APIs and Tech Stack Insights from Richard Bird of Traceable AI.
Richard Bird explaining APIs and tech stack strategies at Traceable AI event.

Securing Our API-Driven World with Richard Bird of Traceable AI


Episode Overview

Episode Topic:

Welcome to an insightful episode of PayPod. We delve into the critical and ever-evolving realm of APIs and tech stack security with Richard Bird of Traceable AI. The discussion zeroes in on the complexities and importance of maintaining robust security measures to protect the intricate web of APIs that underpin modern tech stacks. With APIs playing a pivotal role in the functionality and innovation of financial technology services, understanding their security implications is more crucial than ever. This episode sheds light on the challenges and strategies related to securing APIs and tech stacks, offering valuable insights for professionals navigating this essential aspect of fintech.

Lessons You’ll Learn:

There are essential lessons on the importance of API security within your tech stack, providing a comprehensive understanding of how to safeguard your digital assets effectively. You’ll learn about the multifaceted nature of APIs, the potential security risks they pose, and the best practices for ensuring their security. The episode offers an in-depth exploration of strategies to enhance the security of your APIs and tech stack, equipping you with the knowledge to anticipate and mitigate potential threats, thereby fortifying your fintech solutions against evolving cybersecurity challenges.

About Our Guest:

Richard Bird, the Chief Security Officer at Traceable AI, graces this episode with his profound expertise in API security and the tech stack landscape. With a storied career rooted deeply in fintech and cybersecurity, Richard brings to the table a wealth of knowledge and firsthand experiences. His insights into APIs and tech stacks are not just theoretical but are backed by years of practical experience and a keen understanding of the fintech sector’s current and future needs. His discussion on the podcast illuminates the essential nature of robust API security frameworks and the strategic role of tech stacks in safeguarding digital assets and information in today’s interconnected world.

Topics Covered:

This episode covers a broad spectrum of topics related to APIs and tech stacks, providing listeners with a comprehensive overview of the subject. We discuss the evolution of API security, the expanding landscape of tech stacks in fintech, and the paramount importance of these technologies in ensuring operational continuity and security in the digital age. Key discussions include the impact of APIs on global internet traffic, the role of tech stacks in enhancing application performance, and the strategies businesses must adopt to secure their digital infrastructure. By exploring these topics, the episode aims to equip listeners with the knowledge and insights needed to navigate the complexities of APIs and tech stacks in the context of modern technology and cybersecurity.

Our Guest: Richard Bird, Pioneer of APIs and Tech Stack in the Fintech Landscape

Richard Bird is the Chief Security Officer at Traceable AI, a company at the forefront of API security technology, ensuring that enterprises’ tech stacks are robust, secure, and capable of withstanding the evolving threats in the digital landscape. With an illustrious career deeply embedded in the fintech and cybersecurity sectors, Richard brings a wealth of expertise and experience to the table. His journey in the technology realm began in the mid-90s at Checkfree, a pioneer in person-to-person payments, marking the start of his profound impact on the fintech industry. His experience spans across significant roles in banking and technology firms, where he honed his skills and deepened his knowledge, particularly around APIs and tech stacks, areas now critical to the operational backbone of modern digital enterprises.

In his role at Traceable AI, Richard is instrumental in shaping the strategic direction of the company’s security solutions, focusing on the intricate interplay between APIs and tech stacks. His insights are not just limited to securing the technology but extend to understanding how these technologies can drive business value, innovation, and operational efficiency. His approach combines deep technical acumen with strategic foresight, emphasizing the importance of a proactive security posture in the rapidly evolving digital ecosystem. Richard’s leadership is pivotal in Traceable AI’s mission to provide cutting-edge solutions that empower organizations to achieve API visibility and attack protection, ensuring their tech stacks are not just operational but also secure and resilient against sophisticated cyber threats.

