Hi, this is your host Swapnil Bhartiya and welcome to another episode of TFiR Newsroom. And today we have with us Ori Bach, Executive Vice President of Product at Salt Security. Ori, it's great to have you on the show.

Thank you so much. I'm really happy to be here.

Yeah. First of all, congratulations for joining Salt Security as Executive Vice President of Product. Before this interview started, we were talking about, hey, what we used to do before that. So I would love to talk a bit about your background, your experience in the IT and especially security space.

So my career started in a way that's not necessarily original for somebody from Israel. It started in the Israeli Defense Forces. I was recruited into one of the technology units, and the skill set that I acquired there was actually very attractive for the growing startup industry. And I worked for a number of companies that dealt with cybersecurity and risk management. And through that, I really fell in love with great technology that can help companies avoid being breached. And I found that that is a very powerful thing that you can do for people.

If you look at the security landscape today, the landscape is changing, workloads are changing. Where we run our workloads is changing. How we run our workloads is also changing. The whole developer pipeline is also changing. So can you talk about the evolution of security from the evolution of the whole IT landscape?

I think that's a great question and one that's often missed. So I think the biggest change, if you kind of take a step back in terms of how software is being developed, is that it's being assembled and generated more than it's being written. And with the use of AI, with the use of cloud technology and microservices, a lot of the work that's being done today to create software is creative work. It's assembling different things or asking different engines to build code for you. That is fundamentally changing security, and in a good way, because being able to use best-of-breed components, being able to ask a machine that doesn't make mistakes, doesn't make human mistakes, it may have other limitations, to write code for you is actually a great opportunity to build better software and more secure software.

And now I would like to know what attracted you to join Salt Security?

I've always been attracted to companies that deal with disruptive technologies, and I think with Salt it's the first time that it's actually more than one disruptive technology. First of all, look, the world is changing, and historically the world, we had a bunch of desktop applications and hardware. I think the world is moving to applications and APIs, and Salt is really focused on solving the challenge of how do you effectively utilize APIs without taking on risk. The second really disruptive thing about Salt is the way that it does it, the very powerful machine learning that's being brought to bear to take trillions, trillions of requests of data and come up with a small subset of insights that help people manage risk. And the third reason I think that Salt is extremely disruptive has to do with the fact that we don't treat APIs as just another attack surface. We treat APIs as an opportunity for better security. APIs are a choke point. All of the data goes through APIs. Any attacker must go for an API if he's attacking an application, if it's an API-first application. That's a great opportunity to actually improve security and not just secure the APIs themselves.

As Executive Vice President of Product, what is going to be your role at the company?

I see my role as really making our vision into reality, and our vision is securing the connected world, making sure that as people adopt APIs they're not slowed down by security concerns. And this is a real thing. A lot of cool technologies were actually used in a negative way by hackers, and it caused the industry to slow down and put a lot of fences around their adoption. We do not want that to happen with microservices and APIs. So that's our vision. The way to get there is really my job, which is understanding the evolving threat landscape, and it is changing. It's even changed in the last three months, six months. Make sure that we are evolving our technology to meet the growing needs of our customers, and for me it's all about the automation. Our customers are telling us something very simple: we're not looking to have people spend a huge amount of time on security. We're not looking to have manual processing. You need to automate this for us. You need to make it easy. And the combination of all the technologies that we're utilizing, I think, makes that into a real possibility.

Then a lot of things are manual. They also go on a back burner because something else takes priority, and then you really cannot do a lot of things manually. So yes, automation is key. Earlier you also mentioned AI, and today one of the hottest topics is generative AI. People talk about ChatGPT. Can you also talk about, once again going back to your point of automation, AI. How is AI, I mean we have been using AI in security for ages, but once again generative AI is new. What impact do you see of generative AI on security now?

