related to APIs?

Definitely, we have seen a lot of different, you know, types of attacks that have been sort of, you know, data breaches that have been sort of, you know, malware put forward, there have been situations where, you know, certain customer APIs are getting abused, which is sort of almost a mini, you know, denial of service attack kind of a capability, right? So what we are seeing is lots of different ways of disrupting the way customers utilize APIs, do business and serve their end clients. Now, it is getting more and more difficult for sure, because of just the massive expansion of it, right, in terms of there are so many B2B applications that are constantly communicating. Just think about it, right, as a user, if I'm going through a banking application or a mortgage or a financial transaction, there are so many checks and validations that are happening behind the scenes and all of these are driven by APIs. So trying to go and figure out, right, from a behavioral perspective, from an anomaly detection perspective, from patterns, from looking at, you know, what is being abused, what is not being abused, what are valid transactions or not, and all of this is happening at a very fast pace, right? So you have to be sort of, you know, very, very robust on your detections and then from detections to mitigations and the remedies that we need to put forward. So this whole kind of life cycle, it's a multi-layered approach, you know, lots of focus in this space. And I think it's difficult, but we are here and the technologies that the folks are providing are continuing to kind of keep at pace and superior to what we need.

Now, let's talk about what kind of solutions are there from Akamai and also the importance of the kind of cultural aspect, because you can bring a horse to the lake, but you cannot make it drink if it doesn't want to drink. So talk a bit about that part and also that when it comes to security, it's not an end product or a destination, it's a process and a journey.

Absolutely.
You know, it's definitely, it's definitely a journey and, you know, the bad guys are finding new ways to continue to kind of figure out what they need to do and monetize, and the good guys and the government agencies across the board, working together, right? So companies like Akamai, Akamai security play a heavy role. So there's a couple of things, right? One is just the amount of sort of, you know, data and visibility that we have. We are able to discover the APIs. We're able to look at the traffic patterns and kind of do it in kind of big data sets and be able to utilize, you know, AI or behavioral analytics or other capabilities that our researchers put forward. There is also the ability to kind of store some of this granular historical data and then go back and do some more, you know, threat hunting or trying to figure out, right? Let's go study these patterns and what happened, what didn't happen. What I often see from a customer perspective is just even the discovery and the visibility. Just tell me everything that I have in runtime, right? Is a big step forward. And from there, tell me where I have problems or did I have a BOLA attack or did I have any kind of, you know, blips and go help me understand where do I go all the way back from a shift left perspective into the code to the developer and have the ability to kind of remediate that, fix that. And you want to do all of these things in a very kind of rapid manner. So what we have been doing is, you know, we've deployed a native connector where we can take all of the traffic from the Akamai CDN, from Akamai WAF, from the edge into the detection cloud for our API security platform and be able to do so many different things very, very rapidly and report back to the customers, guide them on how you go about fixing these situations, the remediation that needs to take place, etc.
So it's becoming, again, it's a multi-layered, you know, strategy that we are working on deploying with the customers and it's very important because I think what customers don't realize is that a lot of times, you know, these things will hit you and just the sheer volume of API transactions that you're doing has a big impact on your business.

Excellent. Thanks. Now let's talk about the importance of partnership and let's go deeper and talk about the partnership, the alliance that you folks announced with Apiiro.

Absolutely. So we are super excited for our technical alliance with Apiiro. It stems from this kind of concept of sort of code to runtime, which is basically saying that, you know, Akamai API security has the ability to identify so many different situations, again, going back to discovery or abuse or detections, vulnerabilities, etc., and be able to alert and report into sort of, you know, what is happening in the runtime environment. What we wanted to do is sort of work with Apiiro and say, hey, as an application security posture management provider or capability, they have the ability to identify that back to the actual owner of the API, the developer, the code base, and then connecting the dots for the customer. It's all about sort of, you know, speed of remediation, right? It's mean time to remediate. How fast can I know I have a problem? How fast can I go fix the problem? It's about efficiency. It's about productivity. It's about helping customers, again, going back to a multi-layered strategy, helping customers from code to runtime to go solve these problems. And that is the work that we have done with Apiiro, and Akamai and Apiiro together, taking this solution to end customers.

What benefit does this alliance bring to developers, DevOps and DevSecOps teams?