Beyond his professional achievements, Richard is recognized for his thought leadership in the industry, often sharing his knowledge and insights at conferences, seminars, and webinars. His expertise is sought after by many in the industry, looking to navigate the complexities of API security and the broader implications for business and technology strategies. His contributions extend beyond the confines of his role at Traceable AI, impacting the broader discourse on digital security and influencing emerging standards and practices in the industry. His perspectives shed light on the critical importance of securing APIs and tech stacks, which are the linchpins of modern digital infrastructure, crucial for the operational success of businesses in today’s interconnected world.

Episode Transcript

Richard Bird: If you go look at the headline news the last 18 months, the one single API with one exposed endpoint netted to 37 million lost accounts by T-Mobile. That’s huge. I think I’ve seen the figures that the recovery on, it’s been something like $150 million. So I would say in the 18 months since I’ve started, there’s been a recognition in the marketplace across all verticals that API security is a thing, that those companies that were breached and were in the headline news, they all had a WAF and they all had a gateway. So what went wrong? What happened that wasn’t sufficient from a security standpoint. So those thoughts and ideas are starting to propagate.

Jacob Hollabaugh: Welcome to PayPod, the Payments Industry Podcast. Each week, we’ll bring you in-depth conversations with leaders who are shaping the payments and fintech world, from payment processing to risk management, and from new technology to entirely new payment types. If you want to know what’s happening in the world of fintech and payments, you’re in the right place. Hello, everyone. Welcome to PayPod. I’m your host, Jacob Hollabaugh. And today on the show, we’re diving into the world of API security. With every passing episode of PayPod, we discuss the latest and greatest innovations, new products, and services bursting onto the fintech scene, all of which typically boast their own API that we end up talking about, and that leads to the ever-growing web of APIs and tech stacks that make up modern enterprise companies. One thing we don’t get to discuss nearly as often is keeping all those many APIs and your entire tech stack organized, in use and, most importantly, secure. So today we’re going to do just that, and I’ve got just the right guest to walk us through it all. I’m pleased to be joined by Richard Bird, chief security officer at Traceable AI, the industry-leading API security company that helps organizations achieve API visibility and attack protection. Richard, welcome to the show. Thank you so much for being here.

Richard Bird: Very glad to be here.

Jacob Hollabaugh: I didn’t realize going in that AI and API would be kind of tough to say next to each other and not know when to throw that third letter in or not. But it’s wonderful to have you. And as I mentioned there in the intro, APIs get talked about all the time on the show, every single episode, whoever we’re talking with, eventually we get down to the nitty-gritty in the tech and talking about their APIs and their integrations and everything else. API security, however, doesn’t typically get much mention on this show, so if you’d be so kind for me and the listeners who may be less familiar with this idea, could you explain the basics of what API security even means and what the kind of purpose or driving benefit of it is?

Richard Bird: Yeah, absolutely. And before I kind of reel that out a little bit, I mean, I’ll share. I’m actually very excited to be on this podcast. The reason is that as a technologist, I was born and raised in fintech. In the middle 90s, I started with a company called Checkfree, back in the day, that really pioneered point-to-point person-to-person payments. And here I am, back in the fold. I started.

Jacob Hollabaugh: Then the right spot, because it comes up often on this show. The show, slowly but surely, might as well be a cybersecurity show, because the world of fintech and technology in general is. So that is maybe the most important thing around all of it. So those worlds blended, and it’s cool to hear you started in one kind of, we’re always within the blend of these two worlds your whole time.