We can look at it from two perspectives. One is generative AI as a workload that you have to secure, and generative AI as a tool to enhance security. So what does it mean for security in general? And then we can also talk about what Salt Security is doing in this space. I think for security it means two things. One that you mentioned, which is that anything can be potentially hacked, and the guys on the other side, the threat actors, are so smart and so innovative in looking at every new technology and trying to figure out ways to manipulate it. I think the biggest risk with AI is that information that was historically kept on-prem is suddenly going to the cloud as we look to leverage those powerful engines like OpenAI and others. So that's definitely a concern that customers are talking to us about, and they want to make sure that they are aware of what data is flowing into those powerful gen AI engines and that that data is secured end to end. The other is an opportunity, and the opportunity is this. Historically we spent a lot of time trying to educate developers and other people about security best practices, and to a large extent we failed. People still open phishing emails. People are still using passwords that are easy to guess. They're making a lot of mistakes. I think if I especially look at what we're doing by being able to teach AI and generative AI to write secure code, we are actually able to significantly enhance application security.

Can you also talk about how you're seeing the API security landscape evolving, and also, if you can, in the same way, how is API security a little bit different from when we talk about security in an IT context?

API security for me is going through a natural maturity cycle. Like any new technology, and it is still new for some companies, the first thing that happens is that those companies realize that they lost visibility. So they have great visibility into their legacy applications, and they've built some tools to make sure that they're secure. But the move to the cloud and the move to an API-first architecture essentially meant that they lost that visibility. So first of all, really what they're asking us is, hey, tell me what I have. Tell me what data is flowing through it. Tell me how people are trying to compromise it. I am seeing some companies kind of move away from that and moving to a more mature place and say, OK, we know what we have. We understand the risks. Now we really want to minimize them. And the way to minimize them is to monitor that attack surface, find out your biggest risks and make sure that those posture gaps are being addressed. So we're kind of seeing that natural maturity, and we're seeing people... It's not just a technology thing. People, practitioners on the other side, are starting to gain a lot of competency in API security. So we're meeting people that are actually really smart about API security on the customer side. And it's a great partnership, because that shows us that the organizations are taking API security so seriously that they're hiring smart people and telling them, you need to be my guru. You need to be my expert about API security. You need to know how APIs are being exploited and how we can defend against that.

You folks also come up with a lot of reports. And what we are seeing sometimes is that, of course, the threats out there are emerging. The most worrying thing that we often hear is the lack of preparedness. We often find that companies were not even prepared. From your perspective, when you joined Salt Security, do you think the situation has improved? There's a lot of awareness. Or do you still feel that, no, this is also the fact that security is not an end product. It's a process. It's a cat-and-mouse game. And you come from a military background. You know that the bad guys have to be right only once. Good guys have to be right all the time, 101% of the time. So talk a bit about the kind of gaps you are seeing and what do you feel is the reason organizations are still not fully prepared when we look at API security?

It's a great question. Look, I think the first reason for not being prepared is because it's relatively new. So they've built great practices along the years around how to protect endpoints and others, around how to protect some of their perimeter. And it's new, and some organizations, frankly, just lack the expertise and the program. I think with the economic situation that we've had in the last year, it also caused some people to maybe not try to expand what they're doing and just focus on the existing controls. I actually think there's a big opportunity here for cost savings. Because again, any data that has to do with an application that's written in an API-first manner must go through the API. And that's actually an opportunity to get more visibility without needing to monitor a lot of places within the application. And on the other hand, I'm definitely seeing more awareness, more maturity. I'm definitely seeing people come to us and say, hey, we actually know what we're looking for. We understand attack vectors. We understand how our APIs are being exploited. We have specific concerns, versus just telling us, hey, give us visibility or give us a list of best practices. I think that's a great thing. And I think as the years move along, more practitioners are actually going to get that expertise, in the same way that web security was a relatively new expertise many years ago. And today it's something that's very common in the market.

