![Bad News: Outdated Security Is Putting Your APIs At Risk](https://www.hostingadvice.com/images/uploads/2024/11/HA-Traceable.jpg?width=484&height=230)
TL;DR: You’ve heard of multifactor authentication (MFA), strong passwords, and CAPTCHAs — they’re all designed to protect personal information. But for companies handling massive amounts of data, the stakes are higher, and API security is a major vulnerability. We spoke with Richard Bird, Chief Security Officer of Traceable, who explained how thousands of organizations are either struggling to keep up — or simply choosing not to.
In 2004, the U.S. government officially declared October as Cybersecurity Awareness Month. The initiative was a joint effort by the Department of Homeland Security and the National Cyber Security Alliance with the goal of educating Americans about the growing dangers of the internet.
If you were online in the early aughts, you probably remember common threats like viruses, spam, and the infamous “Nigerian prince” scams. Looking back, these issues felt more like inconveniences than serious dangers (unless, of course, you actually wired the “prince” some money…).
Fast forward to 2024, and it’s clear as day that cybersecurity has evolved into something much more complex. With interconnected devices, cloud computing, and remote access, each new piece of tech adds another potential entry point for attackers.
APIs — application programming interfaces, which link software systems to each other — are a huge part of how we use technology today. But the problem is that each API also opens a new door for attackers to slip through.
According to Richard Bird, Chief Security Officer of leading API security platform Traceable, this is a risk that most companies and organizational leaders are aware of. And yet, many still aren’t doing enough to address it.
![Traceable.ai logo](https://www.hostingadvice.com/images/uploads/2024/11/Traceable.ai-logo.jpg?width=736&height=260)
“This is a dynamic that I thought I would never see in my working career: Companies are making a conscious choice to be less secure for the sake of cost containment,” said Richard. “But it’s like I always say, the bad guys have none of those issues.”
Richard makes a great point.
Attackers aren’t slowed down by red tape or budget constraints. They’re scattered all over the world, from solo hobbyists to expert teams.
So it only makes sense that the longer a company delays upgrading to better security standards, the more time attackers have to get ahead. And if cost is the excuse, just remember: You get what you (don’t) pay for.
Recognizing the Security Gap
Say there’s been a string of break-ins and carjackings in your neighborhood. Every night, a new house is targeted. What would you do?
- Option A: Install a security system, maybe add a camera or two.
- Option B: Do nothing and hope your house isn’t next.
Most of us would go with Option A, or at least something that adds a layer of security — whether it’s a guard dog, a metal bat by the bed, or motion-sensing lights. The point is, we wouldn’t just leave ourselves vulnerable.
But what if the threat isn’t outside your door? When companies cut costs on cybersecurity, they’re essentially choosing Option B, just hoping they don’t become the next target.
So then the question becomes: You’d protect yourself from a physical danger, but are you doing enough to protect yourself from a digital one? Because if you’re not, you’re pretty much a sitting duck.
Traceable is a platform that secures APIs for companies by using AI and machine learning (ML) to detect threats and vulnerabilities in real time. And, according to Traceable’s 2025 State of API Security report, the numbers speak for themselves:
- API breaches are way too common: 57% of companies have had API-related incidents in the past two years, highlighting a major security gap.
- Only 37% of companies really understand API context, meaning the vast majority need stronger, context-aware security strategies.
While organizations are aware of the risks, Richard noted many still don’t take the necessary steps to protect their digital assets. There’s a gap between recognizing the threat and actually doing something about it.
“What’s really fascinating to me is we’ve reached a place in the space where enterprise companies finally understand that they have an API security problem,” Richard said. “But I also think we’re in this very strange place where the cognitive dissonance gap between, ‘Yes, I recognize I have a problem’ and ‘No, I’m not doing anything about it’ is the biggest I’ve ever seen.”
Or companies think they’re doing just enough with their current setup. Legacy solutions are also a problem, Richard noted.
“I still think that the large majority of the market are applying landed data center and monolithic application security to an environment that just doesn’t even remotely look like that anymore,” he said.
I’ve always loved cautionary tales, and the Greek myth of Icarus is one of my favorites. When Icarus escaped imprisonment with wings his father, Daedalus, crafted, he warned Icarus not to fly too close to the sun. But, caught up in the thrill, Icarus ignored the advice, his wings melted, and he fell into the sea and drowned.
In cybersecurity, it’s no different. Not staying vigilant or simply relying on outdated protections is just asking for trouble.
Beyond Legacy Solutions
When we talk about legacy solutions, we’re not talking about the tried-and-true systems the word “legacy” likely evokes. Instead, we mean outdated software and technology that are still in use…but no longer get the job done.
Earlier, I talked about how cybersecurity concerns looked different in the early 2000s. Back then, we used traditional security methods such as web application firewalls (WAFs) and antivirus software to combat common cybersecurity threats.
But those solutions don’t hold up the same way today. In reality, they have a pretty short shelf life.
![Traceable's 2025 State of API Security report](https://www.hostingadvice.com/images/uploads/2024/11/image-13.jpg?width=368&height=402)
There are plenty of examples that show just how risky outdated security can be. Take Parler, for instance. This social media platform was founded on principles of free speech and decentralization. But in 2021, a major data breach exposed tons of user information thanks to an API design flaw.
Even zero-trust methods aren’t cutting it anymore. Richard led a webinar titled “You Can’t Have True Zero Trust Without API Security,” in which he called out this trusted approach.
Now, that’s not to say zero-trust is outdated — it’s definitely not. But Richard argues that with all the changes in infrastructure and new attack surfaces popping up, it’s time to expand our perspective and make API security a core part of the strategy.
That’s why Traceable uses a “contextually informed” WAF approach. It’s designed to understand the relationships between different APIs and provide a level of protection that traditional solutions just can’t offer anymore.
Traceable’s services are the answer to problems like these.
“Massive hacks have occurred when a developer removed an API from production to fix it, then returned it without reinstating encryption,” said Richard. “That oversight led to the exposure of millions of accounts. Traceable, though, would catch that anomaly 24/7/365.”
That’s a pretty bold statement, but it seems warranted.
Let’s take a look at what Traceable offers:
- API Discovery: Automatically discovers and catalogs all APIs within an organization so it’s easier to see the entire ecosystem
- Threat Detection: Uses AI and machine learning to detect anomalies, uncover vulnerabilities, and identify potential threats
- Attack Protection: Offers protection against several types of attacks, including business logic abuse, OWASP Top 10 Vulnerabilities, and zero-day exploits
- API Security Testing: Conducts context-aware security testing to identify and mitigate API vulnerabilities
- Fraud and Abuse Prevention: Helps detect and prevent API fraud and abuse
“We focus on every angle of an API — from its lifecycle, behavior, and configuration, to its vulnerabilities, AppSec, testing, and all the way to continuous runtime protection,” said Richard.
He went on to explain Traceable’s Four Pillars — that is, the company’s API observability framework.
Pillar 1: API Functional Test Automation
Legacy testing tools can’t keep up with constant API changes, which means developers often miss critical issues until they’re live. Traceable’s API functional test automation continuously models and validates API interactions, helping devs catch issues early before they reach customers.
Pillar 2: API Performance Management
Obviously, old tech can’t keep up with new tech. The two just aren’t compatible — it’s like outgrowing your shoes. Traceable’s API observability provides full, contextual performance insights that make it easier for devs to find bottlenecks and diagnose issues that affect user experience.
Pillar 3: API Security
APIs, while powerful, unfortunately widen what we call the “attack surface.” Traceable uses telemetry and ML to identify unusual behavior — such as unexpected data access patterns — to give teams the upper hand in finding and fixing security risks before they’re exploited.
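To make the ideas in this section concrete — a cataloged inventory acting as the source of truth for every API (the API Discovery bullet), catching an endpoint that comes back into production without the encryption it had before (the regression Richard describes), and flagging unusual data access from telemetry (Pillar 3) — here is a small Python check written for this article. It is an added example, not Traceable’s code or anything the company describes; the endpoint names, client names, request telemetry, and the three-sigma volume rule are all constructed assumptions.

```python
"""Added example (not Traceable's code): check observed API telemetry against an
inventory baseline. Everything below (routes, clients, policies, history) is
constructed sample data for illustration."""

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class EndpointPolicy:
    """What the inventory says a route is supposed to enforce (constructed)."""
    tls_required: bool
    auth_required: bool


@dataclass(frozen=True)
class Request:
    """One observed call, as a gateway or sidecar might report it (constructed)."""
    client: str
    method: str
    route: str            # normalized route template, e.g. /v1/accounts/{id}
    scheme: str           # "https" or "http"
    authenticated: bool
    records_returned: int


# Inventory baseline: the "single source of truth" for known routes (constructed).
BASELINE = {
    ("GET", "/v1/accounts/{id}"): EndpointPolicy(tls_required=True, auth_required=True),
    ("POST", "/v1/login"): EndpointPolicy(tls_required=True, auth_required=False),
    ("GET", "/v1/health"): EndpointPolicy(tls_required=False, auth_required=False),
}

# Per-(client, route) history of records returned per call (constructed).
HISTORY = {("svc-billing", "/v1/accounts/{id}"): [10, 12, 11, 9, 10, 12]}

# Observed telemetry window (constructed).
TELEMETRY = [
    Request("svc-billing", "GET", "/v1/accounts/{id}", "https", True, 12),
    Request("svc-billing", "GET", "/v1/accounts/{id}", "http", True, 11),    # TLS dropped
    Request("mobile-app", "GET", "/v1/accounts/{id}", "https", False, 1),    # no auth
    Request("mobile-app", "GET", "/v1/health", "http", False, 0),            # allowed
    Request("unknown", "GET", "/v1/admin/export", "https", True, 50000),     # not cataloged
    Request("svc-billing", "GET", "/v1/accounts/{id}", "https", True, 5000), # volume spike
]


def find_posture_regressions(telemetry, baseline):
    """Flag calls that violate the cataloged policy for their route."""
    findings = []
    for req in telemetry:
        policy = baseline.get((req.method, req.route))
        if policy is None:
            continue  # unknown routes are reported by find_shadow_endpoints
        if policy.tls_required and req.scheme != "https":
            findings.append((req.client, req.method, req.route, "plaintext"))
        if policy.auth_required and not req.authenticated:
            findings.append((req.client, req.method, req.route, "unauthenticated"))
    return findings


def find_shadow_endpoints(telemetry, baseline):
    """Routes seen in traffic that the inventory does not know about."""
    return {(r.method, r.route) for r in telemetry if (r.method, r.route) not in baseline}


def volume_threshold(samples, sigmas=3.0):
    """Mean plus N standard deviations; the deviation is floored at 1.0 so a
    perfectly flat history does not make every tiny jitter an alert."""
    return mean(samples) + sigmas * max(pstdev(samples), 1.0)


def find_volume_anomalies(telemetry, history, sigmas=3.0):
    """Flag calls returning far more records than that client's own norm."""
    findings = []
    for req in telemetry:
        samples = history.get((req.client, req.route))
        if not samples:
            continue  # no history yet, so nothing to compare against
        limit = volume_threshold(samples, sigmas)
        if req.records_returned > limit:
            findings.append((req.client, req.route, req.records_returned, round(limit, 2)))
    return findings


def run_checks(telemetry=TELEMETRY, baseline=BASELINE, history=HISTORY):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "posture": find_posture_regressions(telemetry, baseline),
        "shadow": find_shadow_endpoints(telemetry, baseline),
        "volume": find_volume_anomalies(telemetry, history),
    }


if __name__ == "__main__":
    for kind, items in run_checks().items():
        print(kind, items)
```

On the constructed data the posture check reports the plaintext call to an account route and the unauthenticated call to the same route, the shadow check reports the uncataloged export route, and the volume check reports only the 5,000-record call, because the uncataloged client has no history to compare against. The point of keeping the baseline separate from the telemetry is that a route can be re-deployed and still be judged against what it was supposed to enforce, rather than against what it happens to do today.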
Pillar 4: User Analytics
Understanding user behavior is obviously important…but legacy tools only scratch the surface. Traceable’s API user analytics tools give a detailed view of interactions across all touchpoints in the buyer’s journey, making it easier for your teams to predict trends, meet user needs, and ultimately make smarter product decisions.
API Security for Multicloud Environments
“Folks may not like to hear this, but the truth of the matter is there really are no API security experts on the planet.”
This was Richard’s honest response when asked about staying agile in this space.
I think it’s worth highlighting because it’s not that Traceable is claiming to have the industry secrets nobody else does; it just has the passion and resources to keep a constant eye on the landscape.
It’s like going to a medical specialist. (I know I’m chock-full of analogies today, but bear with me.) You know no doctor has all the answers, but you still want someone who studies the latest research and treatments.
That’s what makes the difference: Not necessarily having all the answers, but knowing how to find them.
![Traceable solutions](https://www.hostingadvice.com/images/uploads/2024/11/image-14.jpg?width=736&height=406)
With that in mind, there are a few things on Traceable’s radar.
Richard said that automation and orchestration are big priorities, especially as more organizations require tools that can automatically detect issues across different cloud services.
For example, APIs may work one way on Amazon’s cloud but differently on Google’s, which can create security gaps. Traceable is developing tools to make sure security stays consistent, even in complex, multicloud setups.
“Within security, there is nothing that is worth its weight in unobtainium as much as a source of truth,” Richard added. “That’s why we focus on one of the most unique features of our solution: Being a single source of truth for your APIs.”
Whether your organization uses 10 or 1,000 APIs, every single one is a potential entry point for an unwanted visitor. And you know what they say: Once something is on the internet, it stays there forever.
Learn more about how Traceable can help protect your company and clients.