Richard Bird: Yeah. That led me to a path into banking proper, where I worked for many, many years. So I work 20-plus years in the enterprise, and that’s relevant to the API conversation and how API security works for very specific reasons. The first is that if we think about the history of application programming interfaces, the API space, it is a space that for now closing in on 15 years has never been managed, has never been run from a pure operational standpoint like all other aspects of technology stacks. APIs were opportunities for developers to hook into assets and resources that they needed. And it has unleashed massive business value. I saw a survey the other day that showed that somewhere between 72 to 75% of all daily internet traffic is APIs. That’s massive, right? That is an enormous amount of traffic, much of it tied to personal information and economic transactions, whether they’re monetary, crypto, or large Treasury transfers. This is all now happening on the public internet. A decade ago, we would have been like, that’s never going to happen. We’re not going to put that stuff out on the public internet. We do it all the time now, and we do it using APIs. But because we’ve had very little control in the structure, classification, management, and deployment, like most companies don’t even have a change control process around APIs that are already in production. As a result of that lack of controls that have been applied from a security standpoint and all other aspects of the technology stack, APIs represent the largest unmitigated attack surface every company has today.

Richard Bird: And if you ask somebody, how many APIs do I have? Where do those APIs reside? What are those APIs doing? More times than not, you’re going to get back blank stares, right? And no time in security history, now I’ll put my security hat on, no time in security history has the answer “I don’t know anything” been safe, right? Or secure. And we go through these discovery phases about every decade. How many virtual machines do I have? How many accounts and credentials do I have? And now, how many APIs do I have? So API security is really about continuous monitoring of APIs. What they’re doing, how they’re behaving, what they’re supposed to be doing, where they’re supposed to be going. The great thing about APIs is that they are always built where the design spec itself is already present. It’s in the code. We know what it’s supposed to do. We know what endpoints it’s supposed to go to, what it’s allowed to transact and not allowed to transact. But a security wrapper around all that means that we’re continuously monitoring to make sure that an API is doing what it was designed to do, delivering what it was designed to deliver, and being leveraged by systems or people that it was designed to be leveraged for. Right now, a lot of what I just went through are absolute blind spots to most companies and organizations. So API security encompasses not just testing and the appsec space, but runtime protection, catalog and discovery, risk and posture management. It really has turned into a very extensive and expansive set of capabilities, in order to be able to do what you need to with APIs.

Jacob Hollabaugh: Yeah. And so you referenced there it’s only been 15 years, I think you said, since the onset of this technology in general, and that there was a point even ten years ago where how we operate today, people would have laughed at and said, no way, we would never do that. Was there any sort of tipping point over the last half-decade or decade where all of that changed, that sentiment changed, or where things kind of picked up more rapidly? When did the idea, I guess basically of, like, we’re going to need someone to monitor all of this, actually kind of first come about?

Richard Bird: I think there are a couple of different, really important pieces or landmarks in history that bring us to this point of massive API volume with very little understanding of the risk of those APIs. And I think it’s really important: in 1955, I think it was, some researchers wrote a paper about a theoretical notion called application programming interfaces. Right, APIs have been an understood quantity for 50 to 60 years now. They were very difficult to use back in my old days, running data centers and monolithic applications, because most monolithic applications back in the day were written in very proprietary code. So landmark number one is the rise of open source and open standards, whether that be at the language level, whether it be at the protocol level, whether you just kind of name them. Open source and open standards created a much more integration-friendly environment. And then once we moved our activities to the cloud with massive efforts around cloud migration, as well as just pure native web application building and the SaaS space and all of that, we ended up putting all of these applications, exposing them directly to the World Wide Web, directly to HTTP and HTTPS. And because we’re exposing all of that outside of our boundaries, then we start to lose substantial amounts of security control capabilities. We’ll talk about it, I’m sure, a little bit, as it relates to payments. But the payments world has always been a model for transactional flow in that there’s always a requester and a responder, or a payer and a payee.

