Brian

50%
System-to-system communication often operates over plaintext channels or SSL connections not governed by signed SSL certificates
Brian
Says who? APIs can be locked down to TLS-only access. Is he talking about 3rd-party integrations like Mint needing plaintext credentials? That’s still user to system initially; inter-system requests should always be secured! What HTTP-based protocol is he thinking of that doesn’t support a security layer?!
The REST API Design Handbook