Hi, this is Yoho Saptan Bhartiya and welcome to TF4 Newsroom and today we have with us Rupesh Chakshi, Senior Vice President and General Manager of Application Security at Akamai. Rupesh, it's great to have you on the show.

Great. Thank you so much, Rupesh, for having me, looking forward to our conversation.

Yeah, and today we are going to talk about a survey that you folks did with the SANS Institute on, of course, API security. Before we talk about the survey, I do want to understand a bit about the evolved security landscape because you folks have been around for a very long time. You have seen the whole evolution of security space, traditional data center security then cloud security. So I want to talk a bit about how the security itself or risk have evolved over time. Then we'll talk about API security.

Sure. No, that's a great question. And, you know, Akamai has been in the cyber security space for, you know, multiple decades. And we see, you know, tremendous amount of data and traffic on the internet, you know, based upon the edge platform that we have. So if I think about, you know, security and the landscape, it's become a boardroom conversation based upon what we have seen occurring with, you know, big companies, small companies, government agencies, it's a global sort of, you know, phenomenon where the CEO, the CIO, the CTO, the CISO, everybody has it front and center. I think the landscape and the threat vectors are continuously evolving. So it becomes a, it's not a one and done. It's not a project, right? These are investments that you need to make to continue to be in that sort of, you know, right kind of security posture, whether it is dealing with applications, whether it's dealing with data, whether it's dealing with cloud, whether it's dealing with endpoints, whether it's dealing with the networks, across the board, you have to have a very comprehensive, you know, cyber security strategy and how you go about it.
And then who are the right kind of trusted strategic, you know, partners that you work with, right? And it's, you know, it's, again, a very evolving, rapidly moving space. And with everything that we're hearing about AI, you see the bad actors utilizing technology like, you know, ML and AI to continue to do what they need to do. So it's very interesting that, you know, we stay together, stay ahead of it, both from a private company perspective, but also the government agencies are playing a big role in this too.

Yeah. And then we talk about security. Security is not a product. It's a process. It's also a cat and mouse game. As a good guy, you have to be right every time. Bad guy has to be right only once. And then, you know, we can also look at the street lamp effect. Sometimes we are looking at things where we should be, and, you know, bad actors are exploring a lot of things. So can you also talk about, because which also kind of leads us to security is not a product, it's a process, it's a cultural change. And it's not cultural change within one team. It has to be across organization. So can you talk about this aspect also?

You know, as you stated, right, it's a cat and mouse game, you know, it needs to be definitely a cultural change, but something that is, you know, kind of accepted, right? And I'll give you what is happening in the macro kind of digitization, right? Even post pandemic, we're seeing, you know, significant amount of investments going into the digitization. We live in a very connected economy, you know, things are moving fast, the supply chains, the digital connected economy. And what that does is it's not just the group that sits under a CISO is responsible for cyber security and the hygiene and the risk profiles and the posture management. It's the entire sort of an organization because the brand is at stake, the customer data is at stake. It's the supply chain of how you do the interactions at stake, etc.
So if you think about, you know, the big picture, the customers or the organizations, they have to really systematically go about the programs and how do you evolve those programs with the rapid changing landscape, right? So I think it's a very important space and it's sort of, you know, as I mentioned, it's a boardroom problem and a discussion. It's, you know, security is a business issue. It's not just a tech and what tech you have.

Now, let's talk a bit about this survey that you folks did with the SANS Institute e-findings. And also there are certain things that you were expecting that, hey, this is what's going in the market. And at the same time, sometimes these surveys, they present a picture that, oh, we were not even expecting that.

So, you know, we did in partnership with the SANS Institute, we did a survey focused on sort of, you know, sort of API security, right? So this is what is happening in the world of application security and the API security market is, you know, kind of broad, the landscape is broad, etc. So we started to think about, okay, you know, how much do the customers and the enterprises already know and are aware of, right? What is their current sort of, you know, thought process? How are they going about all of these things, right? So if you start to unpack that, right? We've come to the realization that, you know, preventing API-based attacks is not just guarding the endpoints or checking the credentials. It's a lot more sophisticated than that, right? So Forrester and other analysts have put published reports out there and they talk about that it is such a hot topic right now because we've seen, you know, many customers have had breaches because of an API vulnerability or an API abuse problem. And a lot of the customer data was stolen or some kind of a data breach occurred or ransomware was put in, etc.
So, you know, the more and more what we see on the Akamai sort of, you know, edge platform and the traffic, and we published that in one of our State of the Internet report, the SOTI report is, hey, just the amount of API transactions that are traversing are significant and the attacks utilizing those data and those transactions are also very, very significant. So you start to see this combination of variables that are starting to point leading indicators, right? The traffic is growing, the API transactions are growing, developers are putting in more and more applications and codes in production. We're in a connected economy and you now have created this sort of, you know, an opportunity and an attack surface for the bad guys to go exploit. And this is all happening at a very rapid pace, right? So the updates are very frequent and one of the, you know, customers said it really right that, you know, hey, look, you know, for us, it was just to even understand the discovery, the visibility of how many APIs I have and what's happening and give me even the viewpoint of what is traversing for me in my sort of, you know, environment, right? And that is valuable. And then from there, we go into, you know, detection and remediation and better practices and deeper API testing. So we covered a lot through this survey in terms of the different areas.