Richard Bird: You know, there are two points at the ends of these transactions, very similar to the way that APIs work. They typically work on a 1 to 1 basis with a requester and a responder. And the real problem is that, because nobody owns the internet, once that transaction leaves my endpoint, in the interim, in that space in between, there are a lot of questions about who owns the security for that. Now the argument becomes, well, it’s got encryption. Well, you know what? I’ve been in security for a long time. How well is encryption working for us historically? Not great. And the receiver is saying, hey, I’m just receiving what’s getting to me. I don’t have any obligations for security for that. So we have this really interesting set of cognitive dissonances that I like to call big gaps in both thinking as well as risk and control management around APIs, because they were always just code widgets. Nobody cared. You mean you can get my application in production faster? Cool. I’ll always love the Twilio example. I’ve used this Twilio example a number of times. I think it was ’08 or ’09. Twilio built an entire business case for their funding off of one slide that says, I can get all the information about you that I need to with five APIs. And then they would run that demo and the investors’ minds were blown. They were like, oh my gosh, you got all this information about me from all these different sources that apparently weren’t protected. And then you have this profile of me, where do I write the check for Twilio? Right.

Richard Bird: This is kind of the rush to greatness that we’ve seen. Now, there’s one last element that I think is important. COVID saw a massive blow-up in APIs. And the reason is because developers were distanced from each other. There was a lot of fragmentation in terms of remote working that made it very, very difficult for people to do long sessions to build integration hooks and all that kind of stuff. So they started using APIs at a really massive scale. And so that’s why we saw a huge explosion from about 2019 to current. And then we look at things like Kong has put out an analysis recently with a world economist, saying that attacks against APIs are going to grow by 1,000%, and successful attacks by 1,000%, by 2030. But the volume of APIs is probably going to escalate by 100, 600, and 700% in that same time period. So now you can just kind of get this vision of a runaway freight train, like we’re not doing much in the way of security. We’re putting more into the system. We’re having less and less visibility into what is getting thrown into the internet. And that doesn’t even start to bring into the conversation things like supply chain risk and third-party risk, who are also using APIs. They’re not connecting with you with APIs. And on top of that, your developers are now using APIs to contact and connect internal systems because it’s fast and it delivers value. And yet there’s very little in the way of notional security around these subjects.

Jacob Hollabaugh: Makes sense. So we’ve danced around it a little bit. That was a fantastic overview, and I appreciate you going through it for those of us who are less familiar with it. Really, really well said. And so the Traceable AI company you work with is obviously tackling this entire problem that we’ve been laying out here. Could you tell me a little about who Traceable is, what exactly the product or service offering is, and who you most commonly work with?

Richard Bird: I love talking about Traceable, and I’m not the founder. It is important to talk about our genetic roots. Our founders, Jyoti Bansal and Sanjay Nagaraj. Jyoti is famous in the technology world, not because of Traceable, but because he built and eventually sold to Cisco, AppDynamics. AppDynamics was and is still a very widely used application performance management system that had huge impacts on improving all of our experiences on the internet. But the company actually, there’s a mythology about how the company came to be, because all the performance metrics for those applications were being aggregated and all of the security-related information from those same calls was being basically tossed on the floor. And one of our solutions engineers at one time said, hey, do you think anybody cares about the security stuff? And there you go. Here comes Traceable. And Traceable has an unfair advantage. I always like to say we’re the most unfairly advantaged round B startup in history, because our founder obviously was very, very successful with his first exit. He has another company, Harness, which is a CI/CD pipeline company, and then he has Traceable. And all three companies have been wildly successful. Now, with Traceable, as we developed into a security platform from those beginnings, we recognized there were a number of short-sighted positions in API security. The first is, a lot of times you’ll hear people in technology say, “I don’t have an API security problem because I have a WAF and I have a gateway.”

Richard Bird: Well, WAFs and gateways have been around for a long time. The amount of security that is provided by the gateway weighs somewhere between zero and none, because they’re routers, right? They manage the language of the APIs and they send APIs where they’re supposed to go. Web application firewalls are basically boundary guardians, right? They allow or prohibit any traffic that comes in based on rules or other policy triggers; you’re able to kind of take care of bad things that you know about. And now begins the problem, what Traceable really excels at: it’s the behaviors of the APIs that are indicators of their risk and their threat. This means that bad actors are learning how to use APIs for new breaches and new hacks every single day, which means there are no published vulnerabilities and no published exploits, means that maybe some researchers are sitting around in a corner somewhere and discovering a couple of new exploits.