So, you know, it's a very interesting thing, right? So, we are definitely in a DevSecOps model, and you talked about the cultural aspects, right?
So, there's always within customer environments, there's an application security team, there's, you know, a chief security office team, there are multiple developers that are application owners, there are folks who are responsible in production, but there are folks who are responsible early on in the design, development, et cetera, phases of the application. So, this concept of shift left is saying, hey, if we know what is happening in the production runtime environments, can we bring some of these things forward? Can we go improve the posture when you are doing the development? So, if I told you that certain things are already compromised or have a vulnerability and you can go and kind of set it up in a certain way that you can avoid those pitfalls, that is where the developer can do it right from the gate, which is another kind of prevention methodology. Now you are much, you know, early up into your shift left, you know, code to runtime capabilities, right? So, the idea is, hey, can we bring these insights together? Now, you want to be able to do it at scale, right? So, the automation, the tooling, all of that plays a very important role, right? A lot of times what happens is that internal to the customer, there might be some back and forth on, hey, you know, my job is to figure out and protect and detect and secure, but then somebody else is responsible for actually fixing that, right? So, kind of, how do you get all of these teams, and you touched upon the cultural aspect, right? So, what we are doing is we're providing the automation, the technology, the tooling to help customers mitigate not only the cultural aspects and, you know, who's responsible for what, but also the speed, because agility is so important in this space, in general in security, in cybersecurity, agility is so important. The work that we've done with, you know, Apiiro and Akamai, the integration, I think it's first of a kind, right?
In terms of truly demonstrating a code to runtime capability where the customer has the ability to have a production runtime view, take what they found over there, bring it back into the developer ecosystem, really execute on the DevSecOps, drive that sort of, you know, kind of risk-based profiling, but also I think the biggest advantage is the mean time to remediate or the speed and the agility. And I want to stress on that because this whole ecosystem that we want in API security is all about that. And I want to make sure that that is well understood and that is the main driver behind this technical alliance.

I cover security a lot and sometimes, you know, security seems like a very gloomy place. Developers, they don't want to talk to security folks because they can slow them down, they can stop things. But if you look at it from a different perspective, the way I look at it is that security is actually an enabler. If you look at, I mean, it may not be an ideal analogy, but look at cars: knowing that there are brakes, airbags and all those other functionalities, features, technologies for security and safety, I feel more comfortable. Same thing, when you put those guardrails, all those mechanisms, technologies and tools around developers, they feel more confident, they feel more comfortable to write more challenging business applications because they don't have to worry about security. So talk about security as an enabler, which we sometimes don't talk about a lot.

The whole concept of, you know, security as an enabler to the business processes, to the digitization is so important, right? Because you're right. Historically, it's always viewed as, hey, you know, the security team or the CISO team is going to come in and they're going to stop me and they're going to delay my project. And, you know, now I got to go do these 20 things. I don't agree with them, right?
You spend a lot of time internal and back and forth, which impacts the productivity, the efficiency and just the cultural aspect of the team structures, etc. And I feel, you know, just the examples that you gave, right? You know, if you're thinking about a car, the brakes, the airbags, like safety, security, the right kind of posture. So, you know, preparing for all of that upfront from a design perspective is so important and inherent, and these tools, these capabilities in application security posture management do exactly that, which are saying that, look, as you think about all of the work that you need to do in application development, these are some of the guide rails and guide posts that can help you. So you are a lot more efficient from the get-go. You're a lot faster from the get-go. And I think this combination is going to really, really, you know, enlighten and delight customers and we're excited about it.

I do want to ask this question because this was the hardest topic last year and this is still, you know, one of the hardest topics. Generative AI, talk a bit about what does API security mean for generative AI and how generative AI can help with API security.

So in general, sort of generative AI, to your point, you know, is a huge technological advancement that has so many different use cases, right? So we are seeing those use cases deployed, you know, something as simple as a dad is trying to figure out what's the speech he's going to do for his daughter's wedding or graduation to, you know, how do you interact in a contact center, call center environment to how do you really kind of, you know, make it easy where you are processing a significant amount of data. So a lot of use cases for generative AI. Now, what is happening is that, you know, the same technology is available to the hackers and the bad guys, right? So how are they deploying that? So we are seeing a lot of, sort of, you know, uptick with kind of social engineering utilizing, right?
So if I gave you a, you know, phone call or an email that made it look and feel that it is coming from somebody you know, right? So socially engineering, attacking, you know, senior citizens and consumers in general is a big thing that we're seeing, similar to sort of, you know, phishing of websites, etc. Now, there are lots of positive use cases, right? That can be deployed in the same case where we are able to look at the data and translate some of that information. So it's easy to understand for the customer. Again, going back to if I took a lot of information, made it easy and made a recommendation that, you know, follow these two steps and you can take care of something immediately. That is the value utilizing generative AI back to the customer. So I think in the API security space, a lot of the same things are applicable and I feel, again, the next three to five years are going to be in the cyber warfare space more and more about the AI tools both on the good side and the bad side, right? So how do you combat the bad side with the right kind of, you know, AI tools and capabilities? And again, the industry has to come together for that, which is what's happening.

Rupesh, thank you so much for taking the time out today to talk about this partnership. Give us a very good overview of the state of API security. Thanks for all those great insights. And as usual, I would love to chat with you again. Thank you.

Great. Thank you so much. Really appreciate you having me and look forward to it. Thank you.