When we look at API security, what were the top eight API security concerns for, you know, for the folks that you service? We talk about things like zombie APIs and not all the things. So talk to them.

So I think that, you know, the survey articulated that there were a couple of things, right? That kind of was rising up to the top. So one was, you know, phishing was a big concern and, you know, 38% of the respondents talked about that, you know, missing, you know, patches was another big thing that kind of rose at 24%.
So if you start to think about these vulnerabilities can serve as sort of, you know, open doors for malicious actors to exploit, you know, posing significant risks to the business and their customers. And I feel like when you step back and look at it, right, going back to, you know, are there, you know, API testing tools deployed, right? So the survey found that, you know, only 49% of the customers had thought of that or are doing that and the others are not. So just the landscape is very broad. The other thing of interest along these lines of concerns is that you start to think about the API transactions that are happening in all industries, right? So if you think about healthcare, you think about manufacturing, or even you think about the connected cars or the smart cities and what we are seeing from an evolution perspective, these are all API transactions that are occurring. So just the broad applicability of that is huge. And there's a lot of, you know, B2B applications that communicate. There's a lot of machine to machine communications. There is a lot of, you know, sort of, you know, the internet facing applications where user and web applications. So broad, broad applicability. And as I mentioned, the concerns were, hey, about the phishing, the missing patches, the open vulnerabilities, et cetera.

How much awareness or readiness is there when it comes to API attacks? Because these attacks are not going to go away. As you earlier said, you know, it's like cat and mouse game we have. We can stay ahead of the game, but we are not going to solve this problem overall. So talk about the state of, you know, readiness and awareness.

So I feel like, you know, going back to the SANS Institute survey, we felt that the customers were looking at it, but really not fully prepared, right?
And, you know, prior to that, we had published a SOTI report and that talked about just a sheer volume of interactions that are taking place and the attacks that are happening to those, right? And you go look at any industry analyst report. So right now, I feel from a customer perspective, it is, you know, top of mind that API security is very important. Then you break it down to say, OK, how much deeper awareness is there within that enterprise or that customer? So I think, you know, the vulnerable APIs are increasingly getting targeted, you know, they're becoming common. You've seen examples of, you know, public information on, you know, T-Mobile having an issue or had a data breach. We had Optus, we had Twitter and many other examples that are there from 2022 into 2023. Less than 50 percent of the respondents, you know, in the survey said that they have, you know, API security testing tools in place. So even fewer had discovery tools. So, you know, highlighting the lack of awareness and readiness for these API attacks is very important. And, you know, the customers really see value in visibility, discovery, detection, remediation, you know, response, reinforcement. And you also have to think about the behavioral aspects, because there's a lot of times there's an abuse going on, too, is that, hey, the API transactions are trying to do sort of the business process, right? And you're trying to connect machine to machine or app to user, whatever that is. And let's do a simple example and, hey, I'm trying to get a real time credit validation in a financial environment or use case. And the, you know, those APIs are being abused or they are being kind of attacked and overflow of the traffic, etc. And those transactions are not going through creating a frustration on part of the end user and impacting the brand of that particular enterprise or the customer, right?
So one of the customers, you know, really said this thing very nicely for us is that API security is front and center for them. It improves the compliance, the risk management and enables them with business process agility and the outcomes, right? So they want to continue the business process agility and the outcomes on their apps while they feel comfortable that they are sort of taking care of what is needed in API security. So I think a lot more to do in this space and I'm glad we're having this conversation as you, you know, reach to the audience and they listen to this, you know, make it front and center. It's an important area of focus and investment.

And when I was listening to you, it was like a lot of these organizations, they are not even taking advantage of some of these practices, tools, technologies that are available to them. And if you look at DDoS and load balancing services, they have API security controls baked in, but it was found that this is one of the most underutilized areas in API security tools. Why do you think that is the case? Why are organizations not taking advantage of all these tools, all these practices that are available to them?