Richard Bird: But in the main, what’s actually happening is a large number of attacks are unknown, unknown unknowns. Unless you’re able to measure the behaviors of those APIs like Traceable can, using our secure threat, like every time, every single time an API is used, you cannot understand whether an API is being exploited or not. It’s virtually impossible. So Traceable’s take has been: let’s figure out how to protect all APIs everywhere. Internal, external, third-party, vendor-supplied, commercialized, and monetized don’t really matter. All of them are across the board. How do we build the best-in-class data collection capabilities to be able to collect that traffic? That’s some really technical magic stuff. You know, that’s something we deep dive into with people, because we’re talking about Linux kernel layer level. We’re talking about VPC mirroring, stuff that can get really tricky. But we’ve mastered all of that. We collect that traffic. We have an ongoing catalog of APIs, tons and tons of APIs. And everybody’s environment that’s listening has been built with no documentation. That is a consistent theme for the last 30 years of technology. Built my code with no documentation. But we actually are able to auto-generate documentation.

Richard Bird: Now we have a basis to do that. Normative baseline threat analytics against here’s what we know the API was designed to do, what it’s actually doing. And then we’ve got the triggers that are necessary to protect the company once something starts to go bad. So we can either do that by passing information to a policy enforcement point like a gateway or a web application firewall, or we can actually natively just shut it off. Most companies aren’t ready for that second point that I made; there’s still a lot of resistance to automation around runtime protection and shutting down anything, because there are concerns of impact and those kinds of things. But the reality is that we are moving into a world where runtime protection at the actual API execution layer or execution level is going to be a necessity, because if you’re just passing off a policy enforcement, you could have a time gap of minutes, if not more, and the house could be cleaned out, right? The way that the world is working with bad actors, the speed at which they operate, is faster than human capabilities. We have to start relying on some automation. We pre-built those capabilities into Traceable.

Jacob Hollabaugh: And I’m glad you mentioned there that you do have a little pushback on kind of the secondary part of what you’re hoping to continue doing for folks. I wonder, what’s the initial response from most people? Is it like, oh my gosh, thank goodness someone is finally going to do this for us? Or is it more, you kind of referenced early on, like some people might say, “We don’t need… what do you mean? We’ve got this covered with this and this,” and do those really work? No, but we’ve got it covered. What is the kind of typical general response of you coming in and saying, this is an Indian? Like, we’re kind of creating this world because it clearly needs to be done, and we’re here to do it for you. Is it “Thank goodness”? Or is it more often like, you got to explain yourselves and convince me?

Richard Bird: There are half a dozen ways to answer that question; I won’t cover them all. The way that I’ll split that today: first, kind of reverting to a year and a half ago when I started at Traceable, I don’t mean this to be offensive, so nobody takes it as an offense, but there was a lot of willful ignorance around APIs and the risk that they represent to companies, similar to that: I’ve got a gateway and I’ve got a WAF. No big deal. I’ve got it covered. And one of the things, like, if you go look at the headline news the last 18 months, it’s been very helpful to me in having this conversation about whether API security is important or not, because of the level and the scale and the damage that the breaches have created in the marketplace, right? The one single API, with one exposed endpoint, netted 37 million lost accounts by T-Mobile. That’s huge. And I think I’ve seen the figures that the recovery on that’s been something like $150 million. So I would say in the 18 months since I’ve started, there’s been a recognition in the marketplace, across all verticals, that API security is a thing, that those companies that were breached and were in the headline news, they all had a WAF and they all had a gateway. So what went wrong? Right? What happened that wasn’t sufficient from a security standpoint? And so those thoughts and ideas are starting to propagate.