I always love to talk about, of course, technology is the easy part. People are the difficult piece, the culture. How much of a role do you see, of course, in security? We see the whole practice around DevSecOps and a lot of other practices, cultural changes are happening. But how much of a role do you see of culture change when it comes to improving API security? How much are organizations doing it? And as you're talking about, there are a lot of factors. Cost can become a big factor, because in that case, security always goes on the back burner, other things take priority. But do you think if organizations embrace a culture, then those things will be baked into their DNA and it will not be something secondary or something that is someone else's problem?

I am seeing real progress and maturity in the thinking of organizations. And the reason I think that engineering and developers are a lot more in line with security is because they're a lot closer to production. So we have customers that deploy code into production 40, 60 times a day. And it's very easy for somebody that does that to say, hey, if I do something wrong, there's gonna be immediate impact. So SecDevOps is definitely a practice that we're seeing take traction. We think with APIs probably more, because again, the developer actually develops an API and that API gets deployed as is into production. That's different if you're just building like 5% or 3% of some bigger software. And we consider it part of our mission statement to really connect developers to what's happening with their APIs in production. And not just bad things, right? Give them that visibility and make them part of the ownership of making sure that that API is secure and does what it needs to do within the cloud environment.

What is your advice to organizations so they can build some best practices so that they're also prepared for the next threat, so they don't have to play the catch-up game? They are already prepared for these kinds of things that will continue to happen.

I think the best way to look at preparedness for API security is to look at it as a maturity model. And the first thing is that you need to make sure that you know what you have. The most dangerous API, the API that's most exploitable, is the one you haven't heard about. And that is actually a problem, right? Developers sometimes deploy things where the security team is not aware. Make sure there are no zombie APIs. Nothing is left out there that is not being managed from a risk perspective. So that's kind of the basic layer of any risk management program, to know what you have. Then I would say, look at the OWASP Top 10. Look at the typical attack vectors that are out there and make sure that you have a good program in place. So what happens if one of those OWASP API Top 10... OWASP is the organization, of course, that manages standards for application security. Make sure that you have that basic framework in place. And then I would move maybe to a third level of maturity. How are you specifically being attacked, right? What would attackers do, or are doing, specifically to exploit your business line, the application that you put out there, and make sure that you have special controls put in place to make sure that you're able to counter them, or in fact block them from ever even starting an attack. I think that's kind of the best practice. But taking steps, because trying to move too fast is sometimes overwhelming. And you mentioned that put on the back burner, everybody's busy, developers are busy and they're not security people. Security people are busy. So just make sure that you kind of go through those steps and see the benefit in each step.

As we were talking about culture, and you also mentioned cost can be a factor. Priorities can be a factor. Talk a bit about how organizations like Salt Security make it easier for teams so that they don't compromise on security, at the same time as folks like you, when you, as you said, your job is to keep an eye on what is the next step. Organizations cannot keep an eye on that because, as you also said, they don't know the next vulnerability there. So talk about how you folks help them. So once again, these organizations continue to focus on building their business value, their developers continue to put their effort and time in building the business, adding the business value, and you folks help them to secure their workloads, their environments.

We see it as part of our mission statement to improve API security, making sure that our customers are well educated, that they are aware of the threats that are out there. We both do this in terms of a training program and talking to them, but also automatically. Our platform has components of threat intelligence where we're able to look at specific attacks. Recently, there was an interesting attack against one of the WordPress applications called WooCommerce. And one of the things that we did was to make sure that all of our customers that are in that space, eCommerce, are able to see exactly when that attack vector is deployed against them and give them clear, actionable steps on how to mitigate that. And I thought that was great partnership, because yes, it is hard for every organization in the world to educate themselves about every attack that's happening out there. So I think one of our benefits from our central vantage point as a SaaS vendor is to constantly be able to make sure that that information gets to the right people.

Ori, thank you so much for taking time out today and giving us a great overview of the whole API security landscape. And I also look forward to a lot more discussions with you around the whole API security. But I really, really appreciate your time with it. Thank you.

Thank you so much. It was a pleasure. Really great questions. And looking forward to talking to you in the future, as Salt itself matures and our space becomes even bigger than what it is today. Thank you.