Spotlight: Traceable CSO Richard Bird on Securing the API Economy

In this Spotlight episode of the Security Ledger podcast, I interview Richard Bird, the CSO of the firm Traceable AI about the challenge of securing application programming interfaces (APIs), which are increasingly being abused to steal sensitive data. [MP3] [Transcript] The term “API economy” has been given to the emergence of business models and business practices designed and built around the use of APIs – or Application Programming Interfaces. APIs, today, are everywhere – they’re the foundation of digital transformation initiatives: allowing organizations  exchange of data and instructions seamlessly between  applications – many hosted in cloud environments.  APIs abused in cyber attacks But APIs can also facilitate cyber attacks and the theft of data. In 2022, insecure and leaky APIs were the common theme behind a number of major cyber incidents, including the leak of data on more than 5 million Twitter account holders as well as other incidents. While development organizations and the downstream consumers of APIs have enabled rapid development of new applications and capabilities – security, h however, has lagged.  What is the fix for API security issues? According to our guest today: organizations need to recognize the ability of APIs to be used and abused. Richard Bird is the Chief Security Officer at Traceable.ai., a company that specializes in API security. Traceable’s technology enables organizations to identify and monitor the internal and external APIs in use in their environment and grasp the API risk posture as well as “application context” – the complex interactions of APIs, users, data, and code. In this conversation, Richard and I talk about the challenges of securing API ecosystems within organizations. The key, Bird said, is for organizations to understand the security risks that APIs pose and take steps to both monitor and constrain their use.  Transcript Richard Bird (Traceable): I’m the Chief Security Officer for Traceable. I always like to say that I’m in my Benjamin Button phase of my career. I’m aging backwards. I spent 20 plus years in the corporate world. And about 16 or 17 of those were in banking, financial services, hedge fund administration, all in technology. Before I ever got into the solutions side of the business, I had already been a chief information officer and a Chief Information Security officer as I did two tracks in my own corporate career. And I made the decision that I wanted to try and help more than jus...