Richard Bird: Now there’s a second part of the answer I think is really relevant to the audience for this discussion, which is where we have seen a massive change in attitude and concern in banking, financial services, and fintech. And the reason for that is, first of all, it’s money. And when we think about the condition of how bad APIs have been from an exploitability standpoint, there have been several breaches where there have been monetary takeouts associated with API hacks. Fraud, in particular, is super interesting. It’s capitalizing on that gap where nobody is owning the security while riding on the internet. We’re seeing that beyond-the-edge kind of fraud happening on a regular basis. You know, in customers and use cases and scenarios where we’re providing protection already. So banks have the most lucrative treasure, which is why banks are super interested in mitigating the risk. But that’s not the only thing that’s driving banking, fintech, and financial services; it’s regulatory and compliance. The OCC has been very specific about APIs in one standard so far; the FFIEC put out a mandate two years ago now for full catalog discovery, understanding inventory of all of your APIs, as well as a risk assessment against those APIs. It caught a lot of banks short because it was embedded in a standard it didn’t make any sense for that standard to have, and they missed it.

Richard Bird: And so you saw a lot of scrambling of banks to get observability first. But as the bankers have looked at it, and like I said, fintech and financial services writ large, as they’ve looked at the problem, they go, oh, this risk is huge. We didn’t put two and two together. We understood that we had opportunities for exploitation, but we didn’t realize how big the attack surface was. You know, in cases where companies have, particularly in banking, financial services, and fintech, they have 10, 50, 60, 100,000 APIs operating in their environments. That’s a huge amount of traffic to try and monitor and keep secure. And so definitely a lot of movement and recognition in banking, financial services, fintech, and then a lot of recognizing the size and scale of the problem outside of that particular set of industries or verticals. But still a lot of resistance, because the reality is that companies have put a ton of money into their entrenched security stacks. Now, the idea of repurposing funding or finding new dollars to cover a completely new frontier for them, it takes a lot of work to move their companies and get them thinking in the direction of protecting what’s commonly known as layer seven. And so we’re seeing a lot of that kind of “I know I need to do something. I don’t know what to do, but I still haven’t allocated any budget or have a program yet.”

Jacob Hollabaugh: Yeah, it’s always that tricky part that comes in the world of security of, like, we maybe should be priority number one for all of your companies. But when it comes to allocating the budget, somehow we always end up with priority 4 or 5 or 6. And suddenly there isn’t as much left to actually give or spend or put into use, which is all too unfortunate. But one day we’ll get there and those things will level out, hopefully.

Richard Bird: That was helpful. I think there’s a really quick, helpful story there for the audience, which is these changes come in about ten-year waves, at least in my experience. And as these changes come, we have ourselves oriented to the way that we do security today. And then something new comes along and we go, well, no, I’m going here. And then ten years on, we’re proven to have been wrong and made the wrong decision. And a great example of that, you know, where I’m at today with folks when we talk about API security, whether they have it or not, is okay. If your API security is dependent upon, say, WAFs and gateways and you’re not using an API security platform like Traceable, let me ask you a question. In 2014, you have a choice to make. In 2014, you can buy Symantec Avg. Or you can buy endpoint security from a three-year-old company named CrowdStrike. Which one do you buy? And people always go, well, I’m gonna buy CrowdStrike. And I’m like, no, no, no, no, this isn’t a cool kids conversation. This is 2014. And they go, yeah, I’m probably buying Symantec Avg. I’m like, ten years on, right choice? Three years after 2014, right choice? People go “No”. And I’m like, so expand your mind a little bit, be intellectually curious, and say, where’s the ball going? And if the ball is going in a direction that’s not consistent with how we’re able to secure and control those technologies today, you better be looking at what’s coming in that ten-year horizon. And that’s exactly why I joined Traceable. I’m like, this is where the ball is going. And we’ve got an opportunity to be ahead of it, but we still have to get through all of the cultural and historical resistances.

Jacob Hollabaugh: Yeah, absolutely. That’s a really great analogy too. And that makes perfect sense of how we should be allocating not just our money, but our attention and our focus on what we need to be working on. You started walking through some parts of this specific to the fintech industry. Other than anything you already kind of covered, is there anything unique or different compared to other industries when trying to secure APIs within the world of fintech and financial? Is it just simply that quantity, like you said, being, really, really, is that way bigger than other places would be? Is there anything that makes this industry unique to try to secure?

