DevSecOps platform tucks in API security as AI apps heat up

Harness merges with its sister company Traceable for API security, which has broadening appeal as organizations develop generative and agentic AI applications.

DevSecOps vendor Harness will merge with another company founded by its creator. The goal is to integrate API security into its platform amid growing interest in AI applications that frequently rely on APIs.

Harness was founded as a continuous delivery company by CEO Jyoti Bansal and CTO Rishi Singh in 2017. Traceable was founded in 2018 by Bansal, who also served as its CEO, and CTO Sanjay Nagaraj, who will now join Harness as the general manager of a new application security business unit.

Since its founding, Harness has expanded to include continuous integration, cloud cost management, application security test orchestration, software supply chain security, database DevOps and DORA metrics monitoring, among other features. Traceable offers security features for application programming interfaces (APIs) that include discovery and inventory of the APIs in an environment, along with changes to them; attack detection and threat hunting; attack protection; and pre-production security testing for vulnerabilities.

This last feature will be where the companies' products come together first, as an API security module for the Harness DevSecOps platform, but the plan is to go further, said Nick Durkin, field CTO at Harness.

"We had offerings in the [application security space] around the artifacts that we're delivering," Durkin said. The goal is to ensure protection "not just at build time and deploy time but running [in] the future," he said.

AI apps = more APIs

Other DevSecOps platform vendors such as GitLab and GitHub offer application security features, and JFrog added Runtime security to its software supply chain toolset in September. But the specific focus on API security has largely been the territory of specialist startups until recently, said Katie Norton, an analyst at IDC.

"API Security seems to be a place we are seeing M&A [mergers and acquisitions] activity lately," Norton said, citing the 2024 deals between Akamai and Noname, Snyk and Probely, and F5 and Wib.

API security tools are also increasingly popular among DevSecOps organizations, Norton said. In a July 2024 IDC DevSecOps survey, 350 respondents were asked what application security tools they use. API runtime threat protection, web app and API protection platforms, and dynamic application security testing tools were all among the top tools in use, and each of these tool categories was reported as in use by more than 58% of respondents.

APIs have been a key element of web applications in the cloud for years, but Norton said they will become more critical as enterprises develop generative and agentic AI applications.

"APIs serve as the connective tissue that allows devs to rapidly integrate advanced AI features into existing software without reinventing the wheel," Norton said. "As organizations build and integrate AI-powered services, the number of APIs in use rapidly multiplies [and] more endpoints mean more potential vulnerabilities."

Attackers also know that compromising an API can give them direct access to both the service logic and sensitive data used by AI models, Norton added. The July IDC DevSecOps survey also found that organizations' top AI security concern for production apps was protecting sensitive data, cited by 23% of respondents.

Whither 'shift left'?

Security training for developers was cited as the most important action for 52% of 385 respondents to an Enterprise Strategy Group application security survey in August 2024. Improving collaboration between security and development teams -- also chosen by 52% of respondents -- was the second most popular response.

Still, these market research results come amid some recent skepticism about the efficacy of the "shift left" concept popular among DevSecOps proponents, which Harness's Durkin said isn't lost on him.

"When we said shift left, what teams did automatically was just shift the workload of [security] to the engineer," Durkin said. "The industry actually did it wrong," he said.

Harness's approach will leave application security design and policy settings to security teams while making information about those policies visible to developers when it's relevant during the software delivery process, Durkin said.

"This is about making sure that everyone knows the rules of the game," he said. "Being able to … fail fast, in a safe way, with guardrails [is] how you get velocity."

Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.