You know, again, we'll start at a macro viewpoint. So I think from a, you know, if I'm a C-suite in an enterprise, whether it's a CISO, CTO, CIO, CEO, it's a lot coming at me, right? And it's a lot of, you know, security point solutions. There's a lot of like, hey, there's the next thing happening, et cetera, and as you mentioned that, you know, it's not a revenue generator, but it plays an important role. So I think a lot of the kind of messaging that I bring forward to is that what we as security professionals or cybersecurity professionals need to do is make it not a tax, it's more of an enabler, right? It's embedded into the business processes, the tools, the applications, the interactions, et cetera, and you make that kind of business process agility and the outcomes, the main focus, right?
And, you know, if I go a level down and say, OK, within the Akamai portfolio, whether we have the app and application sort of, you know, API security protection, you know, the web application firewall products, the DDoS products, the load balancers, many other things that we provide, you know, we do have some level of, you know, protection in that, right? But more of that web application protection or the web application firewall is think of it more as a gatekeeper function, right? So, hey, this is the traffic that is kind of moving through. And if we have visibility of any kind of malicious, we block it, but any kind of authenticated traffic kind of gets through. And then you don't have the full understanding of what is happening beyond that, right? So the behavioral aspects of these things become, you know, very important. So a lot of the organizations are, you know, even in the surveys, and, hey, we can check the box on the OWASP, you know, top 10 list and, you know, for application, for API, and, you know, that framework is very helpful, which is fantastic. And then they're also, you know, relying on some other tools to say, can I have more kind of visibility into what is happening? And it was interesting because in the survey, you know, the organization said that they're relying on other tools and not fully addressing the API security level risk. And the underutilization of these features, you know, with only 29% of respondents using them is, again, like it's an alarm bell, right? It's a fire alarm, right? That says, you know, more and more needs to be. And I think to your point, right? I think it's awareness. I think it is focus. I think it's the budgets and the investments that are needed. And I also think, you know, a lot of these things can be handled where you don't have to go to, you know, hundreds of, you know, vendors and point solutions, right?
You know, at least what Akamai is doing is that we're bringing a much more sort of, you know, cohesive value proposition in application security and API security. So that is, should make it easy for the customer.

What advice do you have to, of course, those CTOs, developers, DevOps team, DevSecOps teams, SRE teams, you know, we have so many labels these days that so that they, irrespective of where they are in their either cloud adoption journey or security, API security journey, that these are some of the practices if they start embracing, irrespective of their size, expected state, they will have some right culture begging and which also because, as you also said, you know, you know, without right tools, culture itself is not efficient and without right culture tools are not, you know, so talk about that.

It's a great point. And I think it's top of mind for everybody. And see, I think enterprises should go on the, on the offense, right? So, you know, a lot of the research, whether it is the report that we did with SANS, to our SOTI reports, or even the announcement that we did recently, a lot of it points to, you know, data that is giving indicators, right? So going a bit on the offense is very important, like put the focus on discovery, visibility, detection, remediation, have a more broad end to end view. Because the space that we are in with this sort of, you know, connected economy and the digitization and the pace at which it is happening, I feel that, you know, it's not an afterthought. Like you can't, it's not the classic like, hey, let me go do kind of like, you know, firewalls. So everything is like blocked and protected. It's a lot more involved and complicated than that, right?
So focusing on an offensive strategy, understanding the landscape, the threat vectors, what you need to do proactively going into sort of, you know, addressing authentication and asset inventory and vulnerability management, change control, a lot of really good practices that can be brought forward. And again, you know, go with the right, you know, trusted strategic partner who can bring value forward, who can guide, who can demonstrate that, you know, we can do a lot of it at scale. And you hear a lot more from a sort of, you know, security practitioner's perspective that utilization of ML and AI technologies to kind of fight, you know, fight the bad guys is also front and center, right? So that we need the right kind of tech, we need the right kind of pace and we need the right kind of agility to deal with the attackers, the hackers, the bad guys and, and, you know, play on the offense, right? Like go on the offense, very important.

Rupesh, thank you so much for taking time out today. And of course, talk about this survey that you posted with the SANS Institute and also share the insights and advice how folks can actually improve their APIs. And also share the, as you said, macro and macro level discussion on security, security is really important. We should embrace these practices and cultures. Thanks for all those insights. And I would love to chat with you again. Thank you.

Great. Thank you so much for having me. Appreciate it. Take care.