Richard Bird: It’ll be unique by degrees. What I’m going to say might apply to other verticals; aerospace might be a great example. Because really what we’re talking about is criticality. What is the criticality of the function of that API from a transactional standpoint? So we’re talking about money when we’re talking about national monetary infrastructures and currency exchanges and international clearing and all these kinds of things. These are all very important, usually very complicated transactions, at least in all of the work that it takes for these things to reach a point where an API is triggered to move money someplace. So I don’t think it’s just volume. The volume itself has enormous criticality. And when we talk about the landscape of money and all the different ways that money is transacted, the complicated nature of that network, as well as the demands of that network for, you know, zero failure, are enormous. And I think that is a big critical differentiator for financial services, fintech, and banking. Now, I think the other thing that is really important to understand, I had a really funny conversation a couple of days ago. PCI DSS 4 has a lot of changes, actually some of the most interesting prescriptive changes that I’ve seen. And I will tell the audience, from a regulatory standpoint in the API space, what we are seeing and what is coming, I can put my hand on the table and tell you this, what we’re seeing and what’s coming is prescriptive. No more of this is the expected outcome of the regulation, we don’t care how you achieve that outcome as long as you can prove the controls work. We are seeing the Feds moving to: you need to know all of your APIs. Do you mean APIs? All of your APIs. Do you mean internal APIs and HAPIs? All of your APIs.
I’ve had several people in the banking industry who’ve said that the OCC examiners have been really tough this year, and when we talk about the differences and the importance of API security, understand that the CFPB’s movements relative to digital consumer trust and open banking are going to have a knock-on effect. Your listeners are currently operating in a light-touch regulatory way. CFPB is proposing that a substantial number of companies will have to abide by banking regulations even though they’re not a bank. So this landscape change is another big, big difference. But PCI DSS 4, back to the prescriptive nature of it, one of the things that is out there is an annual sampling or assessment is no longer enough. You have to prove that you have continuous security monitoring. So in a conversation with somebody the other day, they said, well, I think you’re overstating the issue because I read PCI DSS 4 and it doesn’t say a single thing about APIs. And you’re right. If you did a Ctrl+F search in the PCI DSS 4 document for API, you won’t find a single one. My response was to name me a credit card transaction that doesn’t run with an API today. Yeah, and the light bulb goes on. All of a sudden it’s like, oh yeah, you’re right. That stuff is not all right on the internet anymore. Nobody has point-to-point connections. Nobody’s got dial-ins to each other anymore. So they all ride on APIs. I think this is the foundational truth about banking, financial services, and fintech. You are in an API world every single day, and API security isn’t a nice-to-have at all. It is an absolute necessity to be successful. I’m not the only one that thinks that way. If you look at what is happening with Swift. Swift is eliminating itself. I’m an old hedge fund administration guy in technology. And I was shocked that Swift is actively working for its own extinction by building ISO 20022, which does specifically reference APIs.
And FS-ISAC has built it: the FDX API is the way that the entire world is going. And this gets back to the point that I made. If you can see these indicators of where the ball is going, waiting another two years, waiting another year to begin to seriously get to work on API security is going to put you so far behind that you are going to be the weak and sickly animal in the herd that those bad actors are going to come after super hard.

Jacob Hollabaugh: Yeah. And even if you manage to continue existing for the next cycle to complete, you’re going to struggle even more the next time around to see the ball and actually follow it again the next time, even if you get the chance to do so. So that’s all really good logic. The final thing that kind of leads me to is potentially that cycle we’ve talked about and different iterations and waves may be quickening, which is the second part of the name, Traceable AI. I feel like I need to ask you a little bit about the AI part of that name and AI’s role in all of this, because it will be a large role. You’ll be able to say here what type of role and how large, but my naive self can say it’s going to be a big one for sure. So why is AI in the name? How are you using it now to build the platform or operate the platform? And how does the proliferation of AI tech affect what you do, the entire tech stack ecosystem, the API ecosystem? I’m someone who thinks things are only accelerating at bigger and bigger factors. So when you referenced earlier this ten-year cycle, to me, I think if you add AI into the equation, that ten-year cycle, the next one might be eight, the one after that might be five, the one after that might be three, etc. I just threw a lot at you, and I think there were a few questions in there, but explain the use of AI in the name and the company and what you think and how you think it’s going to affect this world.

Richard Bird: Let me first give the cynical answer. I am an old crusty technologist and I’ve been around for a long time. It’s not new. And I really wish the media would stop suggesting that it is. It’s super fascinating what you can do with a ton of Nvidia cards and a large language model. But when it comes to the realities of how companies are using AI, LLM is a distraction. That may not be the case for people who are running call centers and all that kind of stuff. But if you’re building solutions, if you’re building software, you’re looking at AI, and why it’s such an important component of Traceable, you’re looking at AI to optimize your capabilities from an operational perspective. So things like LLM and stellar LLMs, a computational or automation AI, are very important to us, very much a part of our built-in componentry. The reason is that I don’t even want to think about this ten years from now, but today we’re currently monitoring trillions of calls a year, trillions, and in trillions we’re trying to find the eye within the eye, within the eye of the needle in the haystack. And this comparative analytics piece. And there’s no human factor that is good enough. There’s no amount of humans, in terms of sum total, that would ever be enough to be able to catch what we’re able to catch with our use of artificial intelligence in our platform. The speed and the capability of computational or automation-related AIs allow us to be able to respond in application with no additional touch by a human, by another system, or something else assessing, you know, the risk, the criticality, the issue, the problem. So that’s where we leverage AI. And I always like to name-drop. We’re so serious about this: last year, Doctor Zhisheng Wang joined our team. Zhisheng, I just encourage everyone, just go ahead and do a quick Google.
He’s one of the original patent creators and holders around the rise of UEBA, end-user behavioral analytics, which was really the beginning of high-value AI several years ago in technology solutions. We have the guy who created it, and I struggle sometimes to talk with him because he’s way up here intellectually. And he kind of blows my mind. But the net effect that both his work and the engineering teams that are associated with our AI work have yielded for our customers, in being able to identify those unknowns or the equivalent of a zero-day in an API, has just been massive. We wouldn’t be the success that we are today without leveraging AI capabilities.

Jacob Hollabaugh: Yeah, absolutely. Well, Richard, this has been a real pleasure and definitely super interesting and only scary at little bits of time, which is pretty good for talking about these topics that can get scary sometimes pretty quickly. So for those listening who may want to learn more about Traceable AI or follow you, get in touch, where would be the best place for them to go to do so?

Richard Bird: So for Traceable AI, definitely traceable.ai. If you go to the website, you can get everything that you need. For me, one of the things that I often make sure I round off a discussion with is I’m a resource to the market, whether it’s API security or identity security, which I’m extremely well known for, or it’s just making connections with somebody in the industry, or you just have a suggestion. Look me up on LinkedIn: hashtag the guy with the bow tie, Richard Bird. Super easy to find me and I’m there. Whether it’s a Traceable conversation or another conversation, if it’s advancing, making the digital world safer for everybody, I’m ready to have that talk. So I look forward to catching up with people.

Jacob Hollabaugh: I love that. Well, this has been absolutely wonderful. We’ll link to those and more in the show notes below. Richard, thank you so much for your time and knowledge today. I’ve greatly enjoyed it and hope to speak again sometime soon.

Richard Bird: Thank you. I totally appreciate it.

Jacob Hollabaugh: If you enjoyed this episode and want to hear more, head on over to soarpay.com/podcast to subscribe on your podcast listening platform of choice. That’s soarpay.com